Commentary to art. 6

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

  • In order for processing of personal data (which does not belong to any special category referred to in GDPR Article 9(1)) to be considered compatible with the GDPR, at least one of the grounds for processing indicated in GDPR Article 6(1) must apply.
  • Grounds for processing:
    • The data subject has given consent to the processing;
    • Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into the contract;
    • Processing is necessary for the performance of a legal obligation;
    • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Lawfulness of processing and GDPR Article 6(1)

One of the fundamental principles of personal data processing arising from the GDPR is the so-called principle of lawfulness of processing (for more on this principle, see the commentary to GDPR Article 5). According to this principle, in order for certain processing of personal data (other than the special categories of data referred to in GDPR Article 9(1)) to be considered compatible with GDPR, such processing must be based on one of the grounds for processing listed in GDPR Article 6(1).

In other words, if a personal data controller is unable to identify a ground for processing under GDPR Article 6(1) in relation to its processing of personal data, such processing constitutes a breach of the GDPR by that controller.

GDPR Article 6(1) provides for the following grounds for processing personal data:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Consent of the data subject as a basis for processing

The consent of the data subject as a basis for the processing of his or her personal data is described in the commentary to GDPR Article 7.

Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, as a basis for processing

Under GDPR Article 6(1)(b), processing of personal data is lawful where it is:

  • Necessary for the performance of a contract to which the data subject is a party; or
  • Necessary to take steps at the request of the data subject before entering into a contract.

When can processing be considered necessary for the performance of a contract to which the data subject is a party?

In order for the processing of personal data to be based on the ground referred to in GDPR Article 6(1)(b), in the case of processing for the performance of a contract, all of the following conditions must be met:

  • A contract has been concluded between the controller and the data subject;
  • The contract is legally valid;
  • The performance by the controller of the subject matter of the contract (e.g. services) for the benefit of the person with whom the controller has entered into the contract requires the processing of personal data of that person by the controller;
  • The processing of personal data referred to above is necessary for the performance of the subject matter of the contract by the controller.

The performance of contracts concluded with individuals often involves the processing of their personal data in different contexts, for different purposes and in different ways. In practice, it may be difficult to answer the question of whether, in a given context, a controller can rely on the above basis for processing personal data. In particular, it may be questionable to assess what is actually necessary for the performance of the contract. A careful analysis of the individual facts or service delivery models should be carried out in each case.

The European Data Protection Board's Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) of the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR) in the context of the provision of online services to data subjects, version 2.0, 8 October 2019 ("Guideline 2/2019"), may be helpful in assessing the problematic issues related to the application of the processing ground in question.

The validity of the contract and basis for data processing

The 2/2019 Guideline indicates that:

A controller can rely on the first option of Article 6(1)(b) to process personal data when he or she can, in line with his or her accountability obligations under Article 5(2), establish both that the processing takes place in the context of a valid contract with the data subject and that processing is necessary in order that the particular contract with the data subject can be performed. Where controllers cannot demonstrate that (a) a contract exists, (b) the contract is valid pursuant to applicable national contract laws, and (c) that the processing is objectively necessary for the performance of the contract, the controller should consider another legal basis for processing.

The validity of the contracts referred to above should be assessed in each case from the point of view of the law applicable to the contract in question. Such an assessment may, depending on the rules to be applied, generally include an evaluation of:

  • Whether the form of the contract is correct;
  • Whether the person concluding the contract had the capacity to do so;
  • Whether the contract has a legitimate purpose.

In the absence of a valid contract between the controller and the data subject, the controller cannot rely on the ground set out in GDPR Article 6(1)(b) to process the data of the data subject.

Data processing is necessary for the performance of the contract

In general, only personal data processing that, firstly, serves the purpose of the performance of a contract by the controller for the benefit of the data subject (in other words, the processing of personal data by the controller is part of the activities/services ordered or purchased by the data subject from the controller, or is related to other activities without which the contract would not be performed, such as payment processing) is necessary for the performance of a contract with the data subject. Secondly, the link between such processing and the provisions of the service must be such that, objectively, it would be impossible for the controller to perform the contract/service to the data subject without such processing.

With regard to the assessment of the necessity of the data processing in question for the performance of a contract, the 2/2019 Guideline further indicates that:

For applicability of Article 6(1)(b), it is required that the processing is objectively necessary for a purpose that is integral to the delivery of that contractual service to the data subject. (...) The controller should be able to demonstrate how the main subject matter of the specific contract concluded with the data subject could not actually be fulfilled without the processing of personal data. The relevant issue here is the relationship between the personal data and the processing operations on the one hand and the performance or non-performance of the service provided under the contract.

The above passage highlights the issue of the controller's ability to demonstrate that the processing in question is indeed necessary for the performance of the contract. The controller should prepare an adequate analysis and justification in this respect at the design stage of a given process, both for the accountability principle (see GDPR Article 5) and in the event that the lawfulness of the processing in question is audited or brought into question, for example by a supervisory authority.

Assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”. If there are realistic, less intrusive alternatives, the processing is not ‘necessary’. Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes.

A contract cannot artificially expand the categories of personal data or types of processing operation that the controller needs to carry out for the performance of the contract within the meaning of Article 6(1)(b).

The above passage emphasises that the necessity of the processing should be assessed from an objective perspective (and not solely from the perspective of the controller) and that third parties, including the supervisory authority, may challenge the controller's assessments in this regard.

Further guidance on the examination of the possibility of processing personal data based on the “necessity for the performance of a contract”

The 2/2019 Guideline indicates that, in a given case, a controller can base the processing of personal data on the premise of necessity for the performance of a contract by answering the following questions:

What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?

What is the exact rationale of the contract (i.e. its substance and fundamental object)?

What are the essential elements of the contract?

What are the mutual perspectives and expectations of the parties to the contract?

How is the service promoted or advertised to the data subject?

Would an ordinary user of a service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?

From a practical standpoint, the last question is particularly relevant. After all, if the average user or customer would not reasonably expect or anticipate that a certain processing of personal data would take place for the purpose of the performance of a contract they have entered into, it can be argued that such processing should not be carried out on the basis of GDPR Article 6(1)(b).

Importantly, Guideline 2/2019 further indicates that:

If, over the lifespan of a service, new technology is introduced that changes how personal data are processed, or the service otherwise evolves, the criteria above need to be assessed anew to determine if any new or altered processing operations can be based on Article 6(1)(b).

Specific situations of personal data processing in the context of contract performance

A common mistake made in practice is to indicate the basis for processing from GDPR Article 6(1)(b) with regard to the processing of personal data of persons who contact or represent the counterparty - legal entity - during the performance or signing of the contract. Meanwhile, the necessity for the purpose of performance of the contract cannot be the basis for the processing of personal data of persons other than the natural person who is a party to the contract. In other words, it cannot be the basis for the processing of data of, for example, persons who concluded the contract on behalf of the counterparty or who act on behalf of the counterparty in connection with the performance of the contract.

According to Guideline 2/2019:

Contractual warranty may be part of performing a contract, and thus storing certain data for a specified retention time after exchange of goods/services/payment has been finalised for the purpose of warranties may be necessary for the performance of a contract.

(...) Article 6(1)(b) would generally not be an appropriate and lawful basis for processing for the purposes of improving a service or developing new functions within an existing service.

As a general rule, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services. Further to this, Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract at issue.

(…) personalisation of content may (but does not always) constitute an intrinsic and expected element of certain online services, and therefore may be regarded as necessary for the performance of the contract with the service user in some cases. Whether such processing can be regarded as an intrinsic aspect of an online service, will depend on the nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalisation. Where personalisation of content is not objectively necessary for the purpose of the underlying contract, for example where personalised content delivery is intended to increase user engagement with a service but is not an integral part of using the service, data controllers should consider an alternative lawful basis where applicable.

