<iframe src="//www.googletagmanager.com/ns.html?id=GTM-5T7PGR" height="0" width="0" style="display:none;visibility:hidden">


The EDPB is limiting the application of certain lawful bases for data processing around online services – what you need to know

Posted by on 15 April 2019

The European Data Protection Board (EDPB) has published guidelines on the use of processing of personal data necessary for the performance of a contract as a legal basis under Art. 6.1 lit. b General Data Protection Regulation (GDPR). The guidelines are now in the public consultation phase.

EDPB-lawful-basis-data-processing-benz-mattigThe Charter of Fundamental Rights of the European Union and the GDPR require that data has to be processed in a fair manner, for a specified purpose and on the basis of a legitimate ground. One of the recognised grounds is the necessity of processing for the performance of a contract. When opting for this or any other ground for processing, a controller always has to take into account the impact on the data subject as well as the principle of fairness. This also includes the principle of transparency.

Against the backdrop of today's society, the always-on mobile internet and wide variety of connected devices that foster the development of online services such as social media, e-commerce and internet searches financed by advertisement, the EDPB considered it appropriate to draft guidelines regarding the use of Art. 6 lit. b GDPR in the context of online services. The guidelines shall ensure that controllers only rely upon the legal ground of processing necessary for performance of a contract where that is appropriate and fair.

The newly published "Guidelines 2/2019 on the processing of personal data under Art. 6.1 lit. b GDPR in the context of the provision of online services to data subjects" restrict the use of this lawful basis in the context of online services substantially. The guidelines are applicable to the processing of personal data in the context of contracts for online services irrespective of where their funding comes from. In particular, they focus on the following issues:

  • The interaction of Art. 6 lit. b GDPR with other lawful bases for processing. In particular, the EDPB considers that where processing is not in fact necessary for the performance of a contract, the controller should rely upon another lawful basis.
  • The scope of Art. 6.1 lit. b GDPR and the term necessity. The EDPB states in this regard that "necessity" does not simply mean what is permitted by or written in the contract.
  • 6.1 lit. b GDPR together with the accountability principle requires that the processing takes place in the context of a valid contract and that the processing is necessary so that the particular contract with the data subject can be performed.
  • The effects of the termination of a contract on processing, a point that has to be anticipated by the controller when the contract enters into effect.
  • The necessity for taking steps prior to entering into a contract should not cover unsolicited marketing or other processing activities which are carried out solely on the initiative of the data controller or at the request of a third party.
  • The application of Art. 6.1 lit. b GDPR to specific situations.

For more information, please do get in touch with us or click on the button below for the full text of the guidelines in English.



If you liked this article, you might be interested in reading about:

Shedding some light on the territorial scope of the GDPR, by Nicola Benz and Cornelia Mattig

Checklist for a controller and processor agreement under the GDPR, by Nicola Benz and Ronald Kogens

Checklist Privacy Policy under the GDPR, by Nicola Benz and Cornelia Mattig

Simple in theory, complex in practice: the dual role as controller and processor under the General Data Protection Regulation, by Nicola Benz and Ronald Kogens 

Check for GDPR Compliance and receive a customised list of next steps for free, by Ronald Kogens and Nicola Benz


Photo by Josh Sorenson/Pexels

Topics: Data Protection | Intellectual Property

Name 13

Nicola Benz

Nicola Benz’s practice is focused on technology and life sciences transactions. She assists technology companies of all sizes, from start-ups to established players, as well as investors, suppliers and customers across a broad range of industries and sectors. Nicola Benz’s expertise covers outsourcing, licensing, joint ventures and collaborations and associated intellectual property issues. She also has considerable experience advising on all types of commercial contracts, competition and regulatory issues and data protection. Nicola Benz is recognised as a globally leading patent and technology licensing lawyer, as well as a leading practitioner in the field of intellectual property. Chambers Europe (2018) ranked her as leader in the fields of Intellectual Property and Life Science, and she was recommended in the 2018 edition of the Legal 500 EMEA for Intellectual Property as well as TMT matters. She has also been named as a thought leader for data law in the publication "Who's Who Legal 2018". Born in Scotland, Nicola obtained her law degree from the University of Edinburgh (LLB Hons) in 1997. She joined our firm as an associate in 2002 and became a partner in 2010. Since 2017 she has been the managing partner of our firm. Her working languages are English and German. Nicola is a member of the Zurich Bar Association, the International Trademark Association (INTA), the Licensing Executives Society (LES) and the International Technology Law Association (iTechLaw).

Connect with me:
Name 13

Cornelia Mattig

Cornelia Mattig specialises in data protection and intellectual property law, as well as corporate and commercial law issues. Cornelia Mattig joined Froriep as an associate in 2018. Before joining Froriep, Cornelia Mattig trained with firms in Ireland, Germany and Switzerland as well as at the District Court of March in the Canton of Schwyz. After she passed the Bar exam in the Canton of Schwyz, she worked as a notary public and lawyer in an accounting and auditing firm. She graduated from the University of Zurich with a Master of Law (Business Law) in 2014 before obtaining her LL.M. in European Law at Queen Mary University of London in 2017. She was admitted to the Bar in 2018. She also holds a Data Protection Officer Certificate from the University of Maastricht. Her working languages are German and English.

Connect with me: