GDPR Learning Hub

Processing of personal data by companies providing online services

Here you can read information about the processing of personal data carried out by companies operating online services. 

Definition of online services

“Online services” are formally referred to as “Information Society services” in EU law and in the national law of several Member States. The term is defined in Article 1(1)(b) of Directive (EU) 2015/1535, often referred to as the “Notification Directive”.

An online service is a service provided by a company at a distance, meaning that the provider and the recipient are not simultaneously present at the same place. It is normally provided for remuneration: the provider obtains an economic advantage, for example through advertising revenue, payment from users for use of the service, or the collection of data that has economic value. The service must also be provided by electronic means, for example over the internet or another electronic transmission channel. Finally, an online service is provided at the individual request of the recipient, which excludes one-to-many distribution such as television or radio broadcasting.

Examples of online services are the following:

  • Social media 
  • E-commerce platforms 
  • Search engines 

Processing of personal data by companies providing online services

Companies that provide online services almost always process personal data, so it is important to know the rules in order to comply with them. The service provider must also adapt the online service itself to the GDPR by implementing data protection by design and by default (Article 25 GDPR), for example by giving the user a setting through which a given consent can be withdrawn as easily as it was given.

Purpose of the processing of personal data

Companies subject to the GDPR must have a specified, explicit and legitimate purpose for each of their processing operations. The provider of an online service should therefore analyse what the purpose of each processing operation is, and which personal data are actually necessary to achieve it. This follows from the principle of purpose limitation in Article 5(1)(b) GDPR and the principle of data minimisation in Article 5(1)(c) GDPR, which together form a fundamental basis of the Regulation.

Transparency towards data subjects in relation to the processing

Companies must always be transparent with the data subjects when processing their personal data. This also applies to online service providers. 

For example, many mobile applications process certain personal data so that the user can register an account and use the service. In such cases the legal basis is often the contract with the data subject pursuant to Article 6(1)(b) GDPR. Information about the legal basis, the purposes and the other matters listed in Article 13 GDPR must be set out in a privacy notice that is made available to the user at the time the data are collected, for example during registration.

Processing of personal data for other purposes

It is common for a company to want to use personal data collected in connection with the conclusion of a contract to carry out behavioural marketing. That processing cannot be based on the contract with the data subject, because it is not necessary for the conclusion or performance of the contract. Instead, the company may rely on consent pursuant to Article 6(1)(a) GDPR or on legitimate interests pursuant to Article 6(1)(f) GDPR as the legal basis for the processing.

Stricter rules when the data subjects are children

Many online services, social media for example, are aimed at children or have many children among their users. It is permitted to obtain consent from a child for the processing of personal data under the GDPR, but the rules are stricter. Where an online service is offered directly to a child and consent is the legal basis, Article 8 GDPR sets the age for a valid consent from the child at 16 years; below that age, consent must be given or authorised by the holder of parental responsibility over the child, and the provider must make reasonable efforts to verify that this is the case. Member States may lower the age limit in national law, but not below 13 years.

Penalty for a company that informed children about the processing of personal data in English

A company operating a mobile application with many children among its users was fined by the Dutch Data Protection Authority for breaches of the GDPR. Among other things, the company had informed the data subjects about the processing of their personal data in English, even though they were children. The company should have provided the information in Dutch, the national language of the Netherlands. When the data subjects are children, the company must ensure that the information about the processing is given in a form the children can actually understand, as required by Article 12(1) GDPR.

Legal bases businesses operating online services can use

Contract with data subject pursuant to Article 6(1)(b) of the GDPR

This legal basis means that a company has the right to process the personal data of the data subject that are necessary for the conclusion and performance of the contract. For example, the provider of an e-commerce platform needs to process the customer's name and address in order to deliver the goods that the customer has ordered.

Process personal data to:

Developing a service

It is common to process personal data in order to develop a service, such as a social media platform or a marketplace. In most cases, however, such processing is not necessary for the performance of the contract entered into with the user, and the contract with the data subject is therefore not an appropriate legal basis. Consent or legitimate interest is usually the better choice in such cases.

Prevention of crime

Many companies work to prevent crime, such as fraud, and many are also legally obliged to do so. The legal bases on which companies usually rely for such processing are legal obligation (Article 6(1)(c) GDPR) and legitimate interest (Article 6(1)(f) GDPR).

Behavioral advertising

Many online services are free of charge for the user and are instead funded through advertising revenue, including behavioural advertising. In such cases, the processing of users' personal data for marketing purposes is usually based on consent or legitimate interest. The EDPB has issued an opinion on ‘consent or pay’ models, in which the user is asked to either consent to behavioural advertising or pay for the service.

It is important to bear in mind that before relying on legitimate interest, the company must carry out a balancing of its interests against the interests, rights and freedoms of the data subjects, and must document the outcome of that assessment.

Acceptance of contractual terms and giving consent to a certain processing of personal data are not the same thing

When a company operates an online service, it needs general terms and conditions that govern, among other things, the respective rights and obligations of the company and the user. In order to use the online service, the user must accept the current general terms and conditions, and when the user does so a contractual relationship arises between the user and the company. The legal basis for the company's processing of the user's personal data in order to conclude and perform that contract is therefore the contract with the data subject.

However, the company may only process the personal data that are necessary for the conclusion and performance of the contract. It must not process those data for other, incompatible purposes such as behavioural marketing. For such purposes the company needs a different legal basis, for example consent or legitimate interest.

Please note that the use of the online service must not be made conditional on the user consenting to processing that is not necessary for providing the service (Article 7(4) GDPR). Consent obtained in that way is not freely given, because refusing it has a negative consequence for the data subject, and it is therefore not valid.

Learn more about GDPR

Cookies on websites

It is common for websites to store cookies on the visitor's device in order to, for example, carry out targeted marketing or analyse how the website is used. Cookies may involve personal data covered by the GDPR, such as IP addresses or persistent identifiers, and in such cases the company must comply with the GDPR. There is a difference between essential cookies and non-essential cookies. Essential cookies are those strictly necessary to provide a service the user has explicitly requested, such as a session cookie that keeps a user logged in, and they may be used without consent. Non-essential cookies, such as analytics and advertising cookies, require the user's prior consent. This consent requirement comes from Article 5(3) of the ePrivacy Directive (2002/58/EC), as implemented in national law, and applies even if the cookie contains no personal data; where personal data are involved, the consent must also satisfy the GDPR's conditions for valid consent, so it must be freely given, specific, informed and unambiguous, and must be as easy to withdraw as to give.
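The following consent gate is an added example and is not code from the original page or from any particular consent tool. It shows how a site can enforce the distinction described above in code rather than in a banner alone: every cookie the site sets is registered with a purpose, essential cookies are always written, non-essential cookies are written only after consent to their purpose has been recorded, and withdrawing consent deletes the cookies already set under it. The cookie names, purposes and the in-memory cookie jar are constructed for illustration; in a browser the same `ConsentManager` would be backed by `document.cookie`.

```javascript
// Added example (not from the original page): consent-gated cookie handling.
// Cookie names and purposes are constructed for illustration.

// Registry of every cookie the site may set. "essential" means strictly
// necessary for the service the user requested; every other purpose needs
// prior consent. Unregistered cookies are refused, so new tracking cannot be
// introduced without being classified first.
const COOKIE_REGISTRY = {
  session_id: { purpose: "essential" },
  csrf_token: { purpose: "essential" },
  _ga:        { purpose: "analytics" },
  ad_profile: { purpose: "advertising" },
};

// Minimal in-memory cookie store so the example runs outside a browser.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.get(name); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar, registry) {
    this.jar = jar;
    this.registry = registry;
    this.granted = new Set(); // purposes the user actively consented to; empty by default (no pre-ticked boxes)
    this.log = [];            // record of decisions, kept so the company can demonstrate consent later
  }

  purposeOf(name) {
    const entry = this.registry[name];
    if (!entry) throw new Error(`cookie "${name}" is not registered; refusing to set it`);
    return entry.purpose;
  }

  isAllowed(name) {
    const purpose = this.purposeOf(name);
    return purpose === "essential" || this.granted.has(purpose);
  }

  // Returns true if the cookie was written, false if it was blocked for lack of consent.
  setCookie(name, value) {
    if (!this.isAllowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }

  grant(purpose, at = new Date()) {
    if (purpose === "essential") throw new Error("essential cookies are not based on consent");
    this.granted.add(purpose);
    this.log.push({ purpose, action: "granted", at: at.toISOString() });
  }

  // Withdrawal is one call, the same effort as granting, and removes the
  // cookies already set under the purpose rather than leaving them in place.
  withdraw(purpose, at = new Date()) {
    if (purpose === "essential") throw new Error("essential cookies cannot be withdrawn");
    this.granted.delete(purpose);
    for (const name of this.jar.names()) {
      const entry = this.registry[name];
      if (entry && entry.purpose === purpose) this.jar.remove(name);
    }
    this.log.push({ purpose, action: "withdrawn", at: at.toISOString() });
  }

  consentRecord() { return this.log.slice(); }
}

// Walk through a visit: essential cookie flows, analytics is blocked until
// consent is given, and withdrawal removes what was set under it.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar, COOKIE_REGISTRY);
  const beforeConsent = cm.setCookie("_ga", "GA1.2.123");   // blocked
  cm.setCookie("session_id", "s3ss10n");                     // allowed, essential
  cm.grant("analytics");
  const afterConsent = cm.setCookie("_ga", "GA1.2.123");    // allowed
  cm.withdraw("analytics");
  return {
    beforeConsent,
    afterConsent,
    gaAfterWithdraw: jar.get("_ga"),            // undefined: deleted on withdrawal
    sessionKept: jar.get("session_id"),         // essential cookie untouched
    decisions: cm.consentRecord().map((e) => e.action),
  };
}
```

The registry is the part worth copying: making the purpose classification a single source of truth that the cookie-setting path consults turns "we only set analytics cookies after consent" from a policy statement into a check that fails closed when someone adds an unclassified cookie.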
