The European Data Protection Board (EDPB) has issued draft guidelines on the GDPR legal basis of “necessary for the performance of a contract”.

Key takeaways:

  • You must specify the purpose of the processing and avoid vague or general purposes.
  • Necessary for the performance of a contract is not a legal basis for “special categories of data”.
  • Necessity covers only situations where the processing is objectively necessary for the performance of a purpose that is integral to the delivery of the service.
  • Necessary for a contract generally applies to:
    • processing of payment details for the purpose of charging for the service
    • sending formal reminders about outstanding payments
    • bringing a contract back in conformity after smaller incidents and issues
  • It applies in some cases to personalization of content.
  • Generally doesn’t apply to:
    • unsolicited marketing
    • collection of organizational metrics relating to a service, or details of user engagement
    • processing for the purposes of improving a service or developing new functions within an existing service
    • processing for fraud prevention purposes
    • behavioral advertising

Read the full text of the draft guidelines.