Basis for Use
Annex 2. Practical examples on balancing test
This Annex provides examples with regard to some of the most common contexts in which
the issue of legitimate interest in the meaning of Article 7(f) may arise. In most cases, we
grouped together two or more related examples that are worth comparing under a single
heading. Many of the examples are based on actual cases, or elements of actual cases handled
by data protection authorities in the different Member States. However, we have sometimes
changed the facts to some degree to help better illustrate how to carry out the balancing test.
The examples are included in order to illustrate the thinking process – the method to be used
to carry out the multi-factor balancing test. In other words, the examples are not meant to
provide a conclusive assessment of the cases described. Indeed, in many cases, by changing
the facts of the case in some way (for example, if the controller were to adopt additional
safeguards such as more complete anonymisation, better security measures, and more
transparency and more genuine choice for the data subjects), the outcome of the balancing test
could change.116
This should encourage controllers to better comply with all horizontal provisions of the
Directive and offer additional protection where relevant based on privacy and data protection
by design. The greater care controllers take to protect personal data overall, the more likely it
is that they will satisfy the balancing test.
Exercise of the right to freedom of expression or information117, including in the media and the arts
Example 1: NGO republishes expenses of Members of Parliament
A public authority publishes – under a legal obligation (Article 7(c)) – expenses of members of
parliament; a transparency NGO, in turn, analyses and re-publishes data in an accurate,
proportionate, but more informative annotated version, contributing to further transparency
and accountability.
Assuming the NGO carries out the re-publication and annotation in an accurate and
proportionate manner, adopts appropriate safeguards, and more broadly, respects the rights of
the individuals concerned, it should be able to rely on Article 7(f) as a legal ground for the
processing. Factors such as the nature of the legitimate interest (a fundamental right to
freedom of expression or information), the interest of the public in transparency and
accountability, and the fact that the data have already been published and concern (relatively
less sensitive) personal data related to the activities of the individuals relevant to the exercise
of their public functions118, all weigh in favour of the legitimacy of the processing. The fact
that the initial publication was required by law, and that individuals should thus expect
their data to be published, also contributes to the favourable assessment. On the other side
of the balance, the impact on the individual may be significant: for example, because of public
scrutiny, the personal integrity of some individuals may be questioned, and this may lead, for
instance, to loss of elections, or in some cases to a criminal investigation for fraudulent
activities. Taken together, however, the factors above show that on balance the
controller’s interests (and the interests of the public to whom the data are disclosed) override
the interests of the data subjects.
116 Applying Article 7(f) correctly may raise complex issues of assessment, and to help guide the assessment,
specific legislation, case law, jurisprudence, guidelines, as well as codes of conduct and other formal or less
formal standards may all play an important role.
117 On freedom of expression or information, see page 34 of the Opinion. Any relevant derogations under
national law for processing for journalistic purposes under Article 9 of the Directive must also be taken into
account when assessing these examples.
Example 2: Local councillor appoints his daughter as special assistant
A journalist publishes a factually accurate, well-researched article in a local online newspaper
about a local councillor revealing that he has only attended one of the last eleven council
meetings and he is unlikely to be re-elected because of a recent scandal involving the
appointment of his seventeen-year-old daughter as a special assistant.
A similar analysis to that in Example 1 also applies here. On the facts, it is in the legitimate
interests of the newspaper in question to publish the information. Even though personal data
has been revealed about the councillor, the fundamental right to freedom of expression and to
publish the story in the newspaper is not overridden by the right to privacy of the councillor.
This is because the privacy rights of public figures are relatively limited in respect of their
public activities and because of the special importance of freedom of expression – especially
where publication of a story is in the public interest.
Example 3: Top search results continue to show minor criminal offence
The on-line archive of a newspaper contains an old article concerning an individual, once a
local celebrity, captain of a small town amateur football team. The individual is identified
with his full name, and the story relates to his involvement in a relatively minor criminal
proceeding (drunk and disorderly behaviour). The criminal records of the individual are now
clean and no longer show the past offence for which he served his sentence several years ago.
What is most disturbing for the individual is that by searching his name with common search
engines online, the link to this old piece of news is among the first results concerning him.
Notwithstanding his request, the newspaper refuses to adopt technical measures that would
restrict the broader availability of the piece of news related to the data subject. For example,
the paper refuses to adopt technical and organisational measures that would aim – to the extent
technology allows – at limiting access to the information from external search engines using the
individual’s name as a search term.
This is another case to illustrate the possible conflict between freedom of expression and
privacy. It also shows that in some cases additional safeguards – such as ensuring that, at least
in case of a justified objection under Article 14(a) of the Directive, the relevant part of the
newspaper archives will no longer be accessible by external search engines or the format used
to display the information will not allow search by name – may play a key role in striking an
appropriate balance between the two fundamental rights concerned. This is without prejudice
to any other measures that might be taken by search engines or other third parties.119
118 It cannot be excluded that some expenses may reveal more sensitive data, such as health data. If this is the
case, these should be edited out of the dataset before it is published in the first place. It is good practice to take a
‘proactive approach’ and give individuals an opportunity to review their data before their publication and to
clearly inform them about the possibilities and modalities of publication.
Conventional direct marketing and other forms of marketing or advertisement
Example 4: Computer store advertises similar products to clients
A computer store obtains from its customers their contact details in the context of the sale of a
product, and uses these contact details for marketing by regular mail of its own similar
products. The shop also sells products on-line and sends out promotional emails when a new
product line comes into stock. Customers are clearly informed about their opportunity to
object, free of charge and in an easy manner when their contact details are collected, and each
time a message is sent, in case the customer did not object initially.
The transparency of the processing, the fact that the customer can reasonably expect to
receive offers for similar products as a client of the shop, and the fact that he/she has the right
to object help strengthen the legitimacy of the processing and safeguard individuals’ rights.
On the other side of the balance, there appears to be no disproportionate impact on the
individual’s right to privacy (in this example we assumed that the computer shop creates no
complex profiles of its consumers, for example using detailed analysis of clickstream
data).
Example 5: On-line pharmacy performs extensive profiling
An online pharmacy carries out marketing based on the medicines and other products
customers have purchased, including products obtained by prescription. It analyses this
information – combined with demographic information about customers – for example, their
age and gender – to build up a ‘health and wellbeing’ profile of individual customers. Clickstream
data is also used, which is collected not only about the products the customers
purchased but also about other products and information they were browsing on the website.
The customer profiles include information or predictions suggesting that a particular customer
is pregnant, suffering from a particular chronic illness, or would be interested in purchasing
dietary supplements, suntan lotion or other skin-care products at certain times of the year. The
online pharmacy’s analysts use this information to offer non-prescription medicines, health
supplements and other products to particular individuals by email.
In this case the pharmacy cannot rely on its legitimate interests when creating and using its
customer profiles for marketing. There are several problems posed by the profiling described. The information is
particularly sensitive and can reveal a great deal about matters that many individuals would
expect to remain private.120 The extent and manner of profiling (use of click-stream data,
predictive algorithms) also suggest a high level of intrusiveness. Consent based on Article
7(a) and Article 8(2)(a) (where sensitive data are involved) could, however, be considered as
an alternative where appropriate.
119 See also Case C-131/12 Google Spain v Agencia Española de Proteccion de Datos, currently before the Court
of Justice of the European Union.
120 Beyond any restrictions posed by data protection laws, advertisement of prescription products is also strictly
regulated in the EU, and there are also some restrictions regarding advertisement on non-prescription drugs.
Further, the requirements of Article 8 on special categories of data (such as health data) must also be considered.
Unsolicited non-commercial messages, including for political campaigns or charitable
fundraising
Example 6: Candidate in local election makes targeted use of electoral register
A candidate in a local election uses the electoral register121 to send an introduction letter
promoting her campaign for the upcoming elections to each potential voter in her election
district. The candidate uses the data obtained from the electoral register only to send the letter
and does not retain the data once the campaign has ended.
Such use of the local register is within the reasonable expectations of individuals when it takes
place in the pre-election period: the interest of the controller is clear and legitimate. The
limited and focused use of the information also contributes to tipping the balance in favour of the
legitimate interest of the controller. Such use of electoral registers may also be regulated by
law at national level, from a public interest perspective, providing for specific rules, limitations
and safeguards with regard to the use of the electoral register. If this is the case, compliance
with these specific rules is also required to ensure the legitimacy of the processing.
Example 7: Non-profit-seeking body collects information for targeting purposes
A philosophical organisation dedicated to human and social development decides to organise
fundraising activities based on the profile of its members. To this end, it collects data on
social networking sites by means of ad-hoc software targeting individuals who ‘liked’ the
organisation’s page, ‘liked’ or ‘shared’ the messages the organisation posted on its page,
regularly viewed certain items or re-tweeted the organisation’s messages. It then sends
messages and newsletters to its members according to their profiles. For example, elderly dog
owners who ‘liked’ articles on animal shelters receive different fundraising appeals from
families with small children; people from different ethnic groups also receive different
messages.
The fact that special categories of data are processed (philosophical beliefs) requires
compliance with Article 8, a condition which seems to be met as the processing takes place in
the course of the legitimate activities of the organisation. However, this is not a sufficient
condition in this case: the way data are being used exceeds the reasonable expectations of
individuals. The amount of data collected, the lack of transparency about the collection and
the reuse of data initially published for one purpose for a different purpose contribute to the
conclusion that Article 7(f) cannot be relied on in this case. The processing should therefore
not be allowed except if another ground can be used, for instance the consent of individuals
under Article 7(a).
121 It is assumed that in the Member State where the example applies an electoral register is established by law.
Enforcement of legal claims, including debt collection via out-of-court procedures
Example 8: Dispute on quality of renovation work
A customer disputes the quality of kitchen renovation work and refuses to pay the full price.
The building company transfers the relevant and proportionate data to its lawyer so that the
lawyer can remind the customer of the payment due and negotiate a settlement with the customer if he
continues to refuse to pay.
In this case, the preliminary steps taken by the building company using basic information of
the data subject (e.g. name, address, contract reference) to send a reminder to the data subject
(directly or via its lawyer as in this case) may still fall within the processing necessary for the
performance of the contract (Article 7(b)). Further steps taken,122 including the involvement
of a debt collection agency, should however be assessed under Article 7(f) considering,
among others, their intrusiveness and impact on the data subject as will be shown in the
following example.
Example 9: Customer disappears with car purchased on credit
A customer fails to pay for the instalments that are due on an expensive sports car purchased
on credit, and then ‘disappears’. The car dealer contracts a third-party ‘collection agent’. The
collection agent carries out an intrusive ‘law-enforcement style’ investigation, using, among
others, practices such as covert video-surveillance and wire-tapping.
Although the interests of the car dealer and the collection agent are legitimate, the balance
does not tip in their favour because of the intrusive methods used to collect information, some
of which are explicitly prohibited by law (wire-tapping). The conclusion would be different if,
for instance, the car dealer or the collection agent only carried out limited checks to confirm
the contact details of the data subject in order to start a court procedure.
Prevention of fraud, misuse of services, or money laundering
Example 10: Verification of clients’ data before opening of a bank account
A financial institution follows reasonable and proportionate procedures – as per the non-binding
guidelines of the competent government financial supervisory authority – to verify the identity of
any person seeking to open an account. It maintains records of the information used to verify
the person’s identity.
The interest of the controller is legitimate, and the processing involves only limited and
necessary information (standard practice in the industry, reasonably to be expected by data
subjects, and recommended by competent authorities). Appropriate safeguards are in place to
limit any disproportionate and undue impact on the data subjects. The controller can therefore
rely on Article 7(f). Alternatively, and to the extent that the actions taken are specifically
required by applicable law, Article 7(c) could apply.
122 There is currently, among the different Member States, a degree of variance as to which measures may be
considered necessary for the performance of a contract.
Example 11: Exchange of information to fight money laundering
A financial institution – after obtaining advice of the competent data protection authority –
implements procedures based on specific and limited criteria to exchange data regarding
suspected abuse of anti-money laundering rules with other companies within the same group,
with strict limitation on access, security, and prohibition of any further use for other purposes.
For reasons similar to those explained above, and depending on the facts of the case, the
processing of data could be based on Article 7(f). Alternatively, and to the extent that the
actions taken are specifically required by applicable law, Article 7(c) could apply.
Example 12: Black list of aggressive drug-addicts
A group of hospitals creates a joint black list of ‘aggressive’ individuals in search of drugs,
with the aim of denying them access to all medical premises of the participating hospitals.
Even if the interest of the controllers in maintaining safe and secure premises is legitimate, it
has to be balanced against the fundamental right of privacy and other compelling concerns
such as the need not to exclude the individuals concerned from access to health treatment. The
fact that sensitive data are processed (e.g. health data related to drug addiction) also supports
the conclusion that in this case the processing is unlikely to be acceptable under Article
7(f).123 The processing might be acceptable if it were to be for instance regulated in a law
providing for specific safeguards (checks and controls, transparency, prevention of automated
decisions) ensuring that it would not result in discrimination or violation of fundamental
rights of individuals124. In this latter case, depending on whether this specific law requires or
only permits the processing, either Article 7(c) or Article 7(f) may be relied on as a legal
ground.
Employee monitoring for safety or management purposes
Example 13: Working hours of lawyers used both for billing and bonus purposes
The number of billable hours worked by lawyers at a law firm is processed both for billing
purposes and for determination of annual bonuses. The system is transparently explained to
employees who have an explicit right to express disagreement with the conclusions in terms
of both billing and bonus payment, to be then discussed with their management.
The processing appears necessary for the legitimate interests of the controller, and there does
not appear to be a less intrusive way to achieve the purpose. The impact on employees is also
limited due to the safeguards and processes put in place. Article 7(f) could therefore be an
appropriate legal ground in this case. There may also be an argument to support that
processing for one or both purposes is also necessary for the performance of the contract.
123 The requirements of Article 8 on special categories of data (such as health data) must also be considered.
124 See the Working document on Black Lists (WP 65) adopted on 3 October 2002.
Example 14: Electronic monitoring of internet use125
The employer monitors internet use during working hours by employees to check they are not
making excessive personal use of the company’s IT. The data collected include temporary
files and cookies generated on the employees’ computers, showing websites visited and
downloads performed during working hours. The data is processed without prior consultation
of data subjects and the trade union representatives/work council in the company. There is
also insufficient information provided to the individuals concerned about these practices.
The amount and nature of the data collected represent a significant intrusion into the private
life of the employees. In addition to proportionality issues, transparency about the practices,
closely linked to the reasonable expectations of the data subjects, is also an important factor to
be considered. Even if the employer has a legitimate interest in limiting the time spent by the
employees visiting websites not directly relevant to their work, the methods used do not meet
the balancing test of Article 7(f). The employer should use less intrusive methods (e.g.
limiting accessibility of certain sites), which are, as best practice, discussed and agreed with
employees’ representatives, and communicated to the employees in a transparent way.
Whistle-blowing schemes
Example 15: Whistleblowing scheme to comply with foreign legal obligations
An EU branch of a US group establishes a limited whistle-blowing scheme to report serious
infringements in the field of accounts and finance. The entities of the group are subject to a
code of good governance that calls for strengthening procedures for internal control and risk
management. Because of its international activities, the EU branch is required to supply
reliable financial data to other members of the group in the US. The scheme is designed to be
compliant with both US law and the guidelines provided by the national data protection
authorities in the EU.
Among the safeguards, employees are given clear guidance as to the circumstances in which
the scheme should be used, through training sessions and other means. Staff are warned not to
abuse the scheme – for example by making false or unfounded allegations against other
members of staff. It is also explained to them that if they prefer they can use the scheme
anonymously or if they wish they can identify themselves. In the latter case, employees are
informed of the circumstances in which information identifying them will be fed back to their
employer or passed on to other agencies.
If the scheme were required to be established under EU law or under the law of an EU
Member State, the processing could be based on Article 7(c). Foreign legal obligations,
however, do not qualify as a legal obligation for the purposes of Article 7(c), and therefore
such an obligation could not legitimise the processing under Article 7(c). The processing
could nonetheless be based on Article 7(f), for example, if there is a legitimate interest in
guaranteeing the stability of financial markets, or the fight against corruption, and provided
that the scheme includes sufficient safeguards, in accordance with guidance from the relevant
regulatory authorities in the EU.
125 A few Member States consider that some limited electronic monitoring may be ‘necessary for the
performance of a contract’, and therefore, may be based on the legal ground of Article 7(b) rather than 7(f).
Example 16: ‘In-house’ whistle-blowing scheme without consistent procedures
A financial services company decides to set up a whistle-blowing scheme because it suspects
widespread theft and corruption amongst its staff and is keen to encourage employees to
inform on each other. In order to save money, the company decides to operate the scheme in-house,
staffed by members of its Human Resources department. In order to encourage
employees to use the scheme it offers a cash ‘no questions asked’ reward to employees whose
whistle-blowing activities lead to the detection of improper conduct and the recovery of
monies.
The company does have a legitimate interest in detecting and preventing theft and corruption.
However, its whistle-blowing scheme is so badly designed and lacking in safeguards that its
interests are overridden by both the interests and right to privacy of its employees – particularly
those who may be the victim of false reports filed purely for financial gain. The fact that the
scheme is operated in-house rather than independently is another problem here, as is the lack
of training and guidance on the use of the scheme.
Physical security, IT and network security
Example 17: Biometric controls in a research laboratory
A scientific research laboratory working with lethal viruses uses a biometric entrance system
due to the high risk to public health in case these viruses were to escape the premises.
Appropriate safeguards are applied, including the fact that biometric data are stored on
personal employee cards and not in a centralised system.
Even if data are sensitive in the broad sense, the reason for their processing is in the public
interest. This and the fact that risks of misuse are reduced by appropriate use of safeguards
make Article 7(f) an appropriate basis for the processing.
Example 18: Hidden cameras to identify smoking visitors and employees
A company makes use of hidden cameras to identify employees and visitors who smoke in
unauthorised areas of the building.
While the controller has a legitimate interest in ensuring compliance with non-smoking rules,
the means used to reach this end are – generally speaking – disproportionate and unnecessarily
intrusive. There are less intrusive and more transparent methods (such as smoke detectors and
visible signs) available. The processing thus fails to comply with Article 6, which requires
data to be ‘not excessive’ in relation to the purposes for which they are collected or further
processed. At the same time, it will probably fail to meet the balancing test of Article 7.
Scientific research
Example 19: Research on effects of divorce and parental unemployment on children’s educational attainment
Under a research programme adopted by the government, and authorised by a competent
ethics committee, research is performed into the relationship between divorce, parental
unemployment and children’s educational attainment. While not classified as ‘special
categories of data’, the research nevertheless focuses on issues that, for many families,
would be considered very intimate personal information. The research will allow special
educational assistance to be targeted at children who may otherwise fall into absenteeism,
poor educational attainment, adult unemployment and criminality. The law of the Member
State concerned explicitly allows processing of personal data (other than special categories of
data) for research purposes, provided the research is necessary for important public interests,
and carried out subject to adequate safeguards, which are then further detailed in
implementing legislation. This legal framework includes specific requirements but also an
accountability framework that allows for assessment on a case-by-case basis of the
permissibility of the research (if carried out without the consent of the individuals concerned)
and the specific measures to be applied to protect the data subjects.
The researcher runs a secure research facility and, under secure conditions, the relevant
information is provided to it by the population registry, courts, unemployment agencies, and
schools. The research centre then ‘hashes’ individuals’ identities so that divorce,
unemployment and education records can be linked, but without revealing individuals’ ‘civic’
identities – e.g. their names and addresses. All the original data is then irretrievably deleted.
Further measures are also taken to ensure functional separation (i.e. that data will only be
used for research purposes) and reduce any further risk of re-identification.
Staff members working at the research centre receive rigorous security training and are
personally – possibly even criminally – liable for any security breach they are responsible for.
Technical and organisational measures are taken, for example, to ensure that staff using USB
sticks could not remove personal data from the facility.
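One way to implement the hashing-and-linkage step described for the research centre, as an added illustration in Python that is not part of the Opinion: each civic identifier is replaced by a keyed hash (HMAC-SHA256 under a secret linkage key, an assumption, since the text only says the centre ‘hashes’ identities), the records from the four sources are joined on that pseudonym, and the key and the original records are then discarded. The sample feeds are constructed, and the key handling is a simplification of what a real facility would do.

```python
"""Pseudonymous record linkage in the style of Example 19 (added illustration)."""
import hashlib
import hmac
import secrets

# Constructed sample feeds standing in for the population registry, courts,
# unemployment agencies and schools. Every value below is made up.
REGISTRY = [
    {"nat_id": "100001", "name": "A. Example", "address": "1 High St"},
    {"nat_id": "100002", "name": "B. Example", "address": "2 High St"},
    {"nat_id": "100003", "name": "C. Example", "address": "3 High St"},
]
COURTS = [{"nat_id": "100001", "divorce_year": 2009}]
UNEMPLOYMENT = [
    {"nat_id": "100001", "months_unemployed": 14},
    {"nat_id": "100003", "months_unemployed": 3},
]
SCHOOLS = [
    {"nat_id": "100001", "attainment": 41},
    {"nat_id": "100002", "attainment": 78},
    {"nat_id": "100003", "attainment": 65},
]

# Fields that reveal a 'civic' identity and must never reach the research set.
CIVIC_FIELDS = {"nat_id", "name", "address"}


def pseudonym(nat_id: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a civic identifier.

    A plain, unkeyed hash of a national ID is not a safeguard: the ID space
    is small, so anyone holding the table can recompute the hash of every
    possible ID and match it. The secret linkage key (an assumption here)
    removes that option for everyone who does not hold the key, and the key
    is discarded once linkage is done.
    """
    return hmac.new(key, nat_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace civic fields with a pseudonym; drop name, address and ID."""
    out = []
    for rec in records:
        clean = {k: v for k, v in rec.items() if k not in CIVIC_FIELDS}
        clean["pid"] = pseudonym(rec["nat_id"], key)
        out.append(clean)
    return out


def link(*feeds):
    """Merge pseudonymised feeds into one row per pseudonym."""
    linked = {}
    for feed in feeds:
        for rec in feed:
            linked.setdefault(rec["pid"], {}).update(rec)
    return linked


def contains_civic_identity(dataset) -> bool:
    """Functional-separation check: True if any row still carries civic data."""
    return any(CIVIC_FIELDS & set(row) for row in dataset.values())


def build_research_dataset():
    """Run the linkage once and return only the de-identified, linked rows."""
    key = secrets.token_bytes(32)  # linkage key exists only during this call
    feeds = [pseudonymise(f, key) for f in (REGISTRY, COURTS, UNEMPLOYMENT, SCHOOLS)]
    dataset = link(*feeds)
    # Discarding the key means nobody can recompute a pid from a nat_id
    # later; the source feeds would likewise be deleted in a real facility.
    del key
    return dataset


if __name__ == "__main__":
    rows = build_research_dataset()
    print(f"{len(rows)} linked rows, civic identity present: "
          f"{contains_civic_identity(rows)}")
```

Because the key is random and discarded, the pseudonyms differ on every run; the linked rows are still joined correctly within the run, which is what the research needs.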
It is in the legitimate interests of the research centre to carry out the research, in which there is
a strong public interest. It is also in the legitimate interests of the employment, educational
and other bodies involved in the scheme, because it will help them to plan and deliver
services to those that most need them. The privacy aspects of the scheme have been well
designed and the safeguards that are in place mean that the legitimate interests of the
organisations involved in carrying out the research are not overridden by either the interests or
privacy rights of the parents or children whose records formed the basis of the research.
Example 20: Research study on obesity
A university wants to carry out research into levels of childhood obesity in several cities and
rural communities. Despite generally having difficulties gaining access to the relevant data
from schools and other institutions, it does manage to persuade a few dozen school
teachers to monitor for a period of time children in their classes who appear obese and to ask
them questions about their diet, levels of physical activity, computer-game use and so forth.
These school teachers also record the names and addresses of the children interviewed so that
an online music voucher can be sent to them as a reward for taking part in the research. The
researchers then compile a database of children, correlating levels of obesity with physical
activity and other factors. The paper copies of the completed interview questionnaires – still
in a form that identifies particular children – are kept in the university archives for an
indefinite period of time and without adequate security measures. Photocopies of all
questionnaires are shared on request with any MD or PhD student of the same and of partner
universities across the world who show interest in further use of the research data.
Although it is in the legitimate interests of the university to carry out research, there are
several aspects of the research design that mean these interests are overridden by the interests
and rights to privacy of the children. Besides the research methodology, which is lacking in
scientific rigour, the problem emanates in particular from the lack of privacy enhancing
approaches in the research design and the broad access to the personal data collected. At no
point are children’s records coded or anonymised and no other measures are taken to ensure
either security of the data or functional separation. Valid Article 7(a) and Article 8(2)(a)
consent is not obtained, either, and it is not clear that it has been explained to either the
children or their parents what their personal data will be used for or with whom it will be
shared.
Foreign legal obligation
Example 21: Compliance with third country tax law requirements
EU banks collect and transfer some of their clients’ data for purposes of their clients’
compliance with third country taxation obligations. The collection and transfer is specified in
and takes place under conditions and safeguards agreed between the EU and the foreign
country in an international agreement.
While a foreign obligation in itself cannot be considered a legitimate basis for processing
under Article 7(c), it may well be if such an obligation is upheld in an international agreement. In
this latter case, the processing could be considered necessary for complying with a legal
obligation incorporated into the internal legal framework by the international agreement.
However, if there is no such agreement in place, the collection and transfer will have to be
assessed under Article 7(f) requirements, and may only be considered permissible provided
that adequate safeguards are put in place such as those approved by the competent data
protection authority (see also Example 15 above).
Example 22: Transfer of data on dissidents
Upon request, an EU company transfers data of foreign residents to an oppressive regime in a
third country that wishes to access data of dissidents (e.g. their email traffic data, email
content, browsing history, or private messages in social networks).
In this case, unlike in the previous example, there is no international agreement that would
allow for applying Article 7(c) as a legal ground. Besides, several elements argue against
Article 7(f) as an appropriate ground for processing. Although the controller may have an
economic interest in ensuring that it complies with foreign government requests (otherwise it
might suffer less favourable treatment by the third country government compared to other
companies), the legitimacy and proportionality of the transfer are highly questionable under the
EU fundamental rights framework. Its potentially huge impact on the individuals concerned
(e.g. discrimination, imprisonment, death penalty) also weighs heavily in favour of the interests
and rights of the individuals concerned.
Reuse of publicly available data
Example 23: Rating of politicians126
A transparency NGO uses publicly available data on politicians (promises made at the time of
their election and actual voting records) to rate them based on how well they kept their
promises.
Even if the impact on the politicians concerned may be significant, the fact that the processing
is based on public information, relates to their public responsibilities and has the clear
purpose of enhancing transparency and accountability tips the balance in favour of the
controller.127
Children and other vulnerable persons
Example 24: Information website for teenagers
An NGO website offering advice to teenagers regarding issues such as drug abuse, unwanted
pregnancy and alcohol abuse collects data via its own server about visitors to the site. It then
immediately anonymises these data and turns them into general statistics about which parts of
the website are most popular among visitors coming from different geographical regions of
the country.
Article 7(f) could be used as a legal ground even though data concerning vulnerable individuals
are concerned, because the processing is in the public interest and strict safeguards are put in
place (the data are immediately rendered anonymous and used only for the creation of
statistics), which helps tip the balance in favour of the controller.
Privacy by design solutions as additional safeguards
Example 25: Access to mobile phone numbers of users and non-users of an app:
‘compare and forget’
Personal data of individuals are processed to check whether they had already granted
unambiguous consent in the past (i.e., ‘compare and forget’ as a safeguard).
An application developer is required to have the data subjects’ unambiguous consent for
processing their personal data: for example, the app developer wishes to access and collect the
entire electronic address book of users of the app, including the mobile phone numbers of
contacts that are not using the app. To be able to do this, it may first have to assess whether
the holders of the mobile phone numbers in the address books of users of the app have
granted their unambiguous consent (under Article 7(a)) for their data to be processed.
126 See and compare also with Example 7 above.
127 As in Examples 1 and 2, we assumed that the publication is accurate and proportionate – lack of safeguards
and other factors may change the balance of interests depending on the facts of the case.
For this limited initial processing (i.e., short-term read access to the full address book of a
user of the app), the app developer may rely on Article 7(f) as a legal ground, subject to
safeguards. These safeguards should include technical and organisational measures to ensure
that the company only uses this access to help the user identify which of his contact persons
are already users, and which therefore had already granted unambiguous consent in the past to
the company to collect and process phone numbers for this purpose. The mobile phone
numbers of non-users may only be collected and used for the strictly limited objective of
verifying whether they have granted their unambiguous consent for their data to be processed,
and they should be immediately deleted thereafter.
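As an added illustration of the safeguard described in Example 25 (this is example code, not part of the Opinion and not any app developer's actual implementation), the Python sketch below models a 'compare and forget' check. The Opinion only requires that non-users' numbers be used solely to verify prior consent and then deleted immediately; the phone number normalisation, the keyed hash (HMAC-SHA256) used so that the comparison never needs raw numbers at rest, and the registered-user store are design choices assumed here. The sample numbers are constructed.

```python
"""Compare-and-forget contact matching (added example, not from the Opinion).

The app is allowed a short-term read of a user's address book solely to tell
the user which contacts are already users (and so consented in the past).
Numbers of non-users are compared and then dropped, never stored or logged.

Assumptions not in the original text (illustrative design choices):
- numbers are reduced to digits with a country code before comparison;
- the server keeps only a keyed hash (HMAC-SHA256) of registered users'
  numbers and compares hashed contacts against it;
- the matching function returns matches only and persists nothing else.
"""
import hashlib
import hmac
import re
from typing import Iterable, List, Optional

# Constructed demo key; in production it lives in a server-side secret store.
MATCH_KEY = b"constructed-demo-key-rotate-in-production"


def normalise_number(raw: str, default_country: str = "44") -> Optional[str]:
    """Reduce a free-form phone number to digits with a country code.

    Returns None when no digits survive. Leading '+' or '00' marks an
    international prefix; a leading '0' is a national number and gets the
    assumed default country code.
    """
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits or None
    if digits.startswith("00"):
        return digits[2:] or None
    if digits.startswith("0"):
        return default_country + digits[1:]
    return digits or None  # assume the country code is already present


def blind(number: str) -> str:
    """Keyed hash of a normalised number; the raw value is not what is stored."""
    return hmac.new(MATCH_KEY, number.encode("utf-8"), hashlib.sha256).hexdigest()


class RegisteredUsers:
    """Server-side store holding only blinded numbers of users who consented."""

    def __init__(self, consented_numbers: Iterable[str]) -> None:
        blinded = set()
        for raw in consented_numbers:
            num = normalise_number(raw)
            if num is not None:
                blinded.add(blind(num))
        self._blinded = frozenset(blinded)  # immutable: matching cannot add to it

    def persisted_count(self) -> int:
        """How many tokens the server holds; unchanged by any address-book check."""
        return len(self._blinded)

    def compare_and_forget(self, address_book: Iterable[str]) -> List[str]:
        """Return the contacts (as given by the user) that are already users.

        Each non-matching number is normalised, hashed, compared and then
        falls out of scope at the end of the loop iteration: it is neither
        stored, logged nor returned.
        """
        matches: List[str] = []
        for raw in address_book:
            num = normalise_number(raw)
            if num is None:
                continue
            if blind(num) in self._blinded:
                matches.append(raw)
            # non-user: nothing retained beyond this point
        return matches


if __name__ == "__main__":
    users = RegisteredUsers(["+44 7700 900123", "+1 202 555 0143"])
    book = ["07700 900123", "+1 (202) 555-0143", "07700 900999", "not a number"]
    print(users.compare_and_forget(book))  # the two registered contacts only
    print(users.persisted_count())  # still 2: no non-user data was kept
```

The check that matters for the balancing test is the last one: after the address book has been processed, the server holds exactly what it held before. Logging the address book, or keeping the blinded tokens of non-users "for next time", would turn the limited initial processing into the very collection for which unambiguous consent is required.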
Combination of personal information across web services
Example 26: Combination of personal information across web services
An internet company providing various services including search engine, video sharing, social
networking, develops a privacy policy which contains a clause that enables it ‘to combine all
personal information’ collected on each of its users in relation to the different services they
use, without defining any data retention period. According to the company, this is done in
order to ‘guarantee the best possible quality of service’.
The company makes some tools available to different categories of users so that they can
exercise their rights (e.g. deactivate targeted advertising, object to the setting of a specific
type of cookie).
However, the tools available do not allow users to effectively control the processing of their
data: users cannot control the specific combinations of their data across services and users
cannot object to the combination of data about them. Overall, there is an imbalance between
the company’s legitimate interest and the protection of users’ fundamental rights and Article
7(f) should not be relied on as a legal ground for processing. Article 7(a) would be a more
appropriate ground to be used, provided that the conditions for a valid consent are met.
Cases
Vesta Mortgage Investments Ltd -v- Devine & anor [2014] IEHC 109
Mr. Justice Brian J. McGovern delivered on the 6th day of March 2014
1. This is an application brought by the plaintiff against the defendants for summary judgment in the sum of €18,872,399.47 together with continuing interest.
2. The debt was incurred by the defendants on foot of facilities granted to them by EBS Building Society (“EBS”). EBS was converted into a private limited company (EBS Ltd.) on 1st July, 2011. On 30th November, 2012, the plaintiff (“Vesta”) purchased from EBS Ltd. the facilities together with related security and other rights.
3. Because this is an application for a summary judgment, the principles set out by the Supreme Court in Danske Bank v. Durkan New Homes [2010] IESC 22 apply. If the judge hearing the application is satisfied that the defendant has a real or bona fide defence, whether based on fact or on law, he is bound to afford the defendant an opportunity of having the issue tried in the appropriate manner. In Aer Rianta cpt. v. Ryanair Ltd. [2001] 4 IR 607, Hardiman J., having reviewed the Irish cases on the subject, said at p. 623:
“In my view, the fundamental questions to be posed on an application such as this remain: is it ‘very clear’ that the defendant has no case? Is there either no issue to be tried or only issues which are simple and easily determined? Do the defendant’s affidavits fail to disclose even an arguable defence?”
In McGrath v. O’Driscoll [2007] ILRM 203, Clarke J. said that a court can, on a motion for summary judgment, resolve questions of law or construction but should only do so where the issues which arise are relatively straightforward and there is no real risk of injustice in determining them in a summary fashion. In First National Commercial Bank plc. v. Anglin [1996] 1 IR 75, Murphy J. cited with approval at p. 76 the following summary of the test set out in Banque de Paris v. de Naray [1984] 1 Lloyd’s Rep. 21:
“The mere assertion in an affidavit of a given situation which was to be the basis of a defence did not of itself provide leave to defend; the court had to look at the whole situation to see whether the defendant had satisfied the court that there was a fair or reasonable probability of the defendants having a real or bona fide defence.”
4. These are the tests that I have to apply in determining this application.
5. The defendants in this case have adopted something of a “scattergun approach” in defending the claim. They have raised the following issues in defence of the application for summary judgment:
(i) The plaintiff’s capacity to bring these proceedings;
(ii) the plaintiff’s capacity to claim interest as it is not a bank;
(iii) whether the requirements of the Bankers Books Evidence Act 1879 and 1959 have been complied with;
(iv) whether the plaintiff is estopped from maintaining these proceedings on the basis of an alleged undertaking by an employee of EBS that the loans would not be sold;
(v) whether a partnership agreement existed between the EBS and the defendants in connection with the purchase of property in Germany;
(vi) whether the plaintiff has breached the Data Protection Acts;
(vii) whether the first named defendant was an employee of the EBS;
(viii) whether the plaintiff was obliged to take into account certain tax implications arising for the defendants if the loans are called in;
(ix) whether the debt is ascertained.
The Plaintiff’s Capacity to bring these Proceedings
6. These proceedings arise out of a series of twelve loan facilities advanced to the defendants by EBS Building Society between 1998 and 2008. On 1st July, 2011, EBS Building Society was converted into a private limited company named EBS Ltd. That conversion occurred under an Acquisition Conversion Scheme which was confirmed and registered by the Central Bank pursuant to s. 104 of the Building Societies Act 1989. The plaintiff acquired the facilities from EBS Ltd. under a Deed of Assignment dated 30th November, 2012.
7. Clause 2 of EBS Standard Conditions provided that the facilities are “subject to the Rules of EBS except where the security documentation and/or Offer Letter provide otherwise”. Clause 7(1)(d) of the Rules entitles EBS to transfer, assign or dispose of any of its loans, whether absolutely or by way of security or otherwise. The requirements of s. 28(6) of the Supreme Court of Judicature Act (Ireland) 1877 for a valid legal assignment of a debt have been met in this case. The Deed of Assignment expressly provides at clause 2.1 for the absolute assignment of the facilities to the plaintiff. The Deed of Assignment is in writing and has been sealed by EBS Ltd. in the presence of two authorised signatories. The defendants were notified in writing of the assignment. I am satisfied, therefore, that there was a valid assignment of the defendants’ loans with EBS to the plaintiff.
The Plaintiff’s Capacity to Claim Interest
8. The defendants assert that the plaintiff is not entitled to recover the monies advanced under the facilities and, in particular, interest on those monies, because it is not licensed by the Central Bank to do so. I accept the plaintiff’s contention that it is not engaged in any regulated activity which requires a banking licence. It does not carry on “banking business” within the meaning of the Central Bank Act 1971, and, in particular, it does not receive monies from members of the public on deposit or as repayable funds. This assertion has not been challenged by the defendants. Neither is the plaintiff a money lender within the meaning of the Consumer Credit Act 1995, because it does not supply credit to consumers. This is not disputed by the defendants. The plaintiff’s entitlement to levy interest arises on a contractual basis, on foot of the assignment of rights by the EBS to it. In my view, therefore, the defendants’ assertion that the plaintiff is not entitled to claim interest is unsustainable.
Have the Provisions of the Bankers Books Evidence Act been complied with?
9. Mr. Mark Hughes, a manager in EBS Ltd., swore an affidavit verifying the sums due under each of the facilities granted to the defendants. It is clear from his affidavit and the exhibits therein that the provisions of the Bankers’ Books Evidence Act have been complied with. Mr. Hughes is an officer of the EBS and as such is entitled to prove its books and records. He has exhibited copy statements of account in respect of each of the twelve facilities granted to the defendants.
Alleged Undertaking by EBS through Ms. Emer Finnan that the Facilities would not be sold by EBS
10. This claim by the defendant involves setting up a collateral agreement. The defendants allege that Ms. Emer Finnan on behalf of EBS said that the facilities would be “rolled on a long-term sustainable basis” and not sold. In support of this claim, the first named defendant exhibited an email from him to Ms. Finnan on 17th June, 2011, in which he said “I appreciate EBS’s willingness in principle to roll the facility forward on an interest only basis for the next 12 months. I am also much more comfortable that it is acknowledged that the portfolio will need to be kept intact to enjoy the much needed recovery to build back value”. In the same email he said “I, and the majority of your commercial clients like myself are in limbo until a long-term plan is agreed . . . this is a piece of work that Conor and I will work on over the coming months, but your input will be necessary and invaluable”. That was as far as any discussion went on the issue as to how the loans were to be managed and falls way short of establishing a collateral agreement.
11. Furthermore, the Rules of the EBS prohibited Ms. Finnan from entering into the agreement contended for by the defendants as clause 12(4) provides that the Board of EBS is the entity which can, in agreement with a borrower, vary the terms of repayment of a loan facility. The Defendants agreed to accept the facilities on those terms. The plaintiff also argues that even if the agreement contended for by the defendants existed that it could not affect the plaintiff’s title to the facilities having acquired them for value and without notice of any such agreement. While it might potentially give rise to a claim by the defendants against EBS, it could not affect the plaintiff’s title to the facilities.
12. It is of some significance that although the defendants sought and were granted liberty to issue a motion to join EBS as a third party in these proceedings they did not do so. The defendants have not raised any issue to be tried on this point.
Was there a Partnership between the EBS and the Defendants?
13. The defendants claim that their purchase of property in Germany with monies advanced by EBS constituted a joint undertaking or partnership arrangement. The first named defendant exhibited a letter from Mr. Mark Hughes of EBS dated 17th January, 2011, in support of this contention. But the letter does nothing to suggest that it was written other than in the context of a relationship of lender and borrower and in no way supports a contention that there was a partnership. While I cannot ignore the fact that the defendants contend that there was a partnership, it is clear that the mere assertion of this in an affidavit does not of itself provide leave to defend since the court has to look at the overall situation to see whether there is a fair or reasonable probability of the defendant having a real or bona fide defence on the issue.
14. Having read the voluminous amount of documents in this case and considered the pleadings and submissions, it is clear beyond any doubt that the relationship between the EBS and the defendants was one of lender and borrower. The defendants have adduced no evidence which would call into question that relationship to the extent that this is an issue which should go for plenary hearing. In Badeley v. Consolidated Bank [1888] 38 Ch. D 238, Cotton L.J. held at p. 250 that where the participation in profits arises from a clause in an agreement entered into between parties, it is wrong to say that this is prima facie evidence of a partnership “because you must look, not only to that stipulation, but all the other stipulations in the contract, and to determine whether on the stipulations of the contract taken as a whole you can come to the conclusion that there is a partnership – that there is a joint business carried on behalf of the two – or whether the transaction is one of loan between debtor and creditor, a loan secured by giving a certain interest in the profits”.
15. In this case, there is no provision for a sharing of profits or anything to suggest a partnership, and looking at the agreements as a whole, they are quite clearly agreements between a lender and a borrower. But even if the defendants were able to establish a partnership with regard to the monies advanced to purchase properties in Germany, it would not afford a defence to the plaintiff’s claim for payment of the monies due and owing on foot of the facilities granted.
16. The defendants also raise a subsidiary objection in relation to the funds advanced for the purchase of properties in Germany. They claim that a building society is not entitled to exercise its power outside the State without the approval of the Central Bank. I am satisfied on the evidence that the facilities were advanced to the defendants in this jurisdiction and did not involve the exercise by the EBS of powers outside the State, even if security was provided by the defendants over properties in Germany. The defendants have not raised any arguable defence on this basis.
Data Protection
17. The defendants’ assertion that the sale of the facilities by EBS to the plaintiff “may be in breach of the Data Protection Act” is unsustainable. In the first place, they do not allege that it is a breach. But, in any event, personal data may be processed in a variety of circumstances including where “necessary . . . for the performance of a contract to which the data subject is a party” (s. 2A of the Data Protection Act 1988, as inserted by s. 4 of the Data Protection (Amendment) Act 2003). Since the facilities granted to the defendants included an entitlement for EBS to assign them to a third party, and this was accepted by the defendants, it would not be possible for the assignment to have taken place without providing to the plaintiff information from which the defendants could be identified. That data was therefore necessary for the performance of that part of the contract between the defendants and EBS which provided for the assignment of the facilities. The point taken by the defendants on this issue does not give rise to an arguable defence.
Employment Relationship between First Named Defendant and EBS
18. One of the more puzzling claims made by the first named defendant is that he was an employee of EBS because he was in receipt of a sum of €8,000 per month on foot of variations agreed between EBS and the defendants in respect of a number of facility letters. In an affidavit sworn by him on 7th February, 2014, he claims that he was induced by EBS to resign from Cobalt Technology Ltd. (“Cobalt”) and was paid €8,000 net per month by EBS. He says “I was employed for over a year so I am a permanent pensionable employee of EBS”. There seems to be little evidence to support this extravagant claim of the first named defendant. Furthermore, it is difficult to see how this would afford a defence to the plaintiff’s claim.
19. The first named defendant never took any proceedings against EBS in relation to any breach of an employment contract and existence of any employment contract between him and the EBS is denied. He claims that the EBS or the plaintiff will have to fully address his entire employment, tax and pension rights in the context of these proceedings. It is difficult to see how this could be so. But what I have to decide is whether it meets the test for leave to defend in a summary judgment application.
20. In January 2012, the EBS varied a number of facility letters as follows:
“EBS agrees to the transfer by Standing Order of €8,000 on the first day of each month from the rent account to Paul Devine personal bank account 63409583 in BOI subject to all interest payments charged on the EBS commercial loan accounts being up to date.”
In the same facility letter, it is provided that EBS had agreed to an interest only-period for a period of twelve months, expiring 21st September, 2012. It also provided that all rental income from certain secured properties in Germany and Ireland were to be mandated to EBS. The plaintiff argues that this is clearly one of the conditions on which EBS agreed to provide an interest-only period to the defendants and that the facility letter permitted the first named defendant to retain a portion of the rental income that he would otherwise be required under the facilities to remit to the EBS as a condition of the interest-only period. The plaintiff argues that there is no evidence to suggest that this gave rise to an employment relationship between EBS and the first named defendant.
21. Furthermore, the defendants do not deny that they have failed to make interest payments due under the facilities and therefore the first named defendant’s entitlement to retain €8,000 per month from the rental income on the secured properties ceased when the defendants failed to pay the interest.
22. Applying the Summary Judgment test outlined in para 3 above, it seems to me that the defendants have raised an arguable case and that there is an issue to be tried as to whether or not the agreement contended for by the first named defendant exists and, if so, whether there should be any set-off arising from any such agreement.
Defendants’ Tax Liability
23. The defendants claim that they will be exposed to a significant tax liability on the sale of the assets on which the facilities are secured. It seems to me that this is of no relevance to these proceedings. The plaintiff’s claim is for judgment in respect of the monies due under the facilities only. No relief is sought concerning the security acquired by the plaintiff from EBS. But even if the plaintiff ultimately relies on such security and it has tax implications for the defendants, this is not something which affords a defence to the plaintiff’s claim and therefore is not an answer to the claim for summary judgment.
Is the Debt Ascertained?
24. This is the real issue in the case. The defendants admit borrowing monies from EBS and acknowledge that monies were due to EBS on the date of acquisition of the facilities by the plaintiff. But, while they allege that the sums due are “unascertained”, there has been no real attempt by the defendants to engage with the evidence proffered by the plaintiff setting out the amounts claimed to be due. No affidavit from a financial expert has been submitted on behalf of the defendants to suggest that the sums claimed are not due and owing or that the sums set out in the verifying affidavits of Mr. Mark Hughes and Mr. Jeffrey Johnson exhibiting statements of account are incorrect.
25. In an affidavit sworn on 7th February, 2014, the first named defendant conceded that he owed an unascertained amount to EBS at 30th November, 2012. The second named defendant has not repudiated that statement or said anything that would call it into question. In the same affidavit, he says that he paid €63,871.63 to the plaintiff in error in 2012. The plaintiff disputes that this was paid in error but there is sufficient dispute raised between the parties to bring the defendants within the ambit of the Danske Bank v. Durkan New Homes jurisprudence, so I will allow the defendants defend that issue at a plenary hearing. In that affidavit, the first named defendant refers to his accountant, Mr. Gerry Carron, and says that he spoke to him in February 2013, and it was agreed Mr. Carron would seek a refund from the plaintiff. There is no affidavit from Mr. Carron challenging any other sums claimed by the plaintiff from the defendants.
Conclusion
26. It seems to me that in the absence of any credible evidence challenging the sums claimed up to 30th November, 2012, the plaintiff is entitled to summary judgment for whatever sums are due on foot of the facilities up to that date including interest under the terms of the facility letters. The sums due are what is shown on the statements of account in respect of the various loans as verified by Mr. Mark Hughes on affidavit.
27. I will allow three issues go to plenary hearing. The first is the extent (if any) to which the defendants are entitled to credits in the sum of €8,000 per month in respect of an alleged employment relationship between the first named defendant and EBS. The second issue is whether the defendants are entitled to credit for a sum of €63,871.63 which the first named defendant claims was paid in error to the plaintiff. And the third is the amount due since the 30th November 2012.
EDPB Guidance
The European Data Protection Board
Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 20181,
Having regard to Article 12 and Article 22 of its Rules of Procedure,
Having regard to the Article 29 Working Party Guidelines on consent under Regulation 2016/679, WP259 rev.01,
HAS ADOPTED THE FOLLOWING GUIDELINES
0 PREFACE
On 10 April 2018 the Article 29 Working Party adopted its Guidelines on consent under Regulation 2016/679 (WP259.01), which were endorsed by the European Data Protection Board (hereinafter “EDPB”) at its first Plenary meeting. This document is a slightly updated version of those Guidelines. Any reference to the WP29 Guidelines on consent (WP259 rev.01) should from now on be interpreted as a reference to these guidelines.
The EDPB has noticed that there was a need for further clarifications, specifically regarding two questions:
1 The validity of consent provided by the data subject when interacting with so-called “cookie walls”;
2 The example 16 on scrolling and consent.
The paragraphs concerning these two issues have been revised and updated, while the rest of the document was left unchanged, except for editorial changes. The revision concerns, more specifically:
• Section on Conditionality (paragraphs 38 – 41).
• Section on Unambiguous indication of wishes (paragraph 86)
1 INTRODUCTION
1. These Guidelines provide a thorough analysis of the notion of consent in Regulation 2016/679, the General Data Protection Regulation (hereafter: GDPR). The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon the Article 29 Working Party Opinion 15/2011 on consent. The obligation is on controllers to innovate to find new solutions that operate within the parameters of the law and better support the protection of personal data and the interests of data subjects.
1 References to “Member States” made throughout this document should be understood as references to “EEA Member States”.
2. Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR.2 When initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing.
3. Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.3
4. The existing Article 29 Working Party (WP29) Opinions on consent4 remain relevant, where consistent with the new legal framework, as the GDPR codifies existing WP29 guidance and general good practice and most of the key elements of consent remain the same under the GDPR. Therefore, in this document, the EDPB expands upon and completes earlier Article 29 Working Party Opinions on specific topics that include reference to consent under Directive 95/46/EC, rather than replacing them.
5. As the WP29 stated in its Opinion 15/2011 on the definition of consent, inviting people to accept a data processing operation should be subject to rigorous requirements, since it concerns the fundamental rights of data subjects and the controller wishes to engage in a processing operation that would be unlawful without the data subject’s consent.5 The crucial role of consent is underlined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Furthermore, obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality. Even if the processing of personal data is based on consent of the data subject, this would not legitimise collection of data which is not necessary in relation to a specified purpose of processing and would be fundamentally unfair.6
2 Article 9 GDPR provides a list of possible exemptions to the ban on processing special categories of data. One of the exemptions listed is the situation where the data subject provides explicit consent to the use of this data.
3 See also Article 29 Working Party Opinion 15/2011 on the definition of consent (WP 187), pp. 6-8, and/or Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP 217), pp. 9, 10, 13 and 14.
4 Most notably, Opinion 15/2011 on the definition of consent (WP 187).
5 Opinion 15/2011 on the definition of consent (WP 187), p. 8.
6 See also Opinion 15/2011 on the definition of consent (WP 187), and Article 5 GDPR.
6. Meanwhile, the EDPB is aware of the review of the ePrivacy Directive (2002/58/EC). The notion of consent in the draft ePrivacy Regulation remains linked to the notion of consent in the GDPR.7 Organisations are likely to need consent under the ePrivacy instrument for most online marketing messages or marketing calls, and online tracking methods including by the use of cookies or apps or other software. The EDPB has already provided recommendations and guidance to the European legislator on the Proposal for a Regulation on ePrivacy.8
7. With regard to the existing e-Privacy Directive, the EDPB notes that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR.9 This also applies to references to consent in the current Directive 2002/58/EC, as the ePrivacy Regulation will not (yet) be in force from 25 May 2018. According to Article 95 GDPR, additional obligations in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks shall not be imposed insofar as the e-Privacy Directive imposes specific obligations with the same objective. The EDPB notes that the requirements for consent under the GDPR are not considered to be an ‘additional obligation’, but rather preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive.
2 CONSENT IN ARTICLE 4(11) OF THE GDPR
8. Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
9. The basic concept of consent remains similar to that under the Directive 95/46/EC and consent is one of the lawful grounds on which personal data processing has to be based, pursuant to Article 6 of the GDPR.10 Besides the amended definition in Article 4(11), the GDPR provides additional guidance in Article 7 and in recitals 32, 33, 42, and 43 as to how the controller must act to comply with the main elements of the consent requirement.
7 According to Article 9 of the proposed ePrivacy Regulation, the definition of and the conditions for consent provided for in Articles 4(11) and Article 7 of the GDPR apply.
8 See EDPB statement on ePrivacy – 25/05/2018 and EDPB Statement 3/2019 on an ePrivacy regulation.
9 See Article 94 GDPR.
10 Consent was defined in Directive 95/46/EC as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”, which must be ‘unambiguously given’ in order to make the processing of personal data legitimate (Article 7(a) of Directive 95/46/EC). See WP29 Opinion 15/2011 on the definition of consent (WP 187) for examples on the appropriateness of consent as lawful basis. In this Opinion, WP29 provided guidance to distinguish situations where consent is an appropriate lawful basis from those where relying on the legitimate interest ground (perhaps with an opportunity to opt out) is sufficient or a contractual relation would be recommended. See also WP29 Opinion 06/2014, paragraph III.1.2, p. 14 and further. Explicit consent is also one of the exemptions to the prohibition on the processing of special categories of data: see Article 9 GDPR.
10. Finally, the inclusion of specific provisions and recitals on the withdrawal of consent confirms that consent should be a reversible decision and that there remains a degree of control on the side of the data subject.
3 ELEMENTS OF VALID CONSENT
11. Article 4(11) of the GDPR stipulates that consent of the data subject means any:
• freely given,
• specific,
• informed and
• unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
12. In the sections below, it is analysed to what extent the wording of Article 4(11) requires controllers to change their consent requests/forms, in order to ensure compliance with the GDPR.11
3.1 Free / freely given12
13. The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.13 If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment.14 The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.
14. When assessing whether consent is freely given, one should also take into account the specific situation of tying consent into contracts or the provision of a service as described in Article 7(4). Article 7(4) has been drafted in a non-exhaustive fashion by the words “inter alia”, meaning that there may be a range of other situations, which are caught by this provision. In general terms, any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid.
11 For guidance with regard to ongoing processing activities based on consent in Directive 95/46, see chapter 7 of this document and recital 171 of the GDPR.
12 In several opinions, the Article 29 Working Party has explored the limits of consent in situations where it cannot be freely given. This was notably the case in its Opinion 15/2011 on the definition of consent (WP 187), Working Document on the processing of personal data relating to health in electronic health records (WP 131), Opinion 8/2001 on the processing of personal data in the employment context (WP 48), and Second opinion 4/2009 on processing of data by the World Anti-Doping Agency (WADA) (International Standard for the Protection of Privacy and Personal Information, on related provisions of the WADA Code and on other privacy issues in the context of the fight against doping in sport by WADA and (national) anti-doping organizations (WP 162).
13 See Opinion 15/2011 on the definition of consent (WP 187), p. 12.
14 See Recitals 42, 43 GDPR and WP29 Opinion 15/2011 on the definition of consent, adopted on 13 July 2011, (WP 187), p. 12.
3.1.1 Imbalance of power
16. Recital 43 (see footnote 15) clearly indicates that it is unlikely that public authorities can rely on consent for processing, since, whenever the controller is a public authority, there is often a clear imbalance of power in the relationship between the controller and the data subject. It is also clear in most cases that the data subject will have no realistic alternatives to accepting the processing (terms) of this controller. The EDPB considers that there are other lawful bases that are, in principle, more appropriate to the activity of public authorities.16
17. Without prejudice to these general considerations, the use of consent as a lawful basis for data processing by public authorities is not totally excluded under the legal framework of the GDPR. The following examples show that the use of consent can be appropriate under certain circumstances.
15 Recital 43 GDPR states: “In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. (…)”.
16 See Article 6 GDPR, notably paragraphs (1c) and (1e).
21. An imbalance of power also occurs in the employment context.18 Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent.19 Therefore, the EDPB deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1)(a)) due to the nature of the relationship between employer and employee.20
22. However, this does not mean that employers can never rely on consent as a lawful basis for processing. There may be situations when it is possible for the employer to demonstrate that consent actually is freely given. Given the imbalance of power between an employer and its staff members, employees can only give free consent in exceptional circumstances, when it will have no adverse consequences at all whether or not they give consent.21
24. Imbalances of power are not limited to public authorities and employers, they may also occur in other situations. As highlighted by the WP29 in several Opinions, consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will.
17 For the purposes of this example, a public school means a publicly funded school or any educational facility that qualifies as a public authority or body by national law.
18 See also Article 88 GDPR, where the need for protection of the specific interests of employees is emphasised and a possibility for derogations in Member State law is created. See also Recital 155.
19 See Opinion 15/2011 on the definition of consent (WP 187), pp. 12-14 , Opinion 8/2001 on the processing of personal data in the employment context (WP 48), Chapter 10, Working document on the surveillance of electronic communications in the workplace (WP 55), paragraph 4.2 and Opinion 2/2017 on data processing at work (WP 249), paragraph 6.2.
20 See Opinion 2/2017 on data processing at work, page 6-7.
21 See also Opinion 2/2017 on data processing at work (WP249), paragraph 6.2.
3.1.2 Conditionality
25. To assess whether consent is freely given, Article 7(4) GDPR plays an important role.22
26. Article 7(4) GDPR indicates that, inter alia, the situation of “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable. If consent is given in this situation, it is presumed to be not freely given (recital 43). Article 7(4) seeks to ensure that the purpose of personal data processing is neither disguised nor bundled with the provision of a contract or a service for which these personal data are not necessary. In doing so, the GDPR ensures that the processing of personal data for which consent is sought cannot become directly or indirectly the counter-performance of a contract. The two lawful bases for the lawful processing of personal data, i.e. consent and contract, cannot be merged and blurred.
27. Compulsion to agree with the use of personal data additional to what is strictly necessary limits data subjects’ choices and stands in the way of free consent. As data protection law is aiming at the protection of fundamental rights, an individual’s control over their personal data is essential and there is a strong presumption that consent to the processing of personal data that is unnecessary cannot be seen as a mandatory consideration in exchange for the performance of a contract or the provision of a service.
28. Hence, whenever a request for consent is tied to the performance of a contract by the controller, a data subject that does not wish to make his/her personal data available for processing by the controller runs the risk of being denied services they have requested.
29. To assess whether such a situation of bundling or tying occurs, it is important to determine what the scope of the contract is and what data would be necessary for the performance of that contract.
30. According to Opinion 06/2014 of WP29, the term “necessary for the performance of a contract” needs to be interpreted strictly. The processing must be necessary to fulfil the contract with each individual data subject. This may include, for example, processing the address of the data subject so that goods purchased online can be delivered, or processing credit card details in order to facilitate payment. In the employment context, this ground may allow, for example, the processing of salary information and bank account details so that wages can be paid.23 There needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract.
31. If a controller seeks to process personal data that are in fact necessary for the performance of a contract, then consent is not the appropriate lawful basis.24
22 Article 7(4) GDPR: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” See also Recital 43 GDPR, that states: “[…] Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent, despite such consent not being necessary for such performance.”
23 For more information and examples, see Opinion 06/2014 on the notion of legitimate interest of the data controller under Article 7 of Directive 95/46/EC, adopted by WP29 on 9 April 2014, p. 16-17. (WP 217).
24 The appropriate lawful basis could then be Article 6(1)(b) (contract).
32. Article 7(4) is only relevant where the requested data are not necessary for the performance of the contract, (including the provision of a service), and the performance of that contract is made conditional on the obtaining of these data on the basis of consent. Conversely, if processing is necessary to perform the contract (including to provide a service), then Article 7(4) does not apply.
34. The choice of the legislator to highlight conditionality, amongst others, as a presumption of a lack of freedom to consent, demonstrates that the occurrence of conditionality must be carefully scrutinized. The term “utmost account” in Article 7(4) suggests that special caution is needed from the controller when a contract (which could include the provision of a service) has a request for consent to process personal data tied to it.
35. As the wording of Article 7(4) is not construed in an absolute manner, there might be very limited space for cases where this conditionality would not render the consent invalid. However, the word “presumed” in Recital 43 clearly indicates that such cases will be highly exceptional.
36. In any event, the burden of proof in Article 7(4) is on the controller.25 This specific rule reflects the general principle of accountability, which runs throughout the GDPR. However, when Article 7(4) applies, it will be more difficult for the controller to prove that consent was given freely by the data subject.26
37. The controller could argue that his organisation offers data subjects genuine choice if they were able to choose between a service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by the same controller that does not involve consenting to data use for additional purposes on the other hand. As long as there is a possibility to have the contract performed or the contracted service delivered by this controller without consenting to the other or additional data use in question, this means there is no longer a conditional service. However, both services need to be genuinely equivalent.
38. The EDPB considers that consent cannot be considered as freely given if a controller argues that a choice exists between its service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by a different controller on the other hand. In such a case, the freedom of choice would be made dependent on what other market players do and whether an individual data subject would find the other controller’s services genuinely equivalent. It would furthermore imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their data processing activities, as a competitor may alter its service at a later stage. Hence, using this argument means a consent relying on an alternative option offered by a third party fails to comply with the GDPR, meaning that a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent.
25 See also Article 7(1) GDPR, which states that the controller needs to demonstrate that the data subject’s agreement was freely given.
26 To some extent, the introduction of this paragraph is a codification of existing WP29 guidance. As described in Opinion 15/2011, when a data subject is in a situation of dependence on the data controller – due to the nature of the relationship or to special circumstances – there may be a strong presumption that freedom to consent is limited in such contexts (e.g. in an employment relationship or if the collection of data is performed by a public authority). With Article 7(4) in force, it will be more difficult for the controller to prove that consent was given freely by the data subject. See: Article 29 Working Party Opinion 15/2011 on the definition of consent (WP 187), pp. 12-17.
39. In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)27.
3.1.3 Granularity
42. A service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes. In a given case, several consents may be warranted to start offering a service, pursuant to the GDPR.
43. Recital 43 clarifies that consent is presumed not to be freely given if the process/procedure for obtaining consent does not allow data subjects to give separate consent for personal data processing operations respectively (e.g. only for some processing operations and not for others) despite it being appropriate in the individual case. Recital 32 states, “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them”.
44. If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom. This granularity is closely related to the need of consent to be specific, as discussed in section 3.2 further below. When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.
27 As clarified above, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive.
3.1.4 Detriment
46. The controller needs to demonstrate that it is possible to refuse or withdraw consent without detriment (recital 42). For example, the controller needs to prove that withdrawing consent does not lead to any costs for the data subject and thus no clear disadvantage for those withdrawing consent.
47. Other examples of detriment are deception, intimidation, coercion or significant negative consequences if a data subject does not consent. The controller should be able to prove that the data subject had a free or genuine choice about whether to consent and that it was possible to withdraw consent without detriment.
48. If a controller is able to show that a service includes the possibility to withdraw consent without any negative consequences e.g. without the performance of the service being downgraded to the detriment of the user, this may serve to show that the consent was given freely. The GDPR does not preclude all incentives but the onus would be on the controller to demonstrate that consent was still freely given in all the circumstances.
49. Example 8: When downloading a lifestyle mobile app, the app asks for consent to access the phone’s accelerometer. This is not necessary for the app to work, but it is useful for the controller who wishes to learn more about the movements and activity levels of its users. When the user later revokes that consent, she finds out that the app now only works to a limited extent. This is an example of detriment as meant in Recital 42, which means that consent was never validly obtained (and thus, the controller needs to delete all personal data about users’ movements collected this way).
50. Example 9: A data subject subscribes to a fashion retailer’s newsletter with general discounts. The retailer asks the data subject for consent to collect more data on shopping preferences to tailor the offers to his or her preferences based on shopping history or a questionnaire that is voluntary to fill out. When the data subject later revokes consent, he or she will receive non-personalised fashion discounts again. This does not amount to detriment as only the permissible incentive was lost.
51. Example 10: A fashion magazine offers readers access to buy new make-up products before the official launch.
52. The products will shortly be made available for sale, but readers of this magazine are offered an exclusive preview of these products. In order to enjoy this benefit, people must give their postal address and agree to subscription on the mailing list of the magazine. The postal address is necessary for shipping and the mailing list is used for sending commercial offers for products such as cosmetics or t-shirts year round.
53. The company explains that the data on the mailing list will only be used for sending merchandise and paper advertising by the magazine itself and is not to be shared with any other organisation.
54. In case the reader does not want to disclose their address for this reason, there is no detriment, as the products will be available to them anyway.
3.2 Specific
55. Article 6(1)(a) confirms that the consent of the data subject must be given in relation to “one or more specific” purposes and that a data subject has a choice in relation to each of them.28 The requirement that consent must be ‘specific’ aims to ensure a degree of user control and transparency for the data subject. This requirement has not been changed by the GDPR and remains closely linked to the requirement of ‘informed’ consent. At the same time, it must be interpreted in line with the requirement for ‘granularity’ to obtain ‘free’ consent.29 In sum, to comply with the element of ‘specific’ the controller must apply:
28 Further guidance on the determination of ‘purposes’ can be found in Opinion 3/2013 on purpose limitation (WP 203).
i Purpose specification as a safeguard against function creep,
ii Granularity in consent requests, and
iii Clear separation of information related to obtaining consent for data processing activities from information about other matters.
56. Ad. (i): Pursuant to Article 5(1)(b) GDPR, obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity.30 The need for specific consent in combination with the notion of purpose limitation in Article 5(1)(b) functions as a safeguard against the gradual widening or blurring of purposes for which data is processed, after a data subject has agreed to the initial collection of the data. This phenomenon, also known as function creep, is a risk for data subjects, as it may result in unanticipated use of personal data by the controller or by third parties and in loss of data subject control.
57. If the controller is relying on Article 6(1)(a), data subjects must always give consent for a specific processing purpose.31 In line with the concept of purpose limitation, Article 5(1)(b) and recital 32, consent may cover different operations, as long as these operations serve the same purpose. It goes without saying that specific consent can only be obtained when data subjects are specifically informed about the intended purposes of data use concerning them.
58. Notwithstanding the provisions on compatibility of purposes, consent must be specific to the purpose. Data subjects will give their consent with the understanding that they are in control and their data will only be processed for those specified purposes. If a controller processes data based on consent and wishes to process the data for another purpose, too, that controller needs to seek additional consent for this other purpose unless there is another lawful basis, which better reflects the situation.
59. Example 11: A cable TV network collects subscribers’ personal data, based on their consent, to present them with personal suggestions for new movies they might be interested in based on their viewing habits. After a while, the TV network decides it would like to enable third parties to send (or display) targeted advertising on the basis of the subscriber’s viewing habits. Given this new purpose, new consent is needed.
60. Ad. (ii): Consent mechanisms must not only be granular to meet the requirement of ‘free’, but also to meet the element of ‘specific’. This means, a controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.
29 Recital 43 GDPR states that separate consent for different processing operations will be needed wherever appropriate. Granular consent options should be provided to allow data subjects to consent separately to separate purposes.
30 See WP29 Opinion 3/2013 on purpose limitation (WP 203), p. 16: “For these reasons, a purpose that is vague or general, such as for instance ‘improving users’ experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will – without more detail – usually not meet the criteria of being ‘specific’.”
31 This is consistent with WP29 Opinion 15/2011 on the definition of consent (WP 187), for example on p. 17.
61. Ad. (iii): Lastly, controllers should provide specific information with each separate consent request about the data that are processed for each purpose, in order to make data subjects aware of the impact of the different choices they have. Thus, data subjects are enabled to give specific consent. This issue overlaps with the requirement that controllers must provide clear information, as discussed in paragraph 3.3. below.
3.3 Informed
62. The GDPR reinforces the requirement that consent must be informed. Based on Article 5 of the GDPR, the requirement for transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects prior to obtaining their consent is essential in order to enable them to make informed decisions, understand what they are agreeing to, and for example exercise their right to withdraw their consent. If the controller does not provide accessible information, user control becomes illusory and consent will be an invalid basis for processing.
63. The consequence of not complying with the requirements for informed consent is that consent will be invalid and the controller may be in breach of Article 6 of the GDPR.
3.3.1 Minimum content requirements for consent to be ‘informed’
64. For consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice. Therefore, the EDPB is of the opinion that at least the following information is required for obtaining valid consent:
i. the controller’s identity, 32
ii. the purpose of each of the processing operations for which consent is sought,33
iii. what (type of) data will be collected and used, 34
iv. the existence of the right to withdraw consent,35
v. information about the use of the data for automated decision-making in accordance with Article 22(2)(c)36 where relevant, and
vi. on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.37
32 See also Recital 42 GDPR: “[…] For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. […]”.
33 Again, see Recital 42 GDPR.
34 See also WP29 Opinion 15/2011 on the definition of consent (WP 187), pp. 19-20.
35 See Article 7(3) GDPR.
36 See also WP29 Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP 251), paragraph IV.B, p. 20 onwards.
65. With regard to items (i) and (iii), the EDPB notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers, or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named. Processors do not need to be named as part of the consent requirements, although to comply with Articles 13 and 14 of the GDPR, controllers will need to provide a full list of recipients or categories of recipients including processors. To conclude, the EDPB notes that depending on the circumstances and context of a case, more information may be needed to allow the data subject to genuinely understand the processing operations at hand.
3.3.2 How to provide information
66. The GDPR does not prescribe the form or shape in which information must be provided in order to fulfil the requirement of informed consent. This means valid information may be presented in various ways, such as written or oral statements, or audio or video messages. However, the GDPR puts several requirements for informed consent in place, predominantly in Article 7(2) and Recital 32. This leads to a higher standard for the clarity and accessibility of the information.
67. When seeking consent, controllers should ensure that they use clear and plain language in all cases. This means a message should be easily understandable for the average person and not only for lawyers. Controllers cannot use long privacy policies that are difficult to understand or statements full of legal jargon. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form. This requirement essentially means that information relevant for making informed decisions on whether or not to consent may not be hidden in general terms and conditions.38
68. A controller must ensure that consent is provided on the basis of information that allows the data subjects to easily identify who the controller is and to understand what they are agreeing to. The controller must clearly describe the purpose for data processing for which consent is requested.39
69. Other specific guidance on the accessibility has been provided in the WP29 guidelines on transparency. If consent is to be given by electronic means, the request must be clear and concise. Layered and granular information can be an appropriate way to deal with the two-fold obligation of being precise and complete on the one hand and understandable on the other hand.
70. A controller must assess what kind of audience it is that provides personal data to their organisation. For example, in case the targeted audience includes data subjects that are underage, the controller is expected to make sure information is understandable for minors.40 After identifying their audience, controllers must determine what information they should provide and, subsequently, how they will present the information to data subjects.
37 Pursuant to Article 49(1)(a), specific information is required about the absence of safeguards described in Article 46, when explicit consent is sought. See also WP29 Opinion 15/2011 on the definition of consent (WP 187), p. 19.
38 The declaration of consent must be named as such. Drafting, such as “I know that…”, does not meet the requirement of clear language.
39 See Articles 4(11) and 7(2) GDPR.
40 See also Recital 58 regarding information understandable for children.
71. Article 7(2) addresses pre-formulated written declarations of consent, which also concern other matters. When consent is requested as part of a (paper) contract, the request for consent should be clearly distinguishable from the other matters. If the paper contract includes many aspects that are unrelated to the question of consent to the use of personal data, the issue of consent should be dealt with in a way that clearly stands out, or in a separate document. Likewise, if consent is requested by electronic means, the consent request has to be separate and distinct; it cannot simply be a paragraph within terms and conditions, pursuant to Recital 32.41 To accommodate small screens or situations with restricted room for information, a layered way of presenting information can be considered, where appropriate, to avoid excessive disturbance of user experience or product design.
72. A controller that relies on consent of the data subject must also deal with the separate information duties laid down in Articles 13 and 14 in order to be compliant with the GDPR. In practice, compliance with the information duties and compliance with the requirement of informed consent may lead to an integrated approach in many cases. However, this section is written in the understanding that valid “informed” consent can exist, even when not all elements of Articles 13 and/or 14 are mentioned in the process of obtaining consent (these points should of course be mentioned in other places, such as the privacy notice of a company). WP29 has issued separate guidelines on the requirement of transparency.
41 See also Recital 42 and Directive 93/13/EC, notably Article 5 (plain intelligible language and in case of doubt, the interpretation will be in favour of consumer) and Article 6 (invalidity of unfair terms, contract continues to exist without these terms only if still sensible, otherwise the whole contract is invalid).
42 Note that when the identity of the controller or the purpose of the processing is not apparent from the first information layer of the layered privacy notice (and are located in further sub-layers), it will be difficult for the data controller to demonstrate that the data subject has given informed consent, unless the data controller can show that the data subject in question accessed that information prior to giving consent.
3.4 Unambiguous indication of wishes
75. The GDPR is clear that consent requires a statement from the data subject or a clear affirmative act, which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing.
76. Article 2(h) of Directive 95/46/EC described consent as an “indication of wishes by which the data subject signifies his agreement to personal data relating to him being processed”. Article 4(11) GDPR builds on this definition, by clarifying that valid consent requires an unambiguous indication by means of a statement or by a clear affirmative action, in line with previous guidance issued by the WP29.
77. A “clear affirmative act” means that the data subject must have taken a deliberate action to consent to the particular processing.43 Recital 32 sets out additional guidance on this. Consent can be collected through a written or (a recorded) oral statement, including by electronic means.
78. Perhaps the most literal way to fulfil the criterion of a “written statement” is to make sure a data subject writes in a letter or types an email to the controller explaining what exactly he/she agrees to. However, this is often not realistic. Written statements can come in many shapes and sizes that could be compliant with the GDPR.
79. Without prejudice to existing (national) contract law, consent can be obtained through a recorded oral statement, although due note must be taken of the information available to the data subject prior to the indication of consent. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service, cannot be regarded as an active indication of choice.
81. A controller must also be aware that consent cannot be obtained through the same motion as agreeing to a contract or accepting general terms and conditions of a service. Blanket acceptance of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data. The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement (for example ‘opt-out boxes’).44
43 See Commission Staff Working Paper, Impact Assessment, Annex 2, p. 20 and also pp. 105-106: “As also pointed out in the opinion adopted by WP29 on consent, it seems essential to clarify that valid consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent, while making clear that – in the context of the on-line environment – the use of default options which the data subject is required to modify in order to reject the processing (‘consent based on silence’) does not in itself constitute unambiguous consent. This would give individuals more control over their own data, whenever processing is based on his/her consent. As regards impact on data controllers, this would not have a major impact as it solely clarifies and better spells out the implications of the current Directive in relation to the conditions for a valid and meaningful consent from the data subject. In particular, to the extent that ‘explicit’ consent would clarify – by replacing “unambiguous” – the modalities and quality of consent and that it is not intended to extend the cases and situations where (explicit) consent should be used as a ground for processing, the impact of this measure on data controllers is not expected to be major.”
82. When consent is to be given following a request by electronic means, the request for consent should not be unnecessarily disruptive to the use of the service for which the consent is provided.45 An active affirmative motion by which the data subject indicates consent can be necessary when a less intrusive or disturbing approach would result in ambiguity. Thus, it may be necessary for a consent request to interrupt the user experience to some extent in order to make that request effective.
83. However, within the requirements of the GDPR, controllers have the liberty to develop a consent flow that suits their organisation. In this regard, physical motions can be qualified as a clear affirmative action in compliance with the GDPR.
84. Controllers should design consent mechanisms in ways that are clear to data subjects. Controllers must avoid ambiguity and must ensure that the action by which consent is given can be distinguished from other actions. Therefore, merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation.
87. In the digital context, many services need personal data to function; hence, data subjects receive multiple consent requests every day that need to be answered through clicks and swipes. