On 8 October 2019, the European Data Protection Board (EDPB) adopted the final version of its guidelines regarding the processing of personal data when providing online services (Guidelines 2/2019). These guidelines focus in particular on the scope and applicability of Article 6(1)(b) GDPR (“performance of a contract”) in the context of information society services in order to ensure that this legal basis for processing personal data is only relied upon where appropriate. Indeed, where processing is not in fact necessary for the performance of a contract, other appropriate legal bases should be considered, such as Article 6(1)(a) (“consent”) or Article 6(1)(f) (“legitimate interests”).
The EDPB’s guidelines are in line with case law from the EU Court of Justice (e.g. Cases C-524/06, C-13/16, C-92/09 and C-93/09), and build further on earlier guidelines from the Article 29 Working Party (e.g. Opinion 06/2014 concerning the notion of the legitimate interests of the data controller under Article 7 of Directive 95/46/EC).
These are some of the key considerations of the EDPB:
- For Article 6(1)(b) to apply, it is required that the processing is objectively necessary for the performance of the contract with the data subject. The controller should be able to demonstrate how the main subject matter of the contract cannot be performed if the specific processing of the personal data in question does not take place;
- Article 6(1)(b) only applies to that which is necessary for the performance of a contract. As such, it does not automatically apply to all further actions triggered by non-compliance or to all other incidents in the execution of a contract. However, certain actions can be reasonably foreseen and necessary within a normal contractual relationship, such as sending formal reminders about outstanding payments or correcting errors or delays in the performance of the contract. Article 6(1)(b) may also cover the processing of personal data which is necessary in relation to such actions;
- Article 6(1)(b) also applies where processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. However, this does not cover unsolicited marketing or other processing which is carried out solely at the initiative of the data controller or at the request of a third party;
- Online services often collect detailed information about how users engage with their service in order to improve a service or develop new functions within an existing service. However, in most cases, the collection of organisational metrics relating to a service or details of user engagement cannot be regarded as necessary for the provision of the service. Alternative legal bases may be more appropriate;
- As a general rule, the processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services. Furthermore, Article 6(1)(b) cannot provide a legal basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service;
- Personalisation of content may (but does not always) constitute an intrinsic and expected element of certain online services and therefore may be regarded, in some cases, as necessary for the performance of the contract with the service user. However, this will not be the case:
  - for an online hotel search engine that monitors the past bookings of users in order to create a profile of their typical expenditure which is then used to recommend particular hotels to the user when returning the search results;
  - for an online marketplace that wishes to display personalised product suggestions based on the listings potential buyers have previously viewed on the platform in order to increase interactivity.
Please contact Karel Janssens for further information on this topic and/or for general legal advice relating to privacy and data protection law.