
EDPB on (not) Necessary for Contract

The European Data Protection Board’s (EDPB) latest Guidelines further develop the idea that we should not always expect relationships involving personal data to have a single legal basis. Although the subject of the Guidelines is the legal basis “Necessary for Contract”, much of the text is dedicated to pointing out the other legal bases that will often be involved in a contractual relationship. Trying to squeeze all of the processing into a single legal basis is unlikely to help either the individual (“data subject”) or organisation (“data controller”).

The Necessary for Contract basis is, itself, much narrower than is often claimed. First because it is limited to processing that is necessary for the performance of the specific contract with that particular data subject (para 26), or for preparatory steps such as responding to an enquiry (para 46); and second because – according to the definition of “necessary” common to all legal bases – the processing must be the least intrusive that will permit the contract to be performed (para 25). In particular, the EDPB point out that “necessary for contract” does not mean “required by contract” (para 27). Conversely, by entering into a contract, an individual does not Consent to the processing that is necessary to deliver it (para 20), otherwise they could withdraw consent at any time, which probably isn’t what the supplier wants! An interesting test is suggested in paragraph 33’s checklist – would the data subject view this data/processing as necessary in order to deliver what they have asked for? An important test for the data controller is that processing that is claimed to be “necessary for contract” should usually cease when the contract terminates (para 44); the EDPB mention a few exceptions, such as providing product warranties, but these are very limited (para 39). If you expect the processing to continue after the contract is performed, then it probably isn’t necessary for the performance of the contract!

Instead, many of the processing activities that often surround a contract should be done under different bases and, importantly, subject to the legal conditions that apply to those bases. For example, fraud prevention might be Necessary for a Legal Duty, or Necessary in the Legitimate Interests of the supplier, but it is not necessary for contract (para 51). If the legitimate interests basis is used then, as usual, there must be a balancing test of those interests against the rights and freedoms of the individual. Service improvement is not necessary for contract (para 49): it might be done by consent (for example through optional feedback forms), or perhaps as a legitimate interest, subject to the balancing test. If consent is used then it must be free, informed and opt-in, and definitely not tied to the delivery of the product or service.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
