
The European Data Protection Board (EDPB) has issued draft guidelines on the GDPR legal basis of “necessary for the performance of a contract”.
Key takeaways:
- You must specify the purpose of the processing and avoid vague or general purposes
- Necessary for the performance of a contract is not a legal basis for “special categories of data”.
- Necessity covers only situations where the processing is objectively necessary for the performance of a purpose that is integral to the delivery of the service.
- Necessary for a contract generally applies to:
  - processing of payment details for the purpose of charging for the service
  - sending formal reminders about outstanding payments
  - bringing a contract back in conformity after smaller incidents and issues
- Applies in some cases to personalization of content
- Generally doesn’t apply to:
  - unsolicited marketing
  - collection of organizational metrics relating to a service, or details of user engagement
  - processing for the purposes of improving a service or developing new functions within an existing service
  - processing for fraud prevention purposes
  - behavioral advertising