The European Data Protection Board has published its updated Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects following public consultation.
The Guidelines were adopted by the Board on 8 October 2019 and concern the “applicability of Article 6(1)(b) to processing of personal data in the context of contracts for online services” regardless of how the services themselves are financed, outlining “the elements of lawful processing under Article 6(1)(b) GDPR and consider[ing] the concept of ‘necessity’ as it applies to ‘necessary for the performance of a contract’.” Sometimes “contractual obligations towards the data subject cannot be performed without the data subject providing certain personal data” such as, for example, when “the specific processing is part and parcel of delivery of the requested service, it is in the interests of both parties to process that data, as otherwise the service could not be provided and the contract could not be performed. However, the ability to rely on this or one of the other legal bases mentioned in Article 6(1) does not exempt the controller from compliance with the other requirements of the GDPR.”
This Guidance issued by the EDPB provides a strong background to be used in determining whether or not it is appropriate to rely on Article 6(1)(b) as a legal basis for data processing. The EDPB points out that the Article should be contextualized within the GDPR and “the objectives set out in Article 1, and alongside controllers’ duty to process personal data in compliance with the data protection principles pursuant to Article 5. This includes processing personal data in a fair and transparent manner and in line with the purpose limitation and data minimisation obligations.” In some cases, such as “Where processing is not considered ‘necessary for the performance of a contract’, i.e. when a requested service can be provided without the specific processing taking place, the EDPB recognises that another lawful basis may be applicable, provided the relevant conditions are met. In particular, in some circumstances it may be more appropriate to rely on freely given consent under Article 6(1)(a). In other instances, Article 6(1)(f) may provide a more appropriate lawful basis for processing. The legal basis must be identified at the outset of processing, and information given to data subjects in line with Articles 13 and 14 must specify the legal basis.” Building on the Article 29 Working Party Guidelines on consent under Regulation 2016/679 (WP259), which state that when “a controller seeks to process personal data that are in fact necessary for the performance of a contract, then consent is not the appropriate lawful basis”, the EDPB has determined that “where processing is not in fact necessary for the performance of a contract, such processing can take place only if it relies on another appropriate legal basis.”
The complete Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR are worth reading in full here and should been consulted when relying on Article 6(1)(b) GDPR as a legal basis for data processing.