Last updated: 
1 month 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

EDPB on (not) Necessary for Contract

Wednesday, October 23, 2019 - 10:22

The European Data Protection Board's (EDBP) latest Guidelines further develop the idea that we should not always expect relationships involving personal data to have a single legal basis. Although the subject of the Guidelines is the legal basis "Necessary for Contract", much of the text is dedicated to pointing out the other legal bases that will often be involved in a contractual relationship. Trying to squeeze all of the processing into a single legal basis is unlikely to help either the individual ("data subject") or organisation ("data controller").

The Necessary for Contract basis is, itself, much narrower than is often claimed. First because it is limited to processing that is necessary for the performance of the specific contract with that particular data subject (para 26), or for preparatory steps such as responding to an enquiry (para 46); and second because – according to the definition of "necessary" common to all legal bases – the processing must be the least intrusive that will permit the contract to be performed (para 25). In particular, the EDPB point out that "necessary for contract" does not mean "required by contract" (para 27). Conversely, by entering into a contract, an individual does not Consent to the processing that is necessary to deliver it (para 20), otherwise they could withdraw consent at any time, which probably isn't what the supplier wants! An interesting test is suggested in paragraph 33's checklist – would the data subject view this data/processing as necessary in order to deliver what they have asked for? An important test for the data controller is that processing that is claimed to be "necessary for contract" should usually cease when the contract terminates (para 44); the EDPB mention a few exceptions, such as providing product warranties, but these are very limited (para 39). If you expect the processing to continue after the contract is performed, then it probably isn't necessary for the performance of the contract!

Instead, many of the processing activities that often surround a contract should be done under different bases and, importantly, subject to the legal conditions that apply to those bases. For example fraud prevention might be Necessary for a Legal Duty, or Necessary in the Legitimate Interests of the supplier, but it is not necessary for contract (para 51). If the legitimate interests basis is used then, as usual, there must be a balancing test of those interests against the rights and freedoms of the individual. Service improvement is not necessary for contract (para 49): it might be done by consent (for example through optional feedback forms), or perhaps as a legitimate interest, subject to the balancing test. If consent is used then it must be free, informed and opt-in, and definitely not tied to the delivery of the product or service.