Entering into contracts or agreements is one of the main reasons to process personal data. However, most agreements are drafted by companies from a one-sided perspective and presented to consumers as terms and conditions. This kind of contractual relationship may give rise to breaches of data protection law where the collection of personal data is not necessary, or is not compliant with data protection laws and other laws. In this article, personal data processing in the context of agreements, in particular consumer contracts, is reviewed in light of the remarks and opinions of the European Data Protection Board.

Determining the Purposes to Collect Personal Data

Before processing personal data, and while deciding which data will be processed under a contractual relationship, data controllers have to define their purposes for processing such data. Article 5(1)(b) of the GDPR[1] provides, under the purpose limitation principle, that personal data must be collected for specified, explicit, and legitimate purposes[2]. After collection, such data must also not be further processed in a manner that is incompatible with those initial purposes[3].

Purpose specification is the first step towards establishing lawful processing and “lies at the core of the legal framework established for the protection of personal data[4]”. Data controllers must consider for what purposes the personal data will be processed, and “must not collect personal data which are not necessary, adequate or relevant for the purpose or purposes which are intended to be served[5]”. Purpose specification is an internal assessment that has to be carried out by the data controller as a requirement of accountability[6]. Moreover, purposes have to be detailed enough to avoid any vague or overly general descriptions[7] when informing data subjects, and they have to be explicit, “in other words, they must be clearly revealed, explained or expressed in some intelligible form[8]”. Following the specification assessment, the legitimacy of such purposes has to be checked not only under the GDPR, to decide which legal basis will apply to the processing, but also under laws other than the GDPR, to ensure that the processing does not violate any law and complies with all provisions of that legal system.

Identification of the Appropriate Lawful Basis

Among the conditions stipulated under Article 6(1) of the GDPR, Article 6(1)(b)[9] is the most relevant one when determining the proper legal basis for processing carried out for the establishment and performance of a contract. Where the contractual obligations towards the data subject cannot be performed, or the contract cannot be facilitated, without the data subject providing certain personal data, such processing will be deemed necessary. However, at the stage of establishing the contract, the personal data has to be needed in response to a request of the data subject.

In cases where one side of the contract is more dominant, such as consumer contracts or employment contracts, the dominant party usually sets the terms and provisions of the contract. However, where the necessity of a given item of personal data for a contractual relationship is being assessed, the outcome has to be objective and the perspective of an average data subject has to be taken into consideration[10]. The mere fact that a contract contains terms or provisions indicating such data processing does not make the processing necessary under the contract[11]. Additionally, bundled services prepared by companies cannot be accepted as a necessity to process personal data either. Bundled services that can be separated from each other do not constitute an objective necessity under Article 6(1)(b).

The main subject of the contract has to be assessed, and the objective necessity has to be determined on the basis of that assessment. For example, the education level, job or sex of a consumer is not necessary to facilitate an online magazine subscription contract.

However, most companies tend to collect more data than is necessary for the establishment or performance of contracts. The main motive for collecting more data than is necessary under a contract is usually profiling[12] consumers for targeted advertising purposes. Even though profiling for advertising may have specified and explicit purposes, such processing cannot be regarded as a necessary step in terms of a contract under Article 6(1)(b) of the GDPR.

Consider a controller that has not collected any unnecessary data from consumers who entered into a contractual relationship with it, but that plans to profile those consumers based on their personal data concerning the contract (such as their previous transactions or delivery addresses). Such a controller cannot rely on Article 6(1)(b) of the GDPR for the profiling. To rely on Article 6(1)(f)[13] instead, it must carry out a balancing assessment[14] to decide whether its interests in the profiling are overridden by the data subject’s interests or fundamental rights and freedoms[15] under Article 6(1)(f).

Moreover, consumer complaints regarding a defect in a product, requests under the warranty, or termination notices can be processed based on Article 6(1)(f). However, in such situations data controllers have to foresee the lifespan of that service and inform data subjects about the future data processing that might be conducted in various scenarios, such as legal requirements to retain such data after termination, or retention periods due to legal claims.

Author: Aslı Naz Ünlü

[1] Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).

[2] For the corresponding Turkish data protection provision, see Article 4(2)(c) of the Turkish Personal Data Protection Law no. 6698, which stipulates that personal data has to be processed for specified, explicit, and legitimate purposes.

[3] The European Data Protection Board, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, October 8, 2019, p. 6(14).

[4] Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation, April 2, 2013, p. 15.

[5] Ibid, p. 15.

[6] See Article 5(2) of GDPR.

[7] See the examples of vague or general purposes from Article 29 Data Protection Working Party, such as 'improving users' experience', 'marketing', 'IT-security' or 'future research', Ibid, p. 52, examples 7-8.

[8] Ibid, p. 17.

[9] Article 6(1)(b) of GDPR, “…processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”

[10] The European Data Protection Board, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, October 8, 2019, p. 10(32).

[11] Ibid, p. 9(27).

[12] For the definition of profiling see Article 4(4) of GDPR; see also Article 29 Data Protection Working Party, “Profiling means gathering information about an individual (or group of individuals) and evaluating their characteristics or behavior patterns in order to place them into a certain category or group, in particular to analyse and/or make predictions about, for example, their ability to perform a task, interests, likely behavior. Profiling may occur in three different forms such as general profiling, decision-making based on profiling, and automated decision-making, including profiling. Solely automated decision-making is the ability to make decisions by technological means without human involvement.”, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, February 6, 2018, p. 8.

[13] Article 6(1)(f) of GDPR, “…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

[14] The level of detail of the profile, the comprehensiveness of the profile, the impact of the profiling, and the safeguards aimed at ensuring fairness, non-discrimination and accuracy in the profiling process are to be taken into consideration; see Article 29 Data Protection Working Party, Ibid, p. 14.

[15] See also Article 29 Data Protection Working Party, “…it would be difficult for controllers to justify using legitimate interests as a lawful basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.” Ibid, p. 15.