Performance of a Contract with Data Subjects as Legal Basis
Article 6(1)(b) of the GDPR
Information about Performance of a contract with data subjects as legal basis
Performance of a contract with data subjects is one of the six legal bases of the GDPR
Companies have the right to process personal data when necessary for the performance of a contract with data subjects. Article 6(1)(b) of the GDPR states this legal basis. Processing of the data subject’s personal data may also take place if it is necessary for the company to enter into the contract. However, the company may not process more personal data than is necessary for the performance of the contract.
Requirements for the use of Performance of a Contract with Data Subjects as Legal Basis
Companies must remember the following when considering using performance of a contract with data subjects as legal basis. The data subject must be a party to the contract concluded with the company.
If the company concludes that this legal basis may be used for the processing, the company must provide the data subject with specific information, as stated in Article 13 and/or Article 14 of the GDPR. These articles state that the company must inform the data subject about what categories of personal data the company processes, the purpose of the processing, and when the company will delete the personal data. In addition, information about the rights of data subjects under the GDPR must be provided.
Processing personal data on the legal basis of performance of a contract with data subjects
The following are some examples of when it may be appropriate for a company to carry out a processing based on performance of a contract with data subjects as legal basis:
● E-commerce can process personal data on the performance of a contract with data subjects
Companies that conduct e-commerce and sell clothes need to process the customer’s personal data, such as name and delivery address. The company carries out this processing to fulfill the delivery. Thus, the company fulfills its obligations under the purchase agreement with the data subject.
● Employers enter into employment agreements with their employees
Employers should not process the personal data of their employees on the basis of consent as a legal basis. This is because there is an unequal power relationship between them. Instead, the legal basis of performance of a contract with data subjects is usually more appropriate to use. The contract is in this example the employment contract. For example, an employer must pay wages to employees for their performed work. This can be done on the basis of performance of a contract with data subjects as legal basis, since the payment of wages is part of the employer’s obligations under the employment contract.
● Creditors can process personal data before a contract is entered into with the data subject
Before a creditor gives a person the possibility of credit, the company has the right to process the individual’s personal data in order to see if he or she has sufficient creditworthiness. However, this must be done at the request of the data subject. This means that the company processes personal data before entering into a contract with a data subject. The company may, as mentioned above, be allowed to do this pursuant to Article 6(1)(b) of the GDPR.
Do not process more personal data than necessary for the purpose
Please note that a company may wish to process more personal data than is necessary for the performance of the contract, for example if an e-commerce platform wants to analyze the buying behavior of its customers in order to adapt its offering accordingly. In such cases, the company may not use the legal basis of contracts with data subjects for that purpose. Instead, consent may be the appropriate legal basis for this. The reason is that the analysis of purchasing behavior is not necessary to fulfill the purchase contract.
Delete the personal data when it is no longer necessary
Companies shall delete personal data when it is no longer necessary for the purpose for which it was collected. However, this does not mean that the company must delete the personal data immediately after they have delivered their product or service to the customer.
For example, if the company has certain obligations due to the customer’s right of complaint, offers a guarantee to the customer or similar, the company may need to save the personal data linked to the purchase as long as this applies. The purpose of this is to enable the company to know whether a person is entitled to what is requested, for example in cases of complaints or invoking a guarantee.
The Data Subject’s Right to Data Portability
Data subjects may have the right to data portability. This applies if the controller processes the personal data on performance of a contract with data subjects as legal basis. This means that the data subject has the right to have their personal data transferred to another controller, for example from one social media platform to another. However, this only applies if it is technically possible for the company to carry out such a transfer.
A practical example of when this may occur is if an individual wants to change their electricity supplier, for instance because they have found a better alternative. In this case, the customer can request the current supplier to transfer the personal data directly to the new supplier, if this is technically possible. However, the customer always has the right to get their personal data from the current provider in a format that is machine-readable and widely used.
More information about the legal and lawful bases of the GDPR
Exercise of official authority and performance of tasks in the public interest is another legal basis
The legal basis of exercise of official authority and tasks in the public interest is mostly used by government authorities. However, some companies can use it as well.
Exercise of official authority: This is when the state gives an entity a mandate to decide over citizens, for example private schools and prisons. It must be based on national or EU law.
Tasks of public interest: In order to process personal data for a public interest, it must be based on a law or regulation.