Processing personal data on the basis of ‘Contractual Necessity’
Under the GDPR, organisations can only process data when it is lawful to do so. This means you must firstly identify the most appropriate of the six lawful bases, and then comply with the requirements attached to your chosen one.
The European Data Protection Board has now recently published its guidance on using ‘contractual necessity’ as a lawful basis.
When is ‘contractual necessity’ most appropriate?
Contractual necessity is the most appropriate basis when the processing is necessary in order for a product or service to be provided. Essentially, by choosing this basis you are saying ‘we can’t comply with our side of the contract without this processing’.
This is not a basis to use lightly – it means that the fundamental aspects of your product or service rely on the processing.
For example, you might be unable to complete an order without processing a delivery or home address. However, just because something is included or permitted by a contract doesn’t necessarily mean that it is contractually necessary. If you could deliver the product or service without the processing, then the contractual basis is not going to be the most appropriate.
In some cases, the distinction is clear – you need an address in order to deliver the socks a customer bought. However, any further uses of that address, such as using it for sending them marketing materials, will need a different lawful basis.
Similarly, whilst you need the address so you can post the socks, you don’t need to know why the customer bought them in order to do that – so you would need a different lawful basis to collect that information.
What should I consider when deciding on ‘grey areas’?
Some cases can seem less clear cut.
Let’s say you’re a motor manufacturer which provides cars on leasing agreements that include maintenance. You want to monitor the car’s usage so you can recommend appropriate service intervals.
Can you use contractual necessity or not? Firstly, you need to consider the driver’s expectations. What technology does the driver expect the car manufacturer to fit and how do they expect that it will be used?
The fundamental right to privacy means that the presumption should be that the driver’s car usage shouldn’t be monitored. The principle of fairness means that you need to demonstrate it’s more fair to monitor the usage than not.
It might be possible to make a case for this. Let’s say that your standard service intervals and protocols are set to ensure that 99% of serious defects can be avoided, and that the remaining 1% of defects will be caused by specific driving scenarios.
It could be possible to make a case that shows the potential consequences of such defects means that it’s fairer to monitor for those driving scenarios – which means contractual necessity could be a potential basis for doing so.
It’s likely that a motor manufacturer that is known for its use of technology and actively markets to people who are happy to have their data processed in order to receive a more personalised service will find it easier to demonstrate that such processing is within the expectations of the contract. On the other hand, a manufacturer that makes cars that are perceived to be simpler and does not market them on the basis of their information processing capabilities would find it harder to do so. The marketing strategy and the lawful basis are interconnected.
What do I need to demonstrate in order to use contractual necessity?
Once you have defined the processing that you wish to carry out on this basis, you need to ensure the following criteria are met:
- The processing is expected by the individual within the context of the contract.
- The processing is carried out in the context of a valid contract with the individual – this means that a contract is in place or in prospect.
- The reason for the processing is clearly defined and communicated to the individual, in line with the organisation’s purpose limitation and transparency obligations - even if these aren’t in the body of the contract.
- The processing is objectively necessary to achieve its purpose.
- There are no other feasible, less intrusive alternatives to achieve this purpose.
Processing which is useful to your organisation – but is not objectively necessary for the specific purpose stated – should not be included. You will also need to demonstrate that without the processing the main purpose stated in the contract with the individual cannot be performed.
It’s important to note that only the processing which meets the criteria counts. The presence of some processing that does meet the criteria will not legitimise the presence of other processing that does not.
So, let’s go back to our motor manufacturer example. Processing which identifies how often poorly executed hill starts occur would not legitimise other processing that, say, tracked the location or speed of the vehicle. The lawful basis for this additional processing would need to be considered separately.
When assessing if processing is necessary for a particular ‘online service’, you will need to consider a particular aim, purpose, or objective for the service. The EDPB says the term ‘online services’ used in its guidelines refers to ‘information society services’. These services are defined as:
“Any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of the service”.
The EDPB says this definition extends to services that are not paid for directly persons who receive them, such as online services funded through advertising.
The questions that you will need to answer when assessing contractual necessity are:
- What is the nature of the service being provided to the data subject?
- What are its distinguishing characteristics?
- What is the exact rationale of the contract?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the parties to the contract?
- How is the service promoted or advertised to the data subject?
- Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
You should also consider whether additional processing is necessary when introducing new features or technology that will affect the processing of information.
Additionally, if the contract consists of several separate services, or elements of a service, you will need to assess whether the processing is objectively necessary in the context of each of those services - separately.
Processing may be necessary for performance when:
- You need credit card information and a billing address for payment purposes
- You need a home address for delivery
- You need to give formal reminders regarding outstanding payments
- You need to correct errors or notify the individual of delays in the performance of the contract
- You need to store personal data for a specified retention period after an exchange of goods/services/payment for the purpose of warranties
- You need to terminate an agreement, i.e. returning goods, refunding payment or other administrative actions
- You need to personalise content that is intrinsic and necessary to performance and expected by the individual as part of the provision of an online service – but is not just being used to increase user engagement
- You need to establish a company-wide internal employee database: containing the name, business address, telephone number and email address of all employees, to enable employees contact their colleagues
- You need to retain, for a specified period of time, the address details and information for a request an individual has made
Processing is not likely to be necessary for performance when:
- You are building profiles of your user’s tastes and lifestyle choices based on their visits to your website
- Marketing is unsolicited and carried out solely on the initiative of your organisation, or at the request of a third party
- It is being collected for organisational metrics relating to a service
- It is for the purpose of improving a service
- It is to develop new functions within an existing service
- It is for fraud prevention purposes
- It is used for online behavioural advertising, and associated tracking and profiling
- You are providing personalised product suggestions to increase interactivity
- It is being used to electronically monitor employee use of the internet, email or telephones