The European Data Protection Board (EDPB) has issued draft guidelines on the GDPR legal basis of “necessary for the performance of a contract”.
Key takeaways:
- You must specify the purpose of the processing and avoid vague or general purposes.
- Necessary for the performance of a contract is not a legal basis for “special categories of data”.
- Necessity covers only situations where the processing is objectively necessary for the performance of a purpose that is integral to the delivery of the service.
- Necessary for a contract generally applies to:
  - processing of payment details for the purpose of charging for the service
  - sending formal reminders about outstanding payments
  - bringing a contract back in conformity after smaller incidents and issues
- Applies in some cases to personalization of content
- Generally doesn’t apply to:
  - unsolicited marketing
  - collection of organizational metrics relating to a service, or details of user engagement
  - processing for the purposes of improving a service or developing new functions within an existing service
  - processing for fraud prevention purposes
  - behavioral advertising
Read the full text of the draft guidelines.