Skip to content
Guidance · EDPB ·22019-on-the-processing-of-personal-data-under-article-61b-gdpr-in EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

Summary

1 Adopted Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects Version 2.0 8 October 2019 2 Adopted Version history Version 2.0 8 October 2019 Adoption of the Guidelines after public consultation Version 1.0 9 April 2019 Adoption of the Guidelines for publication consultation 3 Adopted 1 Part 1 – Introduction ................................ ................................…

How it connects

Full text

1 Adopted Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects Version 2.0 8 October 2019 2 Adopted Version history Version 2.0 8 October 2019 Adoption of the Guidelines after public consultation Version 1.0 9 April 2019 Adoption of the Guidelines for publication consultation 3 Adopted 1 Part 1 – Introduction ................................ ................................ ................................ ....................... 4 1.1 Background ................................ ................................ ................................ .............................. 4 1.2 Scope of these guidelines ................................ ................................ ................................ ........ 5 2 Part 2 - Analysis of Article 6(1)(b) ................................ ................................ ................................ .... 5 2.1 General observations ................................ ................................ ................................ .............. 5 2.2 Interaction of Article 6(1)(b) with other lawful bases for processing ................................ ..... 7 2.3 Scope of Article 6(1)(b) ................................ ................................ ................................ ............ 8 2.4 Necessity ................................ ................................ ................................ ................................ . 8 2.5 Necessary for performance of a contract with the data subject ................................ ............ 9 2.6 Termination of contract ................................ ................................ ................................ ........ 12 2.7 Ne cessary for taking steps prior to entering into a contract ................................ ................ 13 3 Part 3 – Applicability of Article 6(1)(b) in specific situations ................................ ......................... 14 3.1 Processing for ‘service improvement’ ................................ ................................ ................... 14 3.2 Processing for ‘fraud prevention’ ................................ ................................ .......................... 14 3.3 Processing for online behavioural advertising ................................ ................................ ...... 14 3.4 Processing for personalisation of content ................................ ................................ ............. 15 4 Adopted The European Data Protection Board Having regard to A rticle 70 (1 )e of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, HAS ADOPT ED THE FOLLOWING GUI DELINES 1 PART 1 – INTRODUCTION 1.1 Background 1. P ursuant to Article 8 of the Charter of Fundamental Rights of the European Union, personal data must be processed fairly for specified purposes and on the basis of a legitimate basis laid down by law. In this regard, Article 6(1) of the General Data Protection Regulation 1 (GDPR) specifies that processing shall be lawful only on the basis of one of six specified conditions set out in Article 6(1)(a) to (f). Identifying the appropriate legal basis that corresponds to the objective and essence of the processing is of essential importance. Controllers must , inter alia , take into account the impact on data subjects’ rights when identifying the appropriate lawful basis in order to respect the principle of fairness . 2. Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract ” . 2 This supports the freedom to conduct a business, which is guaranteed by Article 16 of the Charter, and reflects the fact that sometimes the contractual obligations towards the data subject cannot be per formed without the data subject providing certain personal data. If the specific processing is part and parcel of delivery of the requested service, it is in the interests of both parties to process that data, as otherwise the service could not be provided and the contract could not be performed. However, the ability to rely on this or one of the other legal bases mentioned in A rticle 6(1) does not exempt the controller from compliance with the other requirements of the GDPR. 3. Articles 56 and 57 of the Treat y on the Functioning of the European Union define and regulate the freedom to provide services within the European Union. Specific EU legislative measures have been adopted in respect of ‘information society services’. 3 These services are defined as “any s ervice normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” This definition extends to services that are not paid for directly by the persons who receive them, 4 such as online ser vices funded through advertising. ‘Online services’ as used in these guidelines refers to ‘information society services’. 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Gener al Da ta Protection Regulation) . 2 See also recital 44. 3 See for example Directive (EU) 2015/1535 of the European Parliament and of the Council, and Article 8 GDPR. 4 See Recital 18 of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market . 5 Adopted 4. The development of EU law reflects the central importance of online services in modern society. The proliferation of always - on mobile internet and the widespread availability of connected devices have enabled the development of online services in fields such as social media, e - commerce, internet search, communication, and travel. While some of these services are funded by user payments, others are provided without monetary payment by the consumer, instead financed by the sale of online advertising services allowing for targeting of data subjects. Tracking of user behaviour for the purposes of such advertising is often carried out in ways the user is often not aware of, 5 and it may not be immediately obvious from the nature of the service provided, which makes it almost impossible in practice for the data subject to exercise an informed choice over the use of their data. 5. Against this background, the European Data Protection Board 6 (EDPB) considers it appropriate to provide guidance on the applicability of Article 6(1)(b) to processing of personal data in the context of online services, in order to ensure that this lawful basis is only relied upon where appropriate. 6. The Article 29 Working Party (WP29) has previously expressed views on the contractual necessity basis under Directive 95/46/EC in its opinion on the notion of legitimate interests of the data controller. 7 Generally, that gui dance remains relevant to Article 6(1)(b) and the GDPR. 1.2 Scope of these guidelines 7. These guidelines are concerned with the applicability of Article 6(1)(b) to processing of personal data in the context of contracts for online services, irrespective of how the services are financed. The guidelines will outline the elements of lawful processing under Article 6(1)(b) GDPR and consider the concept of ‘necessity’ as it applies to ’necessary for the performance of a contract’. 8. Data protection rules govern import ant aspects of how online services interact with their users, however, other rules apply as well. Regulation of online services involves cross - functional responsibilities in the fields of , inter alia, consumer protection law, and competition law. Considera tions regarding these fields of law are beyond the scope of these guidelines. 9. Although Article 6(1)(b) can only apply in a contractual context, these guidelines do not express a view on the validity of contracts for online services generally, as this is ou tside the competence of the EDPB. Nonetheless, contracts and contractual terms must comply with the requirements of contract laws and, as the case may be for consumer contracts, consumer protection laws in order for processing based on those terms to be co nsidered fair and lawful. 10. Some general observations on data protection principles are included below, but not all data protection issues that may arise when processing under Article 6(1)(b) will be elaborated on. Controllers must always ensure that they comply with the data protect ion principles set out in Article 5 and all other requirements of the GDPR and, where applicable, the ePrivacy legislation. 2 PART 2 - ANALYSIS OF ARTICLE 6(1)(B) 2.1 General observations 5 In this regard, controllers need to fulfil the transparency obligations set out in the GDPR. 6 Established under Article 68 GDPR. 7 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Arti cle 7 of Directive 95/46/EC (WP 217). See in particular pages 11, 16, 17, 18 and 55. 6 Adopted 11. The lawful basis for processing on the basis of Article 6(1)(b) needs to be considered in the context of the GDPR as a whole, the objectives set out in Article 1, and alongside controllers’ duty to process personal data in compliance with the data protection principles pursuant to Article 5. This includes processing personal da ta in a fair and transparent manner and in line with the purpose limitation and data minimisation obligations. 12. Article 5(1)(a) GDPR provides that personal data must be processed lawfully, fairly and transparently in relation to the data subject. The princi ple of fairness includes , inter alia, recognising the reasonable expectations 8 of the data subjects , considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between the m and the controller. 13. As mentioned, as a matter of lawfulness, contracts for online services must be valid under the applicable contract law. A n example of a relevant factor is whether the data subject is a child. In such a case (and aside from complying with the requirements of the GDPR, including the ‘specific protections’ which apply to children), 9 the controller must ensure that it complies with the relevant national laws on the capacity of children to enter into contracts . Furthermore, to ensure compliance with the fairness and lawfulness principles, the controller needs to satisfy other legal requirements. For example, for consumer contracts, Directive 93/13/EEC on unfair terms in consumer contracts (the “Unfair Contract T erms Directive”) may be applicable. 10 Article 6(1)(b) is not limited to contracts governed by the law of an EEA member state. 11 14. Article 5(1)(b) of the GDPR provides for the purpose limitation principle, which requires that personal data must be collected fo r specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 15. Article 5(1)(c) provides for data minimisation as a principle, i.e. processing as little data as possible in order to achieve th e purpose. This assessment complements the necessity assessments pursuant to Article 6(1)(b) to (f). 