The European Data Protection Board (EDPB) has adopted and published its “Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of online services”. As expected, the EDPB clarifies that the legal basis of contract performance, at least in the area of online services, cannot be established by mere contract drafting. With regard to the tension between data-protection-driven restrictions on contract design on the one hand and contractual freedom on the other, the EDPB states:
Data subjects can agree to processing of their personal data, but cannot trade away their fundamental rights.
Therefore, the legal basis of contract performance is only available if
- a contract exists,
- the contract is valid under the applicable national law, and
- the data processing is objectively necessary for the performance of the contract.
To assess when data processing is “necessary for the performance of a contract”, the EDPB first refers to Opinion 06/2014 of the Article 29 Working Party on the notion of legitimate interest of the controller under Article 7 of Directive 95/46/EC, and confirms the narrow interpretation of the concept of necessity set out there. In addition, the EDPB provides the following concrete “test questions” for orientation:
- What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
- What is the exact rationale for the contract (i.e. its substance and fundamental object)?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
Finally, the EDPB gives a rough assessment (with examples worth reading) of the most common scenarios:
- “Service improvement”: here, the legal basis “performance of a contract” is generally not available;
- “Fraud prevention”: here, “performance of a contract” is probably not the correct legal basis either; the appropriate basis could instead be a legal obligation or the legitimate interest of the controller;
- “Online behavioural advertising”: behavioural advertising is generally not a necessary element of an online service, even if it indirectly finances the provision of that service. Cookies used for this purpose, for example, require prior consent;
- “Personalisation of content”: personalisation of content may (but need not always) be necessary for the performance of the contract. The decisive factors are the nature of the service, the expectations of the data subject (also taking into account how the service is advertised), and whether the service could also be provided without personalisation.