The European Data Protection Board is seeking comment on proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being funded through advertising dollars, for example). The EDPB guidance points out that these services typically fall under the provision of GDPR that permits processing of personal information when it is “necessary to perform a contract.” In that regard, the guidance attempts to scope out processing that is necessary in the contractual realm. Information might be processed under one of the other legal bases that exist under GDPR, as the EDPB highlights throughout the guidance, including legitimate interest and consent. This guidance thus provides businesses with ideas about when processing might fall under the “necessary for a contract” basis as opposed to another legal basis.
In the proposed guidance, the EDPB points out that just because a particular use of information is outlined in a contract, this does not make such use “necessary.” Instead, the EDPB looks to the purpose of processing and the context of the contractual relationship. If there are less intrusive ways to process information, then the use is, according to the EDPB, not “necessary.” The EDPB provides examples, including where a user purchases something from an eRetail company by credit card, to be delivered to the user’s home. In this situation, processing the credit card number and collecting the home address are both “necessary.” But if the person wanted to pick the product up, then gathering the home address would not be “necessary.” Expanding on the example, if this same eRetailer wants to create a profile of the user’s “tastes and lifestyle choices,” it will need to rely on a legal basis outside of the contractual one, according to the guidance. Similarly, using information to understand usage of an online platform would not be a use “necessary to perform a contract,” and instead would fall under an alternate legal basis, like (according to the EDPB) legitimate interest or consent.
Putting It Into Practice: Those interested can provide comments by 24 May to EDPV@edpb.europa.eu (comments will be published on the EDPB website). In the meantime, the proposal provides a useful overview of what the EDPB considers processing that is “necessary” for the performance of a contract, and when a company would need to rely on another legal basis.