New guidelines for data processing in the context of online services
On 9 April 2019, the European Data Protection Board (EDPB) adopted guidelines on the application of Article 6(1)(b) of the General Data Protection Regulation (GDPR) in the context of online services. These guidelines cover all services in the field of e-commerce, in particular data processing in connection with the online sale of goods. They restrict the possibility for companies to rely on the legal basis "performance of a contract" when processing the personal data of their users.
Article 6(1)(b) GDPR permits the processing of personal data if this is necessary for the performance of a contract or to take pre-contractual steps.
As a result of technological advances, it is particularly easy for online service providers to collect a large amount of data about their users. According to the EDPB, there is a risk that providers of online services may classify all data processing as part of the contract by including it in the contract text, thereby circumventing the strict rules requiring separate consent of the user. This is not allowed under the new guidelines.
Accordingly, data processing only falls under Art. 6(1)(b) GDPR if it is objectively necessary to perform a valid contract. However, this does not merely depend upon the contract text, which is usually issued by the service provider, but requires an evaluation of the nature and the rationale of the contract, taking into account the principles of data minimisation, fairness and transparency as well as the mutual expectations of the contracting parties.
Although the EDPB guidelines are not legally binding, it is nevertheless to be expected that the supervisory authorities will comply with them. The EDPB is an independent European body with the objective of contributing to the uniform application of data protection law in the European Union and facilitating cooperation between the supervisory authorities.
In cases where these new requirements are not satisfied, the data processing must be based on another legal basis, such as consent or legitimate interest.