When can processing be considered necessary to take action at the request of the data subject before entering into a contract?

In order for the processing of personal data to be based on the ground referred to in GDPR Article 6(1)(b), the following conditions must be cumulatively met in the case of pre-contractual processing of personal data:

  1. The data subject is involved in discussions/interactions with the controller in relation to the contemplated conclusion of a contract between the data subject and the controller. The initiative for the discussions/interactions in this regard should generally come from the data subject;
  2. The data subject requests action from the controller in relation to the envisaged conclusion of the contract referred to in point 1, e.g. the preparation of an offer or a draft contract for signature;
  3. The activities referred to in point 2 are related to the processing of personal data of the data subject by the controller;
  4. The processing referred to in point 3 is necessary for the activities referred to in point 2.

In terms of assessing the necessity of a given processing for the purpose of pre-contractual actions, firstly, only processing of personal data that serves the purpose of the controller performing an action in favour of the data subject which the data subject has requested will be necessary in this sense. Secondly, the link between such processing and the performance of the pre-contractual action must be such that, objectively assessed, it would be impossible for the controller to perform that action without such processing.

In addition, Guideline 2/2019 indicates that:

The second option of Article 6(1)(b) applies where processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. This provision reflects the fact that preliminary processing of personal data may be necessary before entering into a contract in order to facilitate the actual entering into that contract. In line with this, where a data subject contacts the controller to enquire about the details of the controller’s service offerings, the processing of the data subject’s personal data for the purpose of responding to the enquiry can be based on Article 6(1)(b) [for example, he or she sends a request for an offer via a contact form on the controller's website - authors' note].

In any case, this provision (i.e. GDPR Article 6(1)(b) – authors’ note) would not cover unsolicited marketing or other processing carried out solely on the initiative of the data controller, or at the request of a third party.

Necessity of the processing for the performance of a legal obligation as a basis for processing

The processing of personal data carried out by the controller which is necessary for the controller to comply with a legal obligation is also compliant with the GDPR.

The processing of personal data on the basis in question will therefore be lawful if and to the extent that the following conditions are cumulatively met:

  • There is an obligation imposed on the controller to perform a specific act/omission under EU or Member State law to which the controller is subject (this includes laws, international agreements published in the Journal of Laws, EU regulations and national regulations). The purpose of the processing must be clearly indicated.
  • In order for the controller to comply with the aforementioned legal obligation, it is necessary for the controller to process personal data.

When relying on this basis for data processing, it is important from the practical standpoint to consider the following issues:

  • It is advisable to verify whether a given legal obligation actually rests with the controller, in particular whether there are legal grounds to expect a specific act or omission from the controller and whether it is indeed a legal obligation within the meaning of the GDPR. For example, documents in the form of recommendations, guidelines, standards, or documents published by associations or chambers of commerce do not establish legal obligations within the meaning of the GDPR.
  • If the legislation contains more specific processing obligations, e.g. indicating what personal data and how to process it in order to comply with a given obligation, the controller should strictly comply with the content of the legislation when processing personal data.
  • If the regulations provide for the possibility of processing data of varying intrusiveness or intensity, leaving the choice to the controller, the controller should, to the extent possible, choose methods with a lower level of intrusiveness or intensity (provided that the purpose of the obligation is achieved).
  • If the legislation does not explicitly indicate which personal data and how to process it, imposing only a general obligation, it must be assessed whether and to what extent the processing of personal data is necessary for the fulfilment of such obligation. Only processing in a manner and to an extent without which it is objectively impossible to fulfil the obligation is necessary.
  • It is important to consider whether the legislation provides for the possibility of processing personal data (e.g. the power to use monitoring by the employer under the Labour Code) or mandates specific processing. This affects the possibility of relying on the basis for processing under GDPR Article 6(1)(c).

Necessity of the processing to protect the vital interests of the data subject or another natural person

The processing of personal data by a controller that is necessary to protect the vital interests of the data subject or another natural person also complies with the GDPR.

In general, the relevant processing ground will apply in exceptional circumstances. Recital 46 to the GDPR states that:

Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.

Moreover, as the doctrine rightly emphasises:

The determination of the necessity of data processing should be made on a case-by-case basis, taking into account the factual circumstances of the processing (see P. Fajgielski [in:] Commentary to Regulation No. 2016/679 on the protection of natural persons in relation to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd edition, Warsaw 2022, Article 6).

Processing of personal data on this basis is lawful if and to the extent that the following conditions are met:

  • The vital interests of the data subject or another natural person are at stake and must be protected;
  • The controller is able to protect the interests in question, but the processing of personal data by the controller is necessary to do so – “necessity” in this context should be understood as meaning that, from an objective point of view, the vital interests in question cannot be effectively protected without the processing of personal data.

What is meant by 'vital interests'?

The GDPR does not provide a definition of ‘vital interests’, which appear to be primarily at stake in situations where a person's life or, in a serious way, health is at risk. It is debatable whether the 'vital interests' referred to in GDPR Article 6 include interests of a pecuniary nature.

Some interpretative guidance has been provided in the doctrine:

As a general rule, the processing of personal data should be allowed in those cases where it can be reasonably assumed that the data subject would - if possible - have given his or her consent to the processing of the data. (P. Fajgielski [in:] Commentary to Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd edition, Warsaw 2022, Article 6).

Necessity of the processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

The processing of personal data by the controller, which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, also complies with the GDPR.

The processing of personal data on this basis is therefore lawful if and to the extent that the following cumulative conditions are met:

  • The controller performs tasks in the public interest or in the exercise of official authority vested in the controller and the performance of these tasks is governed by legal provisions (laws, international agreements published in the Journal of Laws, EU regulations, national regulations) which specify, inter alia, the purpose of the data processing by the controller;
  • The processing of personal data by the controller is necessary for the controller to carry out the above-mentioned tasks.

From a practical point of view, when relying on this ground for data processing, it is advisable to consider the following in each case:

  • It is advisable to consider whether the task in question is actually incumbent on the controller, in particular whether there are legal grounds for expecting the controller to perform a particular act or omission;
  • It should be considered whether the task in question is regulated by law; for example, documents in the form of recommendations, guidelines, standards, or documents published by associations or chambers of commerce do not normally constitute 'tasks' within the meaning of GDPR Article 6(1)(e);
  • If the legislation contains more specific processing obligations, e.g. specifying what personal data and how it must be processed in order to perform a given task, the controller should strictly comply with the content of the legislation when processing personal data;
  • Where the regulations provide for the possibility of processing data with different levels of intrusiveness or intensity, leaving the choice to the controller, the controller should, as far as possible, choose modalities with a lower level of intrusiveness or intensity (provided that the purpose of the obligation is achieved);
  • Where the legislation does not explicitly specify which personal data is to be processed and how, but only imposes a general obligation to perform the tasks, it should be assessed whether and to what extent the processing of personal data is necessary for the performance of that task, and only in a manner and to an extent without which it is objectively impossible to perform the task.

Necessity of the processing for the purposes of the legitimate interests of the controller or a third party

The processing of personal data is also in compliance with the GDPR if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

The processing of personal data on the basis in question will therefore be lawful if and to the extent that the following cumulative conditions are met:

  • The controller intends to carry out certain activities within the framework of legitimate interests pursued by the controller or by a third party;
  • Those activities involve the processing of personal data;
  • The processing of data in the course of the above activities is carried out to the extent necessary for the purposes of the processing within the framework of the above-mentioned legitimate interests;
  • The interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child, do not override the legitimate interests referred to above.

What do we mean by “activities within the framework of legitimate interests”?

