Contract is the third most common legal basis for organizations to process personal data. In order to determine whether a controller can use contract as the legal ground for processing personal data, ask whether the processing is:
- For the performance of a contract to which the individual is a party
- In order to take steps at the request of the individual prior to entering into a contract
Performance of a contract to which the individual is a party must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract. It is important to determine the exact rationale of the contract, i.e., its substance and fundamental objective. This legal ground only applies to “performance” of a contract and does not apply to all actions taken in the execution of a contract. The fact that some data processing is covered by a contract does not mean that the processing is “necessary” for its performance. Common examples of processing for the performance of a contract are processing an individual’s address so that goods bought online can be delivered or processing credit card details in order to pay for goods bought online.
Processing that takes place “prior” to entering into a contract covers precontractual actions, provided that the steps are taken at the request of the individual and are not initiated by the controller or a third party. Common examples of processing prior to entering into a contract are an individual asking a retailer to send offers for products, with the retailer keeping the address details and information on the offers requested for a limited time period, or an individual requesting a quote for car insurance, with the insurer using the make and age of the car in order to prepare the quote. On the other hand, direct marketing at the initiative of the retailer is not an example of processing at the request of the individual.
This blog concludes the discussion of the three most common legal grounds for processing personal data – consent, legitimate interest and contract. The next blog will start a discussion of the rights individuals have under the GDPR, beginning with the different types of privacy notices.
This blog is the 21st in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.