Key References:

Contractual Necessity

  • Pursuant to Art. 6(1)(b), contractual necessity is one of the six available lawful bases for processing personal data.
  • Pursuant to Recital 44, processing will be lawful even when there is only the intention to enter into a contract.

Art. 6: Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

EDPB Guidelines 2/2019 on the processing of personal data under Article (6)(1)(b)

  • The EDPB has provided guidance on when it is applicable to rely on Art. 6(1)(b) as the lawful basis for processing.
  • The EDPB has said that it is important to consider the interaction of contractual necessity under Art. 6(1)(b) with other lawful bases in Art. 6(1)(a)-(f). The Guidance states that the lawful basis or bases for processing must be identified prior to processing, and when processing is not considered ‘necessary for the performance of a contract’, then other bases such as freely given consent under Art. 6(1)(a) or legitimate interests under Art.6(1)(f) might be more appropriate.
  • The Guidance states that Art. 6(1)(b) applies where either of two conditions are met:
    • (1) the processing is objectively necessary for the performance of a contract with a data subject, or
    • (2) the processing is objectively necessary in order to take pre-contractual steps at the request of a data subject.
  • The Guidance further states that when processing is based on Art. 6(1)(b) and the contract is terminated in full, then as a general rule, the controller will need to stop processing.
  • The EDPB provides some examples of specific situations where contractual necessity is generally not considered as being objectively necessary for the performance of the contract with the user. These include:
    • processing for ‘service improvement’,
    • processing for ‘fraud prevention’, (when it may involve monitoring and profiling customers)
    • processing for online behavioural advertising

However, EDPB states processing for ‘personalisation of content’ may be regarded as necessary for the performance of the contract depending on factors such as whether such processing is “an intrinsic aspect of an online service”, “the nature of the service”, “the expectations of the average data subject”, “the terms of service”, “the way the service is promoted to users, and whether the service can be provided without personalisation”.