16. Both purpose limitation and data minimisation principles are particularly relevant in contracts for online services, which typically are not negotiated on an individual basis. Technological advancements make it possible for controllers to easily collect and process more personal data than ever before. As a result, there is an acute risk that data controllers may seek to include general processing terms in c ontracts in order to maximise the possible collection and uses of data, without adequately specifying those purposes or considering data minimisation obligations. WP29 has previously stated: The purpose of the collection must be clearly and specifically id entified: it must be detailed enough to determine what kind of processing is and is not included within the specified purpose, and to allow that compliance with the law can be assessed and data protection safeguards 8 Some personal data are expected to be private or only processed in certain ways, and data processing should not be surprising to the data subject. In the GDPR, the concept of ‘reasonable expectations’ is specifically referenced in recitals 47 and 50 in re lation to Article 6(1)(f) and (4). 9 See Recital 38 , which refers to children meriting specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. 10 A contractual term that has not been individually negotiated is unfair under the Unfair Contract Terms Directive “if, contrar y to the requirement of good faith, it causes a significant imbalance in the parties' rights and obl igations arising under the contract, to the detriment of the consumer”. Like the transparency obligation in the GDPR, the Unfair Contract Terms Directive mandates the use of plain, intelligible language. Processing of personal data that is based on what is deemed to be an unfair term under the Unfair Contract Terms Directive, will generally not be consistent with the requirement under Article 5(1)(a) GDPR that processing is lawful and fair. 11 The GDPR applies to certain controllers outside the EEA; see Arti cle 3 GDPR. 7 Adopted applied. For these reasons, a purpose th at is vague or general, such as for instance 'improving users' experience', 'marketing purposes', 'IT - security purposes' or 'future research' will - without more detail - usually not meet the criteria of being ‘specific’. 12 2.2 Interaction of Article 6(1)(b) with other lawful bases for processing 17. Where processing is not considered ‘necessary for the performance of a contract’, i.e. when a requested service can be provided without the specific processing taking place, the EDPB recognises that another lawful bas is may be applicable, provided the relevant conditions are met. In particular, in some circumstances it may be more appropriate to rely on freely given consent under Article 6(1)(a). In other instances, Article 6(1)(f) may provide a more appropriate lawful basis for processing. The legal basis must be identified at the outset of processing, and information given to data subjects in line with Article s 13 and 14 must specify the legal basis. 18. It is possible that another lawful basis than Article 6(1)(b) may be tter match the objective and context of the processing operation in question . The identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation. 13 19. The WP29 guidelines on c onsent also clarify that where “a controller seeks to process personal data that are in fact necessary for the performance of a contract, then consent is not the appropriate lawful basis” . Conversely, the EDPB considers that where processing is not in fact necessary for the performance of a contract , such processing can take place only if it relies on another appropriate legal basis. 14 20. In line with their transparency obligations, controllers should make sure to avoid any confusion as to what the applicable legal basis is. This is particularly relevan t where the appropriate legal basis is Article 6(1)(b) and a contract regarding online services is entered into by data subjects. Depending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line wi th Article 6(1)(a) when signing a contract or accepting terms of service. At the same time, a controller might erroneously assume that the signature of a contract corresponds to a consent in the sense of article 6(1)(a). These are entirely different concep ts. It is important to distinguish between accepting terms of service to conclude a contract and giving consent within the meaning of Article 6(1)(a), as these concepts have different requirements and legal consequences. 21. In relation to the processing of s pecial categories of personal data, in the guidelines on consent, WP29 has also observed that: Article 9(2) does not recognize ‘necessary for the performance of a contract’ as an exception to the general prohibition to process special categories of data. Therefore controllers and Member States that deal with this situation should explore the specific exceptions in Article 9(2) subparagraphs (b) to (j). Should none of the exceptions (b) to (j) apply, obtaining explicit 12 Article 29 Working Party Opinion 03 /2013 on purpose limitation (WP 203), page 15 – 16. 13 When controllers set out to identify the appropriate legal basis in line with the fairness principle, this will be difficult to achieve if they have not fi rst clearly identified the purposes of processing, or if processing personal data goes beyond what is necessary for the specified purposes. 