Guidelines 02/2019 on processing of personal data under 6(1)(b) GDPR in the context of the provision of online services to data subjects
Section 1.1 Background
1. Pursuant to Article 8 of the Charter of Fundamental Rights of the European Union, personal data must be processed fairly for specified purposes and on the basis of a legitimate basis laid down by law. In this regard, Article 6(1) of the General Data Protection Regulation (GDPR) specifies that processing shall be lawful only on the basis of one of six specified conditions set out in Article 6(1)(a) to (f). Identifying the appropriate legal basis that corresponds to the objective and essence of the processing is of essential importance. Controllers must, inter alia, take into account the impact on data subjects’ rights when identifying the appropriate lawful basis in order to respect the principle of fairness.
2. Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. This supports the freedom to conduct a business, which is guaranteed by Article 16 of the Charter, and reflects the fact that sometimes the contractual obligations towards the data subject cannot be performed without the data subject providing certain personal data. If the specific processing is part and parcel of delivery of the requested service, it is in the interests of both parties to process that data, as otherwise the service could not be provided and the contract could not be performed. However, the ability to rely on this or one of the other legal bases mentioned in Article 6(1) does not exempt the controller from compliance with the other requirements of the GDPR.
3. Articles 56 and 57 of the Treaty on the Functioning of the European Union define and regulate the freedom to provide services within the European Union. Specific EU legislative measures have been adopted in respect of ‘information society services’. These services are defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” This definition extends to services that are not paid for directly by the persons who receive them, such as online services funded through advertising. ‘Online services’ as used in these guidelines refers to ‘information society services’.
4. The development of EU law reflects the central importance of online services in modern society. The proliferation of always-on mobile internet and the widespread availability of connected devices have enabled the development of online services in fields such as social media, e-commerce, internet search, communication, and travel. While some of these services are funded by user payments, others are provided without monetary payment by the consumer, instead financed by the sale of online advertising services allowing for targeting of data subjects. Tracking of user behaviour for the purposes of such advertising is often carried out in ways the user is often not aware of, and it may not be immediately obvious from the nature of the service provided, which makes it almost impossible in practice for the data subject to exercise an informed choice over the use of their data.
5. Against this background, the European Data Protection Board (EDPB) considers it appropriate to provide guidance on the applicability of Article 6(1)(b) to processing of personal data in the context of online services, in order to ensure that this lawful basis is only relied upon where appropriate.
6. The Article 29 Working Party (WP29) has previously expressed views on the contractual necessity basis under Directive 95/46/EC in its opinion on the notion of legitimate interests of the data controller. Generally, that guidance remains relevant to Article 6(1)(b) and the GDPR.