On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects (the “Guidelines”).
Background
The basis for processing personal data must rest on one of the six legal bases provided for in Article 6(1)(a) to (f) of the EU General Data Protection Regulation (“GDPR”). Article 6(1)(b) of the GDPR provides the “contract” legal basis: situations where the processing is necessary (1) for the performance of a contract to which the data subject is party or (2) to take steps at the request of the data subject prior to entering into a contract, regardless of whether the contract is governed by the law of an EU Member State of the European Economic Area (“EEA”) or the law of a third country.
The Guidelines discuss how the “contract” legal basis applies in the context of online services or “information society services,” defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” This includes services that are not paid for directly by the individuals who receive them, such as online services funded through advertising.
The Guidelines note that the Article 29 Working Party’s previous guidance on the “contract” legal basis under the EU Data Protection Directive remains generally relevant. Against that background, the Guidelines focus on appropriate recourse to the “contract” legal basis in the context of online services. To that end, the Guidelines (1) outline the general conditions that data controllers must meet in order to rely on the basis and (2) discuss how it applies in specific situations when providing online services.
Conditions for Relying on the “Contract” Legal Basis
- Necessity: Necessity is a prerequisite for relying on the “contract” legal basis. The processing must be objectively “necessary” either for performing a contractual service or for taking relevant pre-contractual steps at the request of the data subject. If there are realistic, less intrusive alternatives to achieve the objective pursued, the data processing will not be considered “necessary.”
- Necessary for performance of a contract with the data subject: Where a data controller seeks to establish that the processing is based on the performance of a contract with the data subject, the data controller must be able to demonstrate for accountability purposes that (1) a contract exists between the parties; (2) the contract is legally valid; (3) the processing is objectively necessary for a purpose that is integral to delivering the online contractual service to the data subject. The Guidelines confirm that merely referencing or mentioning the data processing in a contract is not enough to establish that the processing is necessary to perform the contract. In this respect, the Guidelines endorse the guidance previously provided by the Working Party in its Opinion on the notion of legitimate interests under the EU Data Protection Directive; and in so doing, suggesting a narrow interpretation of the “contract” legal basis under the GDPR in the context of online services. The Guidelines further provide four questions to help businesses assess whether they may rely on the “contract” legal basis for processing in that context. This assessment must be conducted before data processing commences, and for each individual service the data subject has actively requested or signed up for if the contract consists of several separate services or elements of a service that can in fact reasonably be performed independently of one another.
- Necessary for taking steps prior to entering into a contract: The Guidelines clarify that the “necessity to take pre-contractual steps” will not cover unsolicited marketing or other data processing activity that is driven solely by the data controller’s initiative or at the request of a third party.
Applicability of the “Contract” Legal Basis in Specific Situations
The Guidelines also discuss using the “contract” legal basis for the following purposes in the context of online services:
- improving a service or developing new functions within an existing service;
- fraud prevention;
- online behavioral advertising; and
- personalization of content.
The Guidelines note that data controllers must also ensure that they comply with all the basic data protection principles set out in Article 5 of the GDPR (such as the purpose limitation and data minimization principles which are particularly relevant in contracts for online services), the other requirements of the GDPR and, where applicable, the ePrivacy requirements (such as the cookie law requirements). The EDPB is accepting comments on these Guidelines until May 24, 2019.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code