Data : a contract cannot justify everything!

Anne Cousin – May 28, 2019


According to Article 6 of the GDPR, one of the legal bases of a data processing, i.e. what makes it lawful, may be the performance of a contract to which the person whose data are processed is a party.

However, data controllers are very often tempted to extend this legal basis as much as possible and to attach to it “pre or peri-contractual” data processing operations which have difficulties in entering one of the other five legal basis also provided by Article 6.

The European Data Protection Board has clearly rejected such an approach in its guidelines published on 9 April.

It for instance considers that the data collected for the purpose of improving the provision of the services by the data controller are not likely to be justified by the requirements of the performance of the contract because the service can be provided or the goods delivered independently of any such processing. It is therefore another basis (the legitimate interest pursued by the controller) that can provide a legal basis for the collection of such information.

Fraud prevention provides another good example of the impossibility of extending the performance of the contract as the legal basis for data processing. This is also the case for behavioural advertising, to which consumers also have the right to object.

In conclusion, the contract must under no circumstances serve as a convenient pretext for data processing that would struggle to find its own legal basis.

What any data controller must bear in mind is that in order to be linked to the execution of a contract, the data processing must be necessary for this execution.

This demonstration – as well as that of the validity of the contract – is the responsibility of the controller. However, the necessity of the processing will be strictly understood and will not be taken into account, for example, if the performance of the contract is only facilitated.

Just like the “legitimate interest” of the controller, a basis too often called upon to justify data processing, the parties’ contract has a relatively limited supporting role. Be aware therefore, about the multiple implications of such limits.