EDSA: Update: Guidelines on the interpretation of Art. 6 para. 1 b GDPR published

The European Data Protection Board has approved and published the “Guidelines on the processing of personal data on the basis of Article 6 (1) b GDPR in the context of online services”. As expected, the EDSA clarifies that the legal basis of contract performance, at least in the area of online services, cannot be established merely through contract drafting. With regard to the tension between restrictions on contract design motivated by data protection law on the one hand and contractual freedom on the other, the EDSA states:

Data subjects can agree to processing of their personal data, but cannot trade away their fundamental rights.

Therefore, the legal basis of contract performance is only relevant if

  1. a contract exists,
  2. the contract is valid under the applicable national law, and
  3. the data processing is objectively necessary for the performance of the contract.

To assess when data processing is “necessary for the performance of a contract,” the EDSA first refers to Opinion 06/2014 of the Article 29 Working Party on the notion of legitimate interest of the controller under Article 7 of Directive 95/46/EC and confirms the narrow interpretation of the concept of necessity set out there. In addition, the EDSA provides the following concrete “test questions” for better orientation:

  • What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
  • What is the exact rationale for the contract (i.e. its substance and fundamental object)?
  • What are the essential elements of the contract?
  • What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?

Finally, the EDSA gives a rough assessment (and provides examples worth reading) of the most common case studies:

  • “Service improvement”: In this case, the legal ground “performance of contract” is generally not relevant;
  • “Fraud prevention”: Here, “contract performance” is probably not the correct legal ground; the correct legal ground could instead be a legal obligation or the legitimate interest;
  • “Online behavioral advertising”: Behavioral advertising is generally not a necessary element for online services, even if it indirectly finances the provision of the service. Cookies in this regard, for example, require prior consent;
  • “Personalization of content”: The personalization of content may (but does not always have to) be necessary for the fulfillment of the contract. The decisive factors here would be the type of service, the expectations of the data subject, also taking into account the way the service is advertised, and whether the service could also be provided without personalization.
