Published on Monday, November 4, 2019 - 14:25 by Cameron Troake
Under the GDPR, organisations can only process data when it is lawful to do so. This means you must firstly identify the most appropriate of the six lawful bases, and then comply with the requirements attached to your chosen one.
The European Data Protection Board (EDPB) has recently published its guidance on using ‘contractual necessity’ as a lawful basis.
When is ‘contractual necessity’ most appropriate?
Contractual necessity is the most appropriate basis when the processing is necessary in order for a product or service to be provided. Essentially, by choosing this basis you are saying ‘we can’t comply with our side of the contract without this processing’.
This is not a basis to use lightly – it means that the fundamental aspects of your product or service rely on the processing.
For example, you might be unable to complete an order without processing a delivery or home address. However, just because something is included or permitted by a contract doesn’t necessarily mean that it is contractually necessary. If you could deliver the product or service without the processing, then the contractual basis is not going to be the most appropriate.
In some cases, the distinction is clear – you need an address in order to deliver the socks a customer bought. However, any further uses of that address, such as using it for sending them marketing materials, will need a different lawful basis.
Similarly, whilst you need the address so you can post the socks, you don’t need to know why the customer bought them in order to do that – so you would need a different lawful basis to collect that information.
What should I consider when deciding on ‘grey areas’?
Some cases can seem less clear cut.
Let’s say you’re a motor manufacturer which provides cars on leasing agreements that include maintenance. You want to monitor the car’s usage so you can recommend appropriate service intervals.
Can you use contractual necessity or not? Firstly, you need to consider the driver’s expectations. What technology does the driver expect the car manufacturer to fit and how do they expect that it will be used?
The fundamental right to privacy means that the presumption should be that the driver’s car usage shouldn’t be monitored. The principle of fairness means that you need to demonstrate it’s more fair to monitor the usage than not.
It might be possible to make a case for this. Let’s say that your standard service intervals and protocols are set to ensure that 99% of serious defects can be avoided, and that the remaining 1% of defects will be caused by specific driving scenarios.
It could be possible to make a case that shows the potential consequences of such defects means that it’s fairer to monitor for those driving scenarios – which means contractual necessity could be a potential basis for doing so.
It’s likely that a motor manufacturer that is known for its use of technology and actively markets to people who are happy to have their data processed in order to receive a more personalised service will find it easier to demonstrate that such processing is within the expectations of the contract. On the other hand, a manufacturer that makes cars that are perceived to be simpler and does not market them on the basis of their information processing capabilities would find it harder to do so. The marketing strategy and the lawful basis are interconnected.
What do I need to demonstrate in order to use contractual necessity?
Once you have defined the processing that you wish to carry out on this basis, you need to ensure the following criteria are met:
Processing which is useful to your organisation – but is not objectively necessary for the specific purpose stated – should not be included. You will also need to demonstrate that without the processing the main purpose stated in the contract with the individual cannot be performed.
It’s important to note that only the processing which meets the criteria counts. The presence of some processing that does meet the criteria will not legitimise the presence of other processing that does not.
So, let’s go back to our motor manufacturer example. Processing which identifies how often poorly executed hill starts occur would not legitimise other processing that, say, tracked the location or speed of the vehicle. The lawful basis for this additional processing would need to be considered separately.
When assessing if processing is necessary for a particular ‘online service’, you will need to consider a particular aim, purpose, or objective for the service. The EDPB says the term ‘online services’ used in its guidelines refers to ‘information society services’. These services are defined as:
“Any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of the service”.
The EDPB says this definition extends to services that are not paid for directly by the persons who receive them, such as online services funded through advertising.
The questions that you will need to answer when assessing contractual necessity are:
You should also consider whether additional processing is necessary when introducing new features or technology that will affect the processing of information.
Additionally, if the contract consists of several separate services, or elements of a service, you will need to assess whether the processing is objectively necessary in the context of each of those services, separately.
Processing may be necessary for performance when:
Processing is not likely to be necessary for performance when: