- IVLawFirm - https://ivlawfirm.com -

What is the difference between consent and contract legal basis for processing personal data in online services?

In October 2019 the European Data Protection Board (EDPB) adopted guidelines on the applicability of Article 6(1)(b) GDPR to the processing of personal data in the context of contracts for online services, irrespective of how those services are financed. The guidelines outline the elements of lawful processing under Article 6(1)(b) GDPR and consider the concept of ‘necessity’ as it applies to the phrase ‘necessary for the performance of a contract’.

Controllers must always ensure that they comply with the data protection principles set out in Article 5 and all other requirements of the GDPR and, where applicable, the ePrivacy legislation.

The lawful basis for processing on the basis of Article 6(1)(b) needs to be considered in the context of the GDPR as a whole, the objectives set out in Article 1, and alongside controllers’ duty to process personal data in compliance with the data protection principles pursuant to Article 5. This includes processing personal data in a fair and transparent manner and in line with the purpose limitation and data minimisation obligations. The principle of fairness includes, inter alia, recognising the reasonable expectations[1] of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller.

As a matter of lawfulness, contracts for online services must be valid under the applicable contract law. An example of a relevant factor is whether the data subject is a child. In such a case (and aside from complying with the requirements of the GDPR, including the ‘specific protections’ which apply to children)[2], the controller must ensure that it complies with the relevant national laws on the capacity of children to enter into contracts. Furthermore, to ensure compliance with the fairness and lawfulness principles, the controller needs to satisfy other legal requirements. For example, for consumer contracts, Directive 93/13/EEC on unfair terms in consumer contracts (the “Unfair Contract Terms Directive”) may be applicable.[3] Article 6(1)(b) is not limited to contracts governed by the law of an EEA member state.[4]

Both purpose limitation and data minimisation principles are particularly relevant in contracts for online services, which typically are not negotiated on an individual basis. Technological advancements make it possible for controllers to easily collect and process more personal data than ever before. As a result, there is an acute risk that data controllers may seek to include general processing terms in contracts in order to maximise the possible collection and uses of data, without adequately specifying those purposes or considering data minimisation obligations.

The purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specified purpose, and to allow compliance with the law to be assessed and data protection safeguards to be applied. For these reasons, a purpose that is vague or general, such as ‘improving users’ experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’, will – without more detail – usually not meet the criterion of being ‘specific’.

Processing is not considered ‘necessary for the performance of a contract’ when the requested service can be provided without the specific processing taking place. The EDPB recognises that another lawful basis, e.g. consent or legitimate interest, may then be applicable, provided the relevant conditions are met. The legal basis must be identified at the outset of processing, and the information given to data subjects in line with Articles 13 and 14 must specify that legal basis. The identification of the appropriate lawful basis is tied to the principles of fairness and purpose limitation.

When controllers set out to identify the appropriate legal basis in line with the fairness principle, this will be difficult to achieve if they have not first clearly identified the purposes of processing, or if processing personal data goes beyond what is necessary for the specified purposes.

In line with their transparency obligations, controllers should make sure to avoid any confusion as to what the applicable legal basis is. This is particularly relevant where the appropriate legal basis is Article 6(1)(b) and a contract regarding online services is entered into by data subjects. Depending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line with Article 6(1)(a) when signing a contract or accepting terms of service. At the same time, a controller might erroneously assume that the signature of a contract corresponds to consent in the sense of Article 6(1)(a). These are entirely different concepts. It is important to distinguish between accepting terms of service to conclude a contract and giving consent within the meaning of Article 6(1)(a), as these concepts have different requirements and legal consequences.

Scope of Article 6(1)(b)

Article 6(1)(b) applies where either of two conditions is met:

  1. the processing in question must be objectively necessary for the performance of a contract with a data subject, or
  2. the processing must be objectively necessary in order to take pre-contractual steps at the request of a data subject.

Necessity

It is important to note that the concept of what is ‘necessary for the performance of a contract’ is not simply an assessment of what is permitted by or written into the terms of a contract. The concept of necessity has an independent meaning in European Union law, which must reflect the objectives of data protection law. Therefore, it also involves consideration of the fundamental right to privacy and protection of personal data, as well as the requirements of data protection principles including, notably, the fairness principle.