14 For more information on implications in relation to Article 9, see Article 29 Working Party Guidelines on consent under Regulation 2016/679 (WP259), endorsed by the EDPB, page s 19 – 20. 8 Adopted consent in accordance with the conditi ons for valid consent in the GDPR remains the only possible lawful exception to process such data. 15 2.3 Scope of Article 6(1)(b) 22. Article 6(1)(b) applies where either of two conditions are met: the processing in question must be objectively necessary for the performance of a contract with a data subject, or the processing must be objectively necessary in order to take pre - contractual steps at the request of a data subject. 2.4 N ecessity 23. Necessity of processing is a prerequisite for both parts of Article 6(1)(b). At the outset, it is important to note that the concept of what is ‘necessary for the performance of a contract’ is not simply an assessment of what is permitted by or wr itten into the terms of a contract. The concept of necessity has an independent meaning in European Union law, which must reflect the objectives of data protection law. 16 Therefore, it also involves consideration of the fundamental right to privacy and prot ection of personal data, 17 as well as the requirements of data protection principles including, notably, the fairness principle. 24. The starting point is to identify the purpose for the processing, and in the context of a contractual relationship, there may b e a variety of purposes for processing. Those purposes must be clearly specified and communicated to the data subject, in line with the controller’s purpose limitation and transparency obligations. 25. Assessing what is ‘necessary’ involves a combined, fact - b ased assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”. 18 If there are realistic, less intrusive alternatives, the processing is not ‘ necessary’. 19 Article 6(1)( b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre - contractual steps at the request of the data subject, even if it is necessary for the controller’s other business p urposes. 15 Article 29 Working Party Guidelines on consen t under Regulation 2016/679 (WP 259), endorsed by the EDPB, page 19. 16 The CJEU stated in Huber that “what is at issue is a concept [necessity] which has its own independent meaning in Community law and which must be interpreted in a manner which fully reflects the objective of that Directive, [Directive 95/46], as laid down in Article 1(1) thereof”. CJEU, Case C ‑ 524/06, Heinz Huber v Bundesrepublik Deutschland, 18 December 2008, para. 52. 17 See Articles 7 and 8 of the Charter of Fundamental Rights of the European Union 18 See EDPS Toolkit: Assessing the Necessity of Measures that limit the fundamental right to the protection of personal data, page 5. 19 In Schecke , the CJEU held that, when examining the necessity of processing personal data, the legislature needed to take into account alternative, less intrusive measures. CJEU, Joined Cases C ‑ 92/09 and C ‑ 93/09, Volker und Markus Schecke G bR and Hartmut Eifert v Land Hessen , 9. November 2010. This was repeated by the CJEU in the Rīgas case where it held that “As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limit ations in relation to the protection of personal data must apply only in so far as is strictly necessary”. CJEU, Case C ‑ 13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ , para. 30. A strict necessary test is required for any limitations on the exercise of the rights to privacy and to personal data protection with regard to the process ing of personal data, see EDPS Toolkit: Assessing the Necessity of Measures that limit the fundamental right to the protection of personal data , page 7 . 9 Adopted 2.5 Necessary for performance of a contract with the data subject 26. A controller can rely on the first option of Article 6(1)(b) to process personal data when i t can, in line with its accountability obligations under Article 5(2), establish both that t he processing takes place in the context of a valid contract with the data subject and that processing is necessary in order that the particular contract with the data subject can be performed. Where controllers cannot demonstrate that (a) a contract exists, (b) the contract is valid pursuant to applicable national contract laws, and (c) that the processing is objectively necessary for the performance of t he contract, the controller should consider another legal basis for processing. 27. Merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b). On the other hand, proces sing may be objectively necessary even if not specifically mention ed in the contract . In any case, the controller must meet its transparency obligations. Where a controller seeks to establish that the processing is based on the performance of a contract wi th the data subject, it is important to assess what is objectively necessary to perform the contract. ‘Necessary for performance’ clearly requires something more than a contractual clause . This is also clear in light of Article 7(4) . Albeit this provision only regards validity of consent, it illustratively makes a distinction between processing activities necessary for the performance of a contract, and clauses making the service conditional on certain processing activities that are not in fact necessary fo r the performance of the contract. 