In October 2019, the EDPB published Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR. These EDPB Guidelines specify which processing activities can be based on that provision. With lots of examples, they help to clear up some uncertainties. One of the key data protection principles is that the controller must have a lawful ground for processing personal data.
Article 6(1)(b) applies if the processing is necessary:
- “for the performance of a contract to which the data subject is party”, or
- “in order to take steps at the request of the data subject prior to entering into a contract”.
Necessity
For both options of Article 6(1)(b) the processing has to be “necessary”. This requirement needs to be assessed objectively. The company deciding on the processing ground needs to look at it not only from its own perspective but from a reasonable data subject’s perspective as well. The EDPB Guidelines make it clear that the processing is not necessary if there are realistic, less intrusive alternatives.
Performance of a contract
Let’s look at the first option. For this purpose the controller needs a valid contract with the data subject which makes it objectively necessary to process the data. An example would be the processing of the delivery address of an online shop customer.
If the contract can be performed without the processing, then another basis must be found. For example, if the same online retailer would like to profile the shopping preferences of the data subject to improve its services, that would not be deemed “necessary for the contract”. The EDPB Guidelines provide further examples of processing that is not covered, such as processing for fraud prevention or online behavioural advertising.
The EDPB Guidelines, however, acknowledge that activities related to the performance of a contract can be covered as well. These include, for example, sending out reminders about outstanding payments, correcting errors or delays, and retaining the data to perform the contractual warranty.
If a contract is terminated in full, the general rule is that the processing needs to stop. You can’t swap legal bases without providing notice to the data subject. However, if you carry out processing activities that you have based on other legal bases from the beginning, you are still allowed to process data for those separate purposes. Additionally, the EDPB clarifies that the administration entailed in termination is also covered by this basis.
Prior to a contract
The second option only applies if the data subject makes the request prior to a contract. For example, a prospective customer contacts the controller with questions about a product. It doesn’t cover contact made on the sole initiative of the controller or a third party. Therefore, unsolicited marketing is not covered under Article 6(1)(b) GDPR. Also bear in mind that the “necessity” criterion applies here as well.
It does not matter whether a contract will actually be entered into, as long as the data subject is the one initiating the request in the context of potentially entering into a contract.
Other EDPB Guidelines
On the website of the EDPB you can find all guidelines, recommendations and best practices. Furthermore, the page offers all guidelines by the Article 29 Working Party, which was the EU organisation previously responsible.