The starting point is to identify the purpose of the processing. In the context of a contractual relationship, there may be a variety of purposes for processing. Those purposes must be clearly specified and communicated to the data subject, in line with the controller’s purpose limitation and transparency obligations.

Assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”.

Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes.

Where controllers cannot demonstrate that (a) a contract exists, (b) the contract is valid pursuant to applicable national contract laws, and (c) that the processing is objectively necessary for the performance of the contract, the controller should consider another legal basis for processing.

Merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b). On the other hand, processing may be objectively necessary even if not specifically mentioned in the contract. In any case, the controller must meet its transparency obligations.

When assessing whether Article 6(1)(b) is an appropriate legal basis for processing in the context of an online contractual service, regard should be given to the particular aim, purpose, or objective of the service. For Article 6(1)(b) to apply, the processing must be objectively necessary for a purpose that is integral to the delivery of that contractual service to the data subject. Processing of payment details for the purpose of charging for the service is not excluded. The controller should be able to demonstrate how the main subject-matter of the specific contract with the data subject cannot, as a matter of fact, be performed if the specific processing of the personal data in question does not occur. The important issue here is the nexus between the personal data and processing operations concerned, and the performance or non-performance of the service provided under the contract.

Contracts for digital services may incorporate express terms that impose additional conditions about advertising, payments or cookies, amongst other things. A contract cannot artificially expand the categories of personal data or types of processing operation that the controller needs to carry out for the performance of the contract within the meaning of Article 6(1)(b).

In order to carry out the assessment of whether Article 6(1)(b) is applicable, the following questions from the EDPB guidelines can be of guidance:

  1. What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
  2. What is the exact rationale of the contract (i.e. its substance and fundamental object)?
  3. What are the essential elements of the contract?
  4. What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are party?

If the assessment of what is ‘necessary for the performance of a contract’, which must be conducted prior to the commencement of processing, shows that the intended processing goes beyond what is objectively necessary for the performance of a contract, this does not render such future processing unlawful per se. Article 6 makes clear that other lawful bases are potentially available prior to the initiation of the processing.

This assessment may reveal that certain processing activities are not necessary for the individual services requested by the data subject, but rather necessary for the controller’s wider business model. In that case, Article 6(1)(b) will not be a legal basis for those activities. However, other legal bases may be available for that processing, such as Article 6(1)(a) or (f), provided that the relevant criteria are met. Therefore, the assessment of the applicability of Article 6(1)(b) does not affect the legality of the contract or the bundling of services as such.

Certain actions can be reasonably foreseen and necessary within a normal contractual relationship, such as sending formal reminders about outstanding payments or correcting errors or delays in the performance of the contract. Article 6(1)(b) may cover processing of personal data which is necessary in relation to such actions.

⇒ Example: A company sells products online. A customer contacts the company because the colour of the product purchased is different from what was agreed upon. The processing of personal data of the customer for the purpose of rectifying this issue can be based on Article 6(1)(b).

Contractual warranty may be part of performing a contract, and thus storing certain data for a specified retention time after exchange of goods/services/payment has been finalised for the purpose of warranties may be necessary for the performance of a contract.

Termination of contract

Where the processing of personal data is based on Article 6(1)(b) and the contract is terminated in full, then as a general rule, the processing of that data will no longer be necessary for the performance of that contract and thus the controller will need to stop processing. The data subject might have provided their personal data in the context of a contractual relationship trusting that the data would only be processed as a necessary part of that relationship. Hence, it is generally unfair to swap to a new legal basis when the original basis ceases to exist.

When a contract is terminated, this may entail some administration, such as returning goods or payment. The associated processing may be based on Article 6(1)(b).

Article 17(1)(a) provides that personal data shall be erased when they are no longer necessary in relation to the purposes for which they were collected. Nonetheless, this does not apply if processing is necessary for certain specific purposes, including compliance with a legal obligation pursuant to Article 17(3)(b), or the establishment, exercise or defence of legal claims, pursuant to Article 17(3)(e). In practice, if controllers see a general need to keep records for legal purposes, they need to identify a legal basis for this at the outset of processing, and they need to communicate clearly from the start for how long they plan to retain records for these legal purposes after the termination of a contract. If they do so, they do not need to delete the data upon the termination of the contract.