‘Legitimate interests’ is not defined in the GDPR. However, GDPR recitals provide some interpretative guidance. Recital 47 states that:

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

With the above in mind, one can try to formulate the following general practical guidance as to whether certain activities can be considered 'legitimate interest activities':

  • They must be lawful activities;
  • At the same time, the controller must generally be authorised to carry out such activities (i.e. such activities can - even in theory - be carried out by the controller in accordance with the law);
  • At the same time, they must be activities that bring real, definable and describable benefits to the controller or a third party.

How do we understand “the necessity of the processing for the purposes of the processing under legitimate interests”?

As regards the assessment of the necessity of a particular processing operation for the purposes of pursuing a legitimate interest, in general only processing of personal data that, firstly, serves a legitimate interest of the controller will be necessary in this sense. Secondly, the link between such processing and the pursuit of the activity must be such that, objectively assessed, it would be impossible for the controller to pursue the legitimate interest without such processing.

The “balancing test” - a key tool for processing personal data under legitimate interests

According to the GDPR Recital 47:

At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.

It follows that any processing of personal data based on a legitimate interest should be preceded by a thorough assessment by the controller of at least whether, at the time and in the context in which the personal data are collected, the data subject has reasonable grounds to expect that processing may take place for that purpose. It is desirable that such an assessment (often referred to as the “balancing test”) should also be complemented, from the perspective of the principle of accountability, by an analysis justifying the controller's position that:

  • The specific processing of personal data is carried out for the legitimate interest of the controller or of a third party (including through an adequate description of that interest);
  • The interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular, where the data subject is a child) do not override the legitimate interests referred to above.

The GDPR does not specify how such an assessment should be carried out or any formal requirements in this regard - the controller is free to determine the manner, form and content of such an assessment. However, it is important that the assessment includes, at a minimum, an adequate justification in relation to the issues identified above. It is also recommended that the controller documents the conduct of such an assessment and archives it appropriately so that it is readily available in the event of an inspection by the authorities.

Specific situations of processing of personal data under legitimate interest

In practice, data controllers often choose to process personal data under legitimate interests for the purpose of pursuing, establishing or defending a claim within the limitation period. From a pragmatic point of view, this approach seems justified. However, it should be noted that supervisory authorities, including the Polish Office for the Protection of Personal Data (PUODO), sometimes argue that this type of processing is not justified unless it concerns a specific claim or only claims with a high risk of occurrence.

The GDPR Recital 47 states that:

The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller.

The GDPR Recital 47 further states that:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

However, it should be noted that not every direct marketing activity can be considered a legitimate interest activity. Moreover, sometimes the implementation of such activities will require additional steps on the part of the controller, such as obtaining the consent of the addressee to send commercial information by electronic means.

The GDPR Recital 48 states that:

Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

The transfer of personal data within a group of companies is a complex issue that raises a number of questions. In general, although the GDPR indicates that:

controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes,

it is advisable to analyse whether and to what extent companies can rely on a legitimate interest to transfer data and whether additional obligations under the GDPR need to be fulfilled in this respect.

In particular, consideration should be given to whether:

  • The data transfer will take place in a controller-controller or other relationship, e.g. controller-processor, which would require the conclusion of a data processing outsourcing agreement;
  • The data transfer would involve the transfer of personal data outside the European Economic Area, which would require a legal basis for such a transfer;
  • The data transfer would involve a special category of personal data - then GDPR Article 6(1)(f) could not be the basis for such data transfer.

The GDPR Recital 49 states that:

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Legitimate interest and the performance of the tasks of public authorities

This ground cannot apply to the processing of personal data by public authorities in the performance of their tasks. Public authorities in the performance of their tasks should rely on other grounds for processing, which will most often be:

  • The necessity of the processing in order to comply with a legal obligation; or
  • The necessity of the processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

However, in the opinion of PUODO, this does not mean that public authorities may not rely at all on the premise in question when processing data:

An analysis of this standard leads to the conclusion that the premise in question can also be applied by public authorities, but not in a situation where they are carrying out their tasks defined by law as statutory competences.