At a glance
- You can rely on this lawful basis if you need to process someone’s personal data:
- to fulfil your contractual obligations to them; or
- because they have asked you to do something before entering into a contract (eg provide a quote).
- The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply.
- You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
What does the GDPR say?
Article 6(1)(b) gives you a lawful basis for processing where:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
When is the lawful basis for contracts likely to apply?
You have a lawful basis for processing if:
- you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract.
- you have a contract with the individual and you need to process their personal data so that they can comply with specific counter-obligations under the contract (eg you are processing payment details).
- you haven’t yet got a contract with the individual, but they have asked you to do something as a first step (eg provide a quote) and you need to process their personal data to do what they ask. This applies even if they don’t actually go on to enter into a contract with you, as long as the processing was in the context of a potential contract with that individual.
An individual shopping around for car insurance requests a quotation. The insurer needs to process certain data in order to prepare the quotation, such as the make and age of the car.
It does not apply if you need to process one person’s details but the contract is with someone else.
It does not apply if you collect and reuse your customer’s data for your own business purposes, even if this is permitted under your standard contractual terms and is part of your funding model.
It does not apply if you take pre-contractual steps on your own initiative, to meet other obligations, or at the request of a third party.
Note that, in this context, a contract does not have to be a formal signed document, or even written down, as long as there is an agreement which meets the requirements of contract law. Broadly speaking, this means that the terms have been offered and accepted, you both intend them to be legally binding, and there is an element of exchange (usually an exchange of goods or services for money, but this can be anything of value). However, this is not a full explanation of contract law, and if in doubt you should seek your own legal advice.
When is processing ‘necessary’ for a contract?
‘Necessary’ does not mean that the processing must be absolutely essential or ‘the only way’ to perform the contract or take relevant pre-contractual steps. However, it must be more than just useful, and more than just part of your standard terms. It must be a targeted and proportionate step which is integral to delivering the contractual service or taking the requested action. This lawful basis does not apply if there are other reasonable and less intrusive ways to deliver the contractual service or take the steps requested.
The processing must be necessary to perform the contract with this particular person. If the processing is instead necessary to maintain your business model more generally, or is included in your terms for other business purposes beyond delivering the contractual service, this lawful basis will not apply and you should consider another lawful basis, such as legitimate interests.Example
When a data subject makes an online purchase, a controller processes the address of the individual in order to deliver the goods. This is necessary in order to perform the contract.
However, the profiling of an individual’s interests and preferences based on items purchased is not necessary for the performance of the contract and the controller cannot rely on Article 6(1)(b) as the lawful basis for this processing. Even if this type of targeted advertising is a useful part of your customer relationship and is a necessary part of your business model, it is not necessary to perform the contract itself.
This does not mean that processing which is not necessary for the contract is automatically unlawful, but rather that you need to look for a different lawful basis (and other safeguards such as the right to object may come into play).
What else should we consider?
If the processing is necessary for a contract with the individual, processing is lawful on this basis and you do not need to get separate consent.
If processing of special category data is necessary for the contract, you also need to identify a separate condition for processing this data. Read our guidance on special category data for more information.
If the contract is with a child under 18, you need to consider whether they have the necessary competence to enter into a contract. If you have doubts about their competence, you may wish to consider an alternative basis such as legitimate interests, which can help you to demonstrate that the child’s rights and interests are properly considered and protected. Read our guidance on children and the GDPR for more information.
If the processing is not necessary for the contract, you need to consider another lawful basis such as legitimate interests or consent. Note that if you want to rely on consent you will not generally be able to make the processing a condition of the contract. Read our guidance on consent for more information.
If you are processing on the basis of contract, the individual’s right to object and right not to be subject to a decision based solely on automated processing will not apply. However, the individual will have a right to data portability. Read our guidance on individual rights for more information.
Remember to document your decision that processing is necessary for the contract, and include information about your purposes and lawful basis in your privacy notice.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.
The EDPB has adopted draft guidelines for public consultation on processing under Article 6(1)(b) in the context of online services.
Thank you for reading.