28. In this regard, the EDPB endorses the guidance previously adopted by WP29 on the equivalent provision under the previous Directive that ‘necessary for the performance of a contract with the data subject’ : … must be inter preted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller. Also the fact that some processing is covered by a contr act does not automatically mean that the processing is necessary for its performance. […] Even if these processing activities are specifically mentioned in the small print of the contract, this fact alone does not make them ‘necessary’ for the performance of the contract. 20 29. The EDPB also recalls the same WP29 guidance stating: There is a clear connection here between the assessment of necessity and compliance with the purpose limitation principle. It is important to determine the exact rationale of the cont ract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance. 21 30. When assessing whether Article 6(1)(b) is an appropriate legal basis for processing in the context of an online contractual service , regard should be given to the particular aim, purpose, or objecti ve of the service. For applicability of Article 6(1)(b), it i s require d that the processing is objectively necessary for a purpose that is integral to the delivery of that contractual service to the da ta subject . Not excluded is processing of payment details for the purpose of charging for the service . The controller should be able to de monstrate how the main subject - matter of the sp ecific contract with the data subject cannot, as a matter of fact, be performed if the specific processing of the personal data in question does not 20 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP 217), page 16 – 17. 21 Ibid. , page 17. 10 Adopted occur. The important issue here is the nexus between the personal data and processing operations concerned, and the performance or non - performance of the service provided under the contract. 31. Contracts for digital services may incorporate express terms that impose additional conditions about advertising, payments or cookies, amongst other things. A contract cann ot artificially expand the categories of personal data or types of processing operation that the controller needs to carry out for the performance of the contract within the meaning of Article 6(1)(b). 32. The controller should be able to justify the necessit y of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not just on the controller’s perspective, but also a reasonable data subject’s perspective when entering into the contract, and whether the contra ct can still be considered to be ‘performed’ without the processing in question. Although the controller may consider that the processing is necessary for the contractual purpose, it is important that they examine carefully the perspective of an average da ta subject in order to ensure that there is a genuine mutual understanding on the contractual purpose. 33. In order to carry out the assessment of whether Article 6(1)(b) is applicable, the following questions can be of guidance:  What is the nature of the serv ice being provided to the data subject? What are its distinguishing characteristics?  What is the exact rationale of the contract (i.e. its substance and fundamental object)?  What are the essential elements of the contract?  What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party? 34. If the assessment of what is ‘necessary for the performance of a contract’, which must be conducted prior to the commencement of processing, shows that the intended processing goes beyo nd what is objectively necessary for the performance of a contract, this does not render such future processing unlawful per se. As already mentioned, Article 6 makes clear that other lawful bases are potentially available prior to the initiation of the pr ocessing. 22 35. If, over the lifespan of a service, new technology is introduced that changes how personal data are processed, or the service otherwise evolves, the criteria above need to be assessed anew to determine if any new or altered processing operations can be based on Article 6(1)(b). Example 1 A data subject buys items from an online retailer . The data subject wants to pay by credit card and for th e products to be delivered to their home address . In order to fulfil the contract, the retailer must proc ess the data subject’s credit card information and billing address for payment purposes and the data subject’s home address for delivery . Thus, Article 6(1)(b) is applicable as a legal basis for these processing activities. 22 See Article 29 Working Party Guidelines on consen t under Regulation 2016/679 (WP 259), endorsed by the EDPB, page 31, in which it is stated that: “Under the GDPR, it is not possible to swap between one lawful basis and another.” 11 Adopted However, if the customer has opt ed for shipment to a pick - up point, the processing of the data subject’s home address is no longer necessary for the performance of the purchase contract . Any processing of the data subject’s address in this context will require a different legal basis tha n Article 6(1)(b) . Example 2 The same online retailer wishes to build profiles of the user’s tastes and lifestyle choices based on their visits to the website. Completion of the purchase contract is not dependent upon building such profiles. Even if prof iling is specifically mentioned in the contract, this fact alone does not make it ‘necessary’ for the performance of the contract. If the on - line retailer wants to carry out such profiling, it needs to rely on a different legal basis. 