France: CNIL guidance on contracts as legal basis under the GDPR
The French data protection authority ('CNIL') issued, on 21 February 2020, guidance ('the Guidance') on the conditions and requirements for relying on the performance of a contract between the data controller and the data subject as a legal basis for processing under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This Insight provides an analysis of the Guidance, outlining when controllers can rely on contracts to process personal data.
Who can use contracts as a legal basis for processing personal data?
The Guidance outlines that the performance of a contract constitutes one of the six legal bases for the processing of personal data under the GDPR. In particular, the use of contracts as a legal basis concerns, primarily, processing activities of private organisations in the context of a contractual relationship with the individuals whose data is processed. Contracts can also be used as a legal basis for the processing activities of public bodies, as long as there is an existing contractual or pre-contractual relationship with the data subject and no other legal basis would be more appropriate.
Under what conditions can organisations rely on contracts as a legal basis for processing?
According to the Guidance, the performance of a contract can be relied upon under the three following conditions:
- a contractual or pre-contractual relationship exists between the concerned organisation and individual;
- the contract is valid under the applicable law; and
- the processing is necessary for the performance of the contract.
Existing contractual or pre-contractual relationship
Firstly, the Guidance outlines that the data subjects and the organisations processing the personal data must have an existing contractual relationship in order to rely on this legal basis. However, the legal basis also applies to processing necessary for the execution of pre-contractual measures requested by the data subject. Therefore, this legal basis can be relied upon when the data processing is necessary for executing measures that must be taken prior to the signing and/or conclusion of a contract, even if no contract is ultimately concluded, provided that such measures are taken in response to the wishes of the data subject.
The Guidance provides practical examples for this condition. For instance, an individual can provide their postcode to an organisation in order to determine whether the latter delivers to their area. In such a case, the data controller can rely upon the performance of a contract as a legal basis for the processing of this personal data, despite the fact that a contract between the data controller and the individual has not yet been concluded.
However, the Guidance notes that data controllers seeking to process data for the purposes of locating prospective clients, without any impetus from the relevant data subjects, cannot rely upon the performance of a contract as a legal basis. This is because the processing would occur following only the initiative of the data controller, and not following a request by the data subject. Such processing activities for the purposes of commercial prospecting must, according to the Guidance, rely upon the legitimate interest of the data controller or the consent of the data subject.
Similarly, if organisations, for example in the banking sector, have legal obligations to perform identity verification before a contract can be concluded, the processing of personal data necessary for that verification cannot rely upon the contract as a legal basis. This is because the processing has not been requested by the data subjects. However, such processing could rely upon the legal obligations of the data controller.
Valid contract under the applicable law
Secondly, the Guidance outlines that a contract concluded, or to be concluded, between the data controller and the data subject must be legal under French law.
In particular, the contract must comply with contract law and, where possible, respect the specific provisions of certain contracts. Such contracts might include contracts concluded with customers or contracts for providing content or digital services.
The 'necessity' condition
Thirdly, the Guidance states that the processing must be objectively necessary for the performance of the contract. This means that the processing must allow the organisation to perform a specific contract with an individual, which might represent the provision of a service or product.
Furthermore, the purposes of processing must not fulfil other objectives, such as the exclusive interests of the data controller.
Moreover, organisations must ensure that there is no less intrusive alternative method available for the performance of the contract; in other words, the provision of the product or service could not occur without the relevant processing activity.
The Guidance provides practical examples of the necessity condition. For instance, where an individual makes a purchase online for home delivery and wants to pay by card, the online vendor will need to process personal data such as the client's payment data and home address. Such processing occurs exclusively in the context of the performance of a contract with the data subject, and the personal data being processed is limited to what is necessary for those purposes. Therefore, the organisation will be able to rely on the contract as a legal basis for the processing of personal data.
The Guidance highlights that the 'necessity' of a processing activity is evaluated through the following criteria:
- the objective of the contract; and
- the mutual expectations of the parties regarding this objective - organisations must ensure that both parties share a similar understanding.
However, the necessity of a processing activity cannot be determined by the content of the contract, which means that the necessity condition cannot be evaluated in light of what is allowed or written in the contract proposed by the data controller.
What happens at the end of a contract?
Finally, the Guidance addresses what organisations can do after a contract has come to an end. In principle, contracts are to be used as a legal basis for processing which occurs before or during the performance of a contract. However, processing activities which are inextricably linked to the performance of a contract may occur after the provision of a service or product, where they are still necessary for the contractual relationship. Such processing activities can rely on contracts as a legal basis. However, the processing of personal data to this end will no longer be necessary once the service or product has been provided, and the data controller must then delete any such personal data under the conditions prescribed by Article 17 of the GDPR.
Amelia Williams, Privacy Analyst