Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

The EDPB’s Narrow View of Contractual Necessity

The European Data Protection Board (EDPB) has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, 2019) provide a detailed assessment of the regulator’s interpretation of the law.

Article 6(1)(b) sets out one of the six possible lawful grounds for personal data processing under the European Union’s General Data Protection Regulation (GDPR). It states that processing will be lawful where it is either necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. The EDPB’s guidance is explicitly intended to ensure this lawful basis for processing is only relied on where appropriate. When the legal basis is inappropriate for one or several processing operations, the justification must be found elsewhere.

According to the EDPB, processing must be necessary for the particular contract at issue to be carried out. The guidelines go into some depth on the concept of “necessity,” which the EDPB says has an independent meaning established in case law. Necessity is to be assessed objectively, according to the perspective of a hypothetical reasonable data subject, and relates to the nature and purpose of the service being provided. The precise wording of the contract is less important, and making the service conditional on certain processing activities is not sufficient to make it necessary. The interpretation itself of necessity is very narrow, with the EDPB specifically stating that if there are realistic and less intrusive alternatives to the type of processing envisaged, it is not necessary.

The EDPB provides a number of examples to illustrate its position. Processing of credit card information and billing addresses for payment purposes, and processing a data subject’s home address for home delivery, by online retailers can be justified under Article 6(1)(b). However, the retailer would have to rely on a different legal basis if it wants to build a profile of user tastes and lifestyle choices, because such profiles are not necessary to carry out the contract. A number of further situations are listed in which data processing is not considered necessary for the performance of a contract, including improving a service or developing new functions within a service, fraud prevention and behavioural advertising.

The EDPB acknowledges that personalisation, on the other hand, may be necessary for the performance of some contracts. The EDPB provides further examples to illustrate this point: a news aggregation service which provides news based on a user-created profile of its own interests would entail personalisation which is objectively necessary for performance of the contract between the news aggregation service and the user. However, in the EDPB’s opinion monitoring past hotel bookings to profile user expenditure and recommend particular hotels when returning search results, when carried out by a hotel search engine, or an online marketplace personalising product suggestions on the basis of past searches to increase interactivity is not objectively necessary to provide the marketplace service and therefore is not objectively necessary processing.

In summary, to rely on Article 6(1)(b), it is required that the processing is objectively necessary for a purpose that is integral to the delivery of that contractual service to the data subject. To meet the EU regulators’ expectations, controllers seeking to rely on contractual necessity as a lawful ground for their data processing operations will need to be able to demonstrate how the main object of the contract with the data subject cannot, as a matter of fact, be performed without that data processing.