Who: European Data Protection Board (EDPB)
Where: European Union
When: 8 October 2019
Law stated as at: 28 November 2019
What happened:
The EDPB has stressed the importance of identifying an appropriate legal basis for processing personal data in its Guidelines (2/2019) on the processing of personal data under Article 6(1)(b) of the GDPR. In particular, it has highlighted the importance of identifying the appropriate legal basis that corresponds to the objective and essence of the processing intended by the controller.
The Guidelines set out a procedure for establishing an appropriate legal basis for processing data:
- Prior to processing personal data, the controller must always first establish the purpose of processing and then assess the legal basis, under Article 6(1)(a) to (f) of the GDPR, which the processing relies on. In the Guidelines, the EDPB focuses primarily on Article 6(1)(b) of the GDPR.
- Under the legal basis of Article 6(1)(b) of the GDPR, processing is lawful if and to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. Keeping in mind the principles of fairness, transparency and minimisation set out in Article 5(1)(a) and (b) of the GDPR, when it comes to processing personal data, the emphasis of Article 6(1)(b) of the GDPR is on the word “necessary”.
- Processing for the performance of a contract is considered to be necessary when a data subject can reasonably expect the processing intended by the controller and the processing is “objectively necessary” for performing the contract. In other words, if the controller has less intrusive alternatives than processing the personal data at their disposal to perform the contract, and the processing of personal data is merely useful for them, Article 6(1)(b) of the GDPR is not the appropriate legal basis.
- The processing of personal data cannot be legitimised under Article 6(1)(b) of the GDPR by simply including a clause in the contract to make the processing binding on the parties; this type of clause would not usually meet the requirements for a valid consent according to Article 6(1)(a) in connection with Article 7 of the GDPR.
- If a specific process cannot rely on the legal basis of Article 6(1)(b) of the GDPR, this does not mean that the process cannot be carried out. The controller must assess whether another legal basis under Article 6(1) of the GDPR can be considered appropriate.
In the context of advertising and marketing, establishing a legal basis for processing personal data has proven difficult for online advertising. In particular, for controllers providing online information society services, the controller is not able to process the personal data for behavioural advertising or be aware of the data collected for online behavioural advertising. This is often because cookies and other tracking technology may be applied without the controller’s knowledge. Many controllers seek to rely on legitimate interests on the basis that the advertising funds the service. This position is unlikely to be sustainable as data-protection rights tighten up through EDPB guidance and users become more aware of their rights.
Why this matters:
The Guidelines confirm how strictly data protection is handled within the EU, but do not shed any new light on establishing a legal basis for processing data. Nonetheless, they set out in detail the considerations that platforms, brands and adtech providers should have in mind when conducting online advertising.