36. Within the boundaries of contractual law, and if applicable, consumer law, controllers are free to design their business, services and contracts. In some cases, a controller may wish to bundle several separate services or elements of a service with differe nt fundamental purposes, features or rationale into one contract. This may create a ‘take it or leave it’ situation for data subjects who may only be interested in one of the services. 37. As a matter of data protection law, controllers need to take into acco unt that the processing activities foreseen must have an appropriate legal basis. Where the contract consists of several separate services or elements of a service that can in fact reasonably be performed independently of one another, the question arises t o which extent Article 6(1)(b) can serve as a legal basis. T he applicability of Article 6(1)(b) should be assessed in the context of each of those services separately , looking at what is objectively necessary to perform each of the individual services whic h the data subject has actively requested or signed up for . This assessment may reveal that certain processing activities are not necessary for the individual services requested by the data subject, but rather necessary for the controller’s wider business model. In that case, Article 6(1)(b) will not be a legal basis for those activities. However, other legal bases may be available for that processing, such as Article 6(1)(a) or (f), provided that the relevant criteria are met. Therefore, the assessment of the applicability of Article 6(1)(b) does not affect the legality of the contract or the bundling of services as such. 38. As WP29 has previously observed, the legal basis only applies to what is necessary for the performance of a contract. 23 As such, it does not automatically apply to all further actions triggered by non - compliance or to all other incidents in the execution of a contract. However, certain actions can be reasonably foreseen and necessary within a normal contractual relationship, such as sending formal reminders about outstanding payments or correcting errors or delays in the performance of the contract. Article 6(1)(b) may cover processing of personal data which is necessary in relation to such actions. 23 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 o f Directive 95/46/EC (WP217) page 17 – 18. 12 Adopted Example 3 A company sells products onli ne. A customer contacts the company because the colour of the product purchased is different from what was agreed upon. The processing of personal data of the customer for the purpose of rectifying this issue can be based on Article 6(1)(b). 39. Contractual w arranty may be part of performing a contract, and thus storing certain data for a specified retention time after exchange of goods/services/payment has been finalised for the purpose of warranties may be necessary for the performance of a contract . 2.6 Termination of contract 40. A controller needs to identify the appropriate legal basis for the envisaged processing operations before the processing commences. Where Article 6(1)(b) is the basis for some or all processing activities, the controller should anti cipate what happens if that contract is terminated. 24 41. Where the processing of personal data is based on Article 6(1)(b) and the contract is terminated in full, then as a general rule, the processing of that data will no longer be necessary for the performa nce of that contract and thus the controller will need to stop processing. T he data subject might have provided their personal data in the context of a contractual relationship trusting that the data would only be processed as a necessary part of that rela tionship. Hence, i t is generally unfair to swap to a new legal basis when the original basis ceases to exist. 42. When a contract is terminated, this may entail some administration, such as returning goods or payment. The associated processing may be based on Article 6(1)(b). 43. Article 17(1)(a) provides that personal data shall be erased when they are no longer necessary in relation to the purposes for which they were collected. Nonetheless, this does not apply if processing is necessary for certain specific purp oses, including compliance with a legal obligation pursuant to Article 17(3)(b), or the establishment, exercise or defence of legal claims, pursuant to Article 17(3)(e). In practice, if controllers see a general need to keep records for legal purposes, the y need to identify a legal basis for this at the outset of processing, and they need to communicate clearly from the start for how long they plan to retain records for these legal purposes after the termination of a contract. If they do so, they do not nee d to delete the data upon the termination of the contract. 44. In any case, it may be that several processing operations with separate purposes and legal bases were identified at the outset of processing. As long as those other processing operations remain la wful and the controller communicated clearly about those operations at the commencement of processing in line with the transparency obligations of the GDPR, it will still be possible to process personal data about the data subject for those separate purposes after the contract has been terminated. 24 If a contract is subsequently invalidated, it will impact the lawfulness (as understood in Article 5(1)(a)) of continued processing. However, it doe s not automatically imply that the choice of Article 6(1)(b) as the legal basis was incorrect. 13 Adopted Example 4 An online service provides a subscription service that can be cancelled at any time. When a contract for the service is concluded, the controller provides information to the data subject on the processing of personal data. The controller explains, inter alia , that a s long as the contract is in place, it will process data about the use of the service to issue invoices. The applicable legal basis is Article 6(1)(b) as the processing for invoicing purposes can be considered to be objectively necessary for the performanc e of the contract. However, when the contract is terminated and assuming there are no pending, relevant legal claims or legal requirements to retain the data , the usage history will be deleted. Furthermore, the controller informs data subjects that it has a legal obligation in national law to retain certain personal data for accounting purposes for a specified number of years. The appropriate legal basis is Article 6(1)(c), and retention will take place even if the contract is terminated. 2.7 Necessary for tak ing steps prior to entering into a contract 45. The second option of Article 6(1)(b) applies where processing is necessary in order to take steps at the request of the data subject prior to entering into a contract . This provision reflects the fact that preliminary processing of personal data may be necessary before entering into a contract in order to facilitate the actual entering into that contract. 46. At the time of processing, it may not be clear whether a contract will actually be entered into. T he sec ond option of Article 6(1)(b) may nonetheless apply as long as the data subject makes the re quest in the context of potentially entering into a contract and the processing in question is necessary to take the steps requested . In line with this, where a dat a subject contacts the controller to enquire about the details of the controller’s service offerings , the processing of the data subject’s personal data for the purpose of responding to the enquiry can be based on Article 6(1)(b). 47. In any case, this provis ion would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party. Example 5 A data subject provides their postal code to see if a particular service pro vider operates in their area. This can be regarded as processing necessary to take steps at the request of the data subject prior to entering into a contract pursuant to Article 6(1)(b). Example 6 In some cases, financial institutions have a duty to identify their customers pursuant to national laws. In line with this, before entering into a contract with data subjects, a bank requests to see their identity documents. In this case, the identificati on is necessary for a legal obligation on behalf of the bank rather than to take steps at the data subject’s request. Therefore, the appropriate legal basis is not Article 6(1)(b), but Article 6(1)(c). 14 Adopted 3 PART 3 – APPLICABILI TY OF ARTICLE 6(1)(B ) IN SPECIFIC SITUATIONS 3.1 Processing for ‘service improvement’ 25 48. Online services often collect detailed information on how users engage with their service. In most cases, collection of organisational metrics relating to a service or details of user engagement, cannot be regarded as necessary for the provision of the service as the service could be delivered in the absence of processing such personal data. Nevertheless, a service provider may be able to rely on alternative lawful bases for this processing, such as legitima te interest or consent. 49. The EDPB does not consider that Article 6(1)(b) would generally be an appropriate lawful basis for processing for the purposes of improving a service or developing new functions within an existing service. In most cases, a user enters into a contract to avail of an existing service. While the possibility of improvements and modifications to a service may routinely be included in contractual terms, such processing usually cannot be regarded as being objectively necessary for the p erformance of the contract with the user. 3.2 Processing for ‘fraud prevention’ 50. A s WP29 has previously noted, 26 processing for fraud prevention purposes may involve monitoring and profiling customers. In the view of the EDPB, such processing is likely to go be yond what is objectively necessary for the performance of a contract with a data subject. However, the processing of personal data strictly necessary for the purposes of preventing fraud may constitute a legitimate interest of the data controller 27 and coul d thus be considered lawful, if the specific requirements of Article 6(1)(f)(legitimate interests) are met by the data controller . In addition Article 6(1)(c) (legal obligation) could also provide a lawful basis for such processing of data. 3.3 Processing for online behavioural advertising 51. Online behavioural advertising, and associated tracking and profiling of data subjects, is often used to finance online services. WP29 has previously stated its view on such processing, stating: [contractual necessity] is no t a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his clickstream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to del iver particular goods and services, for example. 