The European Data Protection Board has issued issued final guidelines on the “necessary for the performance of a contract” legal basis for processing data under the General Data Protection Regulation (GDPR).

To use this legal basis, you need to show:

  • The processing is carried out in the context of a valid contract with the individual.
  • The purpose for the processing in question is clearly specified and communicated to the relevant individual, in line with the company’s purpose limitation and transparency obligations (even if not in the body of the contract).
  • The processing needs to be objectively necessary to achieve this particular purpose.
  • There are no realistic, less intrusive processing alternatives.

For details on the guidelines, see my extended analysis.