Sometimes, data might be processed based on article 6.1(b) of the GDPR:
Processing of personal data is lawful when it is necessary for the performance of a contract to which the data subject is party. The scope of this legal basis is limited by the criterion of “necessity”, which requires a direct and objective link between the processing itself and the purposes of the contractual performance expected from the data subject. Indeed, this legal basis only legitimates processing that is in fact necessary for such goal. On the contrary, if processing is not in fact necessary for the performance of a contract, such processing can take place only if it relies on another appropriate legal basis.
Thus, the idea of necessity is key in order to determine whether this legal basis is applicable to the processing or not. The EDBP adopted in 2019 its Guidelines on the processing of personal data under Article 6(1) (b) GDPR in the context of the provision of online services to data subjects that are particularly relevant to this issue. According to these Guidelines, the use of data might be necessary for the performance of a contract with a data subject, or in order to take pre-contractual steps at the request of a data subject.
It is important to note that the concept of what is ‘necessary for the performance of a contract’ is not simply an assessment of what is permitted by or written into the terms of a contract. The concept of necessity involves several requirements.
- First, the processor shall identify the concrete purpose for the processing, since in the context of a contractual relationship, there may be a variety of purposes for processing and not all of them are necessary for the performance of a contract or in order to take pre-contractual steps. Thus, the concrete purposes to be legitimated via this legal basis shall be clearly specified and communicated to the data subject, in line with the controller’s purpose limitation and transparency obligations. If, for instance, these purposes are necessary for the controller’s other business purposes, but not for the specific performance of the contract with the subject, these might be lawful under the legitimate interest legal basis or consent, but not under the performance of a contract basis. Moreover, of course, sometimes processing would not be covered by any legal basis and, thus, should be avoided.
- Second, one must keep in mind that there are three main conditions that need to be met to assess that this legal basis applies in a concrete contract, namely: (a) a contract exists, (b) the contract is valid pursuant to applicable national contract laws, and (c) that the processing is objectively necessary for the performance of the contract. This last part is particularly important: objectively necessary means that this need relates to “a purpose that is integral to the delivery of that contractual service to the data subject. Included here is processing of payment details for charging for the service. The controller should be able to demonstrate how the main object of the specific contract with the data subject cannot, in fact, be performed if the specific processing of the personal data in question does not occur. The important issue here is the nexus between the personal data and processing operations concerned, and the performance or non-performance of the service provided under the contract.”  That is, the fact that the processing of personal data is included as an obligation in a contract does not make it “necessary for the performance of a contract” in the terms of the data protection legislation. Thus, if the controller introduces a condition in the contract that obliges the data subject to allow the processing, even though this processing is not strictly necessary to perform the contract, the legal basis is not applicable to this scenario. If there are realistic, less intrusive alternatives, the processing is not ‘necessary’.” 
- Last but not least, controllers should always remember that both purpose limitation and data minimization principles are particularly relevant when a controller uses “performance of a contract” as a legal basis for data processing, since the contracts for online services (which are the typical services linked to IoT devices) are not usually negotiated on an individual basis.
|Box 5: Can profiling be considered as necessary for the performance of a contract? The EDPB acknowledged that personalization of content may constitute an essential or expected element of certain services, and therefore may be regarded as necessary for the performance of the contract with the service user in some cases. Whether such processing can be regarded as an intrinsic aspect of a service, will depend on the nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalization. Where personalization of content is not objectively necessary for the purpose of the underlying contract, for example where personalized content delivery is intended to increase user engagement with a service but is not an integral part of using the service, data controllers should consider an alternative lawful basis where applicable.
Instead, behavioral advertising and associated tracking and profiling of data subjects cannot be based on the performance of a contract legal basis, not even where such advertising indirectly funds the provision of the service. Such processing is separate from the objective purpose of the contract between the user and the service provider, and therefore not necessary for the performance of the contract at issue. Therefore, the controllers should use other legal basis like consent or legitimate interest if they are willing to proceed in such way.
Source: EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1) (b) GDPR in the context of the provision of online services to data subjects Adopted on 9 April 2019, at: https://edpb.europa.eu/sites/default/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf
|Checklist: performance of a contract
☐ The controllers are able to demonstrate that, after assessing the circumstances at stake they have concluded that performance of a contract is the most appropriate legal basis for processing.
☐ The controllers can demonstrate that processing is objectively necessary for the performance of the contract. To this purpose, they have answered to these questions:
☐ The controllers have informed the data subjects about the need to process their data on this legal basis.
☐ If special categories of data need to be processed, controllers have identified an exception to the veto included in article 9.1 the GDPR in article 9.2.
☐ Where broad consent is used, the controller is particularly the data subjects are given the opportunity to withdraw their consent and to choose whether to participate in certain research and parts of it.
☐ The controllers do not extend this legal basis to the processing of data that are not strictly necessary to perform the contract.
☐ The controllers are aware that the inclusion of a condition to sign the contract that involves data processing does not justify that this processing is necessary for the performance of the contract.
1Article 29 Working Party Guidelines on consent under Regulation 2016/679 (WP259), endorsed by the EDPB, page 19. ↑
2Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects Adopted on 9 April 2019, at: https://edpb.europa.eu/sites/default/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf ↑
3Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects Adopted on 9 April 2019, at: https://edpb.europa.eu/sites/default/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf ↑
4Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects Adopted on 9 April 2019, at: https://edpb.europa.eu/sites/default/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf ↑