As long as those other processing operations remain lawful and the controller communicated clearly about those operations at the commencement of processing in line with the transparency obligations of the GDPR, it will still be possible to process personal data about the data subject for those separate purposes after the contract has been terminated.

Necessary for taking steps prior to entering into a contract

This provision reflects the fact that preliminary processing of personal data may be necessary before entering into a contract in order to facilitate the actual entering into that contract.

At the time of processing, it may not be clear whether a contract will actually be entered into. The second option of Article 6(1)(b) may nonetheless apply as long as the data subject makes the request in the context of potentially entering into a contract and the processing in question is necessary to take the steps requested. In line with this, where a data subject contacts the controller to enquire about the details of the controller’s service offerings, the processing of the data subject’s personal data for the purpose of responding to the enquiry can be based on Article 6(1)(b).

This provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party.

Applicability of Article 6(1)(b) in specific situations

Processing for ‘service improvement’[5]

Online services often collect detailed information on how users engage with their service. In most cases, the collection of organisational metrics relating to a service, or of details of user engagement, cannot be regarded as necessary for the provision of the service, as the service could be delivered in the absence of processing such personal data. Nevertheless, a service provider may be able to rely on alternative lawful bases for this processing, such as legitimate interest or consent.

The EDPB does not consider that Article 6(1)(b) would generally be an appropriate lawful basis for processing for the purposes of improving a service or developing new functions within an existing service.

Processing for ‘fraud prevention’

Processing for fraud prevention purposes may involve monitoring and profiling customers. In the view of the EDPB, such processing is likely to go beyond what is objectively necessary for the performance of a contract with a data subject. However, the processing of personal data strictly necessary for the purposes of preventing fraud may constitute a legitimate interest of the data controller and could thus be considered lawful, if the specific requirements of Article 6(1)(f) (legitimate interests) are met by the data controller. In addition, Article 6(1)(c) (legal obligation) could also provide a lawful basis for such processing.

Processing for online behavioural advertising

Online behavioural advertising, and the associated tracking and profiling of data subjects, is often used to finance online services. The Article 29 Working Party (WP29) has previously stated its view on such processing:

[contractual necessity] is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his clickstream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services…

As a general rule, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services. Normally, it would be hard to argue that the contract had not been performed because there were no behavioural ads. This is further supported by the fact that data subjects have an absolute right under Article 21 to object to processing of their data for direct marketing purposes.

Further to this, Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract at issue.

The EDPB also notes that, in line with ePrivacy requirements and the existing WP29 opinion on behavioural advertising, controllers must obtain data subjects’ prior consent to place the cookies necessary to engage in behavioural advertising.

Processing for personalisation of content

The EDPB acknowledges that personalisation of content may (but does not always) constitute an intrinsic and expected element of certain online services, and therefore may be regarded as necessary for the performance of the contract with the service user in some cases. Whether such processing can be regarded as an intrinsic aspect of an online service, will depend on the nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalisation. Where personalisation of content is not objectively necessary for the purpose of the underlying contract, for example where personalised content delivery is intended to increase user engagement with a service but is not an integral part of using the service, data controllers should consider an alternative lawful basis where applicable.

To summarize the Guidelines provided by the European Data Protection Board, we can derive these basic rules for using Article 6 (1) (b) as a legal basis for processing:

[1]  Some personal data are expected to be private or only processed in certain ways, and data processing should not be surprising to the data subject. In the GDPR, the concept of ‘reasonable expectations’ is specifically referenced in recitals 47 and 50 in relation to Article 6(1)(f) and (4).

[2] See Recital 38, which refers to children meriting specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.

[3] A contractual term that has not been individually negotiated is unfair under the Unfair Contract Terms Directive “if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer”. Like the transparency obligation in the GDPR, the Unfair Contract Terms Directive mandates the use of plain, intelligible language. Processing of personal data that is based on what is deemed to be an unfair term under the Unfair Contract Terms Directive will generally not be consistent with the requirement under Article 5(1)(a) GDPR that processing be lawful and fair.

[4] The GDPR applies to certain controllers outside the EEA; see Article 3 GDPR.

[5] Online services may also need to take into account Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 22.05.2019, p. 1), which will apply as from 1 January 2022.