GDPR

Adatvédelem mindenkinek / Data protection for everyone

Data processing in the context of a contract

21 January 2019, 11:00 - poklaszlo

The GDPR provides various legal bases for data processing activities, including consent, legitimate interest and mandatory processing. One option is the legal basis that can be applicable to contractual relationships. According to the Preamble to the Regulation:

 Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

When can this legal basis be applicable?

Processing shall be lawful only if and to the extent that at least one of the following applies:

  • processing is necessary for the performance of a contract to which the data subject is party or
  • in order to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) (b) of the GDPR).

It is therefore a prerequisite for the application of this legal basis that the data subject shall be a contracting party in the given contract or the data processing is necessary in order to take action at the request of the data subject prior to the conclusion of the contract. (In the latter case, it is also expected that the data subject shall become a contracting party in the contract that requires the preliminary steps to be taken at the request of the data subject.)

The legal basis in connection with the performance of contracts cannot be interpreted broadly: it is only applicable to contracts where the data subject is a contracting party, or becomes a contracting party after the steps requested by him/her have been taken. The mere existence of a contract does not provide a legal basis for processing the personal data of those who are not parties to the given contract. This means that, in connection with a contractual relationship, the data processing required for the performance of the contract may have a different legal basis, such as the consent of the data subject or the legitimate interest of the controller or a third party, or the processing may even be mandatory. (For example, in the case of a contract between legal entities, legitimate interest can most probably be applied as the legal basis for processing the personal data of the contact persons specified in the contract or of employees involved in the performance of the contract. In the case of data processing for taxation or accounting purposes, compliance with a legal obligation will be the applicable legal basis.)

As regards the pre-contractual steps, it should be stressed that, even if the contract is finally concluded with the data subject, only the steps taken at the request of the data subject can be classified under this legal basis; actions initiated by the controller cannot. For actions initiated by the controller, consent or legitimate interest may be the most relevant applicable legal basis.

Which data processing activities are necessary to perform the contract? To what extent can the terms "performance of the contract" or "actions taken at the request of the data subject" be interpreted broadly?

In practice, it is open to discussion what data processing is actually required for the performance of the contract, and to what extent the controller is free to determine the scope of data processing required for the contract.

An overly broad interpretation could lead to the use of this legal basis for data processing activities where the link to the performance of the contract is very weak (see also the Article 29 Working Party's Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC).

Therefore, in order to establish the applicability of this legal basis, the first step, taking into account the opinion of the Article 29 Working Party, is "... to determine the exact rationale of the contract, i.e. its substance and fundamental objective ....". This may serve as a basis for deciding which types of data processing can be performed under this legal basis and which are to be treated separately under a different legal basis. It is the task and responsibility of the data controller to define the substance of the contract and the underlying purpose and to adapt the necessary data processing to the contract.

At the same time, an overly narrow interpretation should also be avoided: it would severely limit the data controllers' freedom to define the substance, content and purpose of the contract, and it could separate strongly connected data processing activities, which may endanger transparency for the data subjects.

It is worth noting that, in the opinion of the Article 29 Working Party, this legal basis "[...] only applies to what is necessary for the performance of a contract. It does not apply to all further actions triggered by non-compliance or to all other incidents in the execution of a contract." (p. 17)

Distinguishing between data processing activities based on consent or on contract

The performance of the contract and consent as legal bases are similar in some respects. However, they are fully independent, separate legal bases (for example, the right of withdrawal associated with consent is not applicable to data processing based on the performance of contracts).

An important link may be that consent can be obtained even in the form of a declaration on other matters (e.g. in a contract): "If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding." (Article 7 (2) of the GDPR) However, the processing on the basis of a consent obtained in the contract and the processing of the data relating to the performance of the contract are different data processing activities.

(As regards the possible linking of data processing related to the performance of contracts and the separate processing of data on the basis of consent, account should also be taken of Article 7 (4) of the GDPR, according to which "when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract". It is worth noting that different interpretations of this Section were published by the Italian and the Austrian Supreme Courts.)

What are the implications of applying this legal basis for data processing?

The application of a contractual basis has the following consequences:

  • the controller must provide information to the data subject "whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data" (Article 13 (2) (e) of the GDPR);
  • if the other conditions are fulfilled, the data subject has the right to data portability (Article 20 of the GDPR);
  • the data subject shall not have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller (Article 22 of the GDPR).