Metamorphosis of contractual necessity as a lawful basis of processing under the GDPR

Viewpoints
January 19, 2023

Under the GDPR, the processing of personal data requires a lawful basis. These include, among others, the processing of data: with the data subject’s consent; where processing is necessary for the performance of a contract; and where processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party. 

Legitimate interests and consent are frequently relied upon by organizations, with contractual necessity tending to be one of the lesser used bases of processing. However, two recent decisions by the Irish data protection regulator (the DPC) have brought the lawful basis of contractual necessity into focus, and relying on contractual necessity as a lawful basis of processing may not be as straightforward as it might have seemed.

Assessments of contractual necessity under the DPC decisions

In the decisions, the DPC found that the service provider in this case was not entitled to rely on contractual necessity as a lawful basis for its processing of personal data for targeted advertising on its social media platforms, and that it had not provided data subjects with sufficient information about that processing, as a result of the way its terms of service were structured and presented to users.

The DPC decisions also contain excerpts of the European Data Protection Board’s (EDPB) binding decisions, which reflect the outcome of objections raised by other EEA data protection regulators to the EDPB regarding the DPC’s initial decisions in 2021. The DPC decisions thus contain two slightly differing assessments of contractual necessity: the DPC’s assessment and the EDPB’s assessment.

Under the DPC’s assessment, an organization may only rely on contractual necessity if it can establish: (i) the relevant contract; (ii) the performance of the contract; and (iii) the necessity of the processing.

  1. Contract: As a preliminary point, the DPC noted that it, as a data protection regulator, was not empowered to determine the validity of contracts under the GDPR. However, with regards to the particular aim, purpose or objective of the service, the DPC found that the relevant contract between the service provider and its users was the service provider’s terms of service. A separate data policy, which was referenced in the terms of service through a hyperlink, was not deemed to be a part of the relevant contract as it was a “transparency and not a contractual document”.
  2. Performance: The DPC deemed a contract to be performed when each party “discharges their contractual obligations as has been agreed by reference to the bargain struck between the parties”.
  3. Necessity: The processing must be necessary to perform the “core functions” of the contract, which should be considered in conjunction with the performance, necessity and content of the contract. The DPC also found that processing does not necessarily have to be minimal in order to meet the necessity test; such processing will still meet the necessity test if it renders a lawful objective “more effective”, although the mere inclusion of a term in a contract does not necessarily mean that it would meet this test.

Under the EDPB’s assessment, an organization may only rely on contractual necessity if it can establish that: (i) the contract exists and is valid under national law; and (ii) the processing is objectively necessary to perform the contract. To look at this in detail:

  1. Existence and validity: While the EDPB agreed that supervisory authorities do not have a broad and general competence to determine contractual matters under the GDPR, it nevertheless considered that the GDPR granted supervisory authorities a limited competence to assess a contract’s general validity insofar as it was relevant to the fulfilment of their tasks under the GDPR. In this regard, the EDPB determined that the validity of the contract would be questionable if users were unaware of it, or if they were not provided sufficient information on, when acting as data controller, the service provider’s reliance on contractual necessity as a lawful basis of processing.
  2. Objectively necessary: The EDPB set out that objective necessity should be assessed with regards to the particular aim, purpose or objective of the service, and the data controller should be able to justify the necessity of its processing by reference to a mutually understood contractual purpose, which includes both the data controller’s perspective and a reasonable data subject’s perspective when entering into the contract. The EDPB determined that the main purpose of the relevant contract was the provision of a communication platform, rather than a contract for the receipt of personalized advertisements. Further, the EDPB viewed the lack of a binding contractual obligation to provide tailored advertising to users (and the absence of a contractual penalty for failing to do so) as indicative that such processing was not necessary for the performance of the contract.

On this basis the EDPB supported a narrow and strict interpretation of “necessity”, particularly in order to prevent organizations from circumventing the requirement of consent. The EDPB determined that pursuant to the DPC’s interpretation, supervisory authorities would be obliged to consider a contract valid even in situations where it is manifestly evident that it is not, such as when there is no proof of agreement between the parties or if the contract does not comply with applicable local rules on contract. Such an interpretation risked encouraging other economic operators to rely on contractual necessity for all processing of personal data, by arguing for a connection between their economic interests and a wide ambit of processing.

Commentary and takeaways for organizations 

The DPC decisions raise several questions with regards to the use of contractual necessity as a lawful basis for processing personal data. While the EDPB’s assessment reflects the majority approach in the EEA, it is not clear what constitutes the relevant contract; in particular whether a separate document incorporated through a hyperlink would be deemed to be a part of the contract or a mere “transparency” document, as the EDPB did not expressly agree or disagree with the DPC’s assessment of the service provider’s terms of service as being the relevant contract.

Both the EDPB and DPC viewed the core, or aim/purpose/objective, of the contract as fundamental to validating the necessity of processing required for it. The EDPB’s interpretation, however, is considerably narrower than the DPC’s, which has created some confusion as to whether the DPC decisions open the door for data protection regulators to take a more active role in enforcement actions to determine the core or aim/purpose/objective of a contract.

For now, the following considerations should thus be taken into account prior to relying on contractual necessity as a lawful basis of processing:

  • The underlying contract. Organizations should examine the relevant contract with its data subjects, in particular to: (i) examine whether it is valid under national laws (such as the Unfair Contract Terms Act 1977 in the UK); (ii) assess the “core” or aim/purpose/objective of the contract; and (iii) determine whether the processing is objectively necessary to perform the contract by fulfilling the “core” or aim/purpose/objective of the contract in question. To that end, the following questions from the EDPB will also be relevant in assisting organizations to assess the suitability of contractual necessity:
    • What is the nature of the service being provided to the data subject?
    • What are its distinguishing characteristics?
    • What is the exact rationale of the contract (i.e. its substance and fundamental object)?
    • What are the essential elements of the contract?
    • What are the mutual perspectives and expectations of the parties to the contract?
    • How is the service promoted or advertised to the data subject?
    • Would an ordinary user of the service reasonably expect?
  • Relevant processing activity. Contractual necessity may not be suitable as a lawful basis of processing for certain processing activities; in particular, the EDPB has indicated that as a general rule the processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services. This will be the case even if the online service provider (such as a social media provider) relies on such advertising to fund its services. In certain cases, the personalization of content may constitute an intrinsic and expected element of the service, depending on the relevant online service in question, although this is likely to be interpreted narrowly.
  • Special categories of personal data. Where special categories of personal data (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data concerning a natural person’s sex life or sexual orientation, etc.) are to be processed, contractual necessity is not a valid option as a lawful basis of processing. A lawful basis under Article 9 of the GDPR, such as explicit consent, must be relied upon instead.
  • Applicability of the e-Privacy Directive. The e-Privacy Directive requires consent to be obtained prior to sending certain electronic communications and prior to the use of certain trackers (i.e. cookies). It also applies to information stored in a user's terminal equipment as part of their "private sphere", regardless of whether it constitutes personal data. This means that where the relevant processing activity or data falls within the scope of the e-Privacy Directive (or its national implementations in the EU or UK), contractual necessity will not be an appropriate lawful basis of processing.

Organizations should also carefully examine their lawful bases of processing. It is important to get this right from the outset, as it will be difficult to swap lawful bases once the processing has commenced. As is evident from the DPC decisions, the wrong choice of lawful basis may also undermine an organization's compliance with its transparency requirements under the GDPR. While there is no hierarchy of lawful bases under the GDPR, each lawful basis comes with its own unique considerations and will need to be tailored to the relevant processing at hand.