28 52. As a general rule, processing of personal data for b ehavioural advertising is not necessary for the performance of a contract for online services. Normally, it would be hard to argue that the contract 25 Online services may also need to take into account Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects conc erning contracts for the supply of digital content and digital services (OJ L 136, 22.05.2019, p. 1), which will apply as from 1 January 2022. 26 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Art icle 7 of Directive 95/46/EC (WP 217), page 17. 27 See Recital 47, sixth sentence. 28 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP 217), page 17. 15 Adopted had n ot been performed because there were no behavioural ads. This is all the more supported by the fact that data subjects have the absolute right under Article 21 to object to processing of their data for direct marketing purposes . 53. Further to this, Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, this in itself is not sufficient to esta blish that it is necessary for the performance of the contract at issue. The controller would need to consider the factors outlined in paragraph 33. 54. Considering that data protection is a fundamental right guaranteed by Article 8 of the Charter of Fundament al Rights, and taking into account that one of the main purposes of the GDPR is to provide data subjects with control over information relating to them , personal data cannot be consid ered as a tradeable commodity. Even if the data subject can agree to the processing of personal data, 29 they cannot trade away their fundamental rights through this agreement . 30 55. The EDPB also notes that, in line with ePrivacy requirements and the existing WP29 opinion on behavioural advertising, 31 and Working Document 02/2013 providing guidance on obtaining consent for cookies, 32 controllers must obtain data subjects’ prior consent to place the cookies necessary to engage in behavioural advertising. 56. The EDPB also notes that tracking and profiling o f users may be carried out for the purpose of identifying groups of individuals with similar characteristics, to enable targeting advertising to similar audiences. Such processing cannot be carried out on the basis of Article 6(1)(b), as it cannot be said to be objectively necessary for the performance of the contract with the user to track and compare users’ characteristics and behaviour for purposes which relate to advertising to other individuals. 33 3.4 Processing for p ersonalisation of content 34 57. The EDPB acknowledges that personalisation of content may (but does not always) constitute an intrinsic and expected element of certain online services, and therefore may be regarded as necessary for the performance of the contract with the service user in some cases. Whether such processing can be regarded as an intrinsic aspect of an online service, will depend on the nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalisation. Where personalisation of content is not objectively necessary for the purpose of the underlying contract, for example where personalised content delivery is int ended to increase user 29 See Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services. 30 Besides the fact that the use of personal data is regulated by the G DPR, there are additional reasons why processing of personal data is conceptually different from monetary payments. For example, money is countable, meaning that prices can be compared in a competitive market, and monetary payments can normally only be mad e with the data subject’s involvement. Furthermore, personal data can be exploited by several services at the same time. Once control over one’s personal data has been lost, that control may not necessarily be regained. 31 Article 29 Working Party Opinion 2 /2010 on onl ine behavioural advertising (WP 171). 32 Article 29 Working Party Working Document 02/2013 providing guidance on obtaining consent for cookies (WP208). 33 See also Article 29 Working Party Guidelines on Automated individual decision - making and Pro filing for the purposes of Regulation 2016/679 (WP251 rev.01 ), endorsed by the EDPB, page 13. 34 Online services may also need to take into account Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 22.05.2019, p. 1), w hich will apply as from 1 January 2022. 16 Adopted engagement with a service but is not an integral part of using the service, data controllers should consider an alternative lawful basis where applicable. Example 7 An online hotel search engine monitors past bookings of users in order to create a profile of their typical expenditure. This profile is subsequently used to recommend particular hotels to the user when returning search results. In this case, profiling of user’s past behaviour and financial data would not be objectively necessary for the performance of a contract, i.e. the provision of hospitality services based on particular search criteria provided by the user. Therefore, Article 6(1)(b) would not be applicable to this processing activity. Exampl e 8 An online marketpl ace allows potential buyers to browse for and purchase products. The marketplace wishes to display personalised product suggestions based on which listings the potential buyers have previously viewed on the platform in order to increase interactivity. This personalisation it is not objectively necessary to provide the marketplace service. Thus, such processing of personal data cannot rely on Article 6(1)(b) as a legal basis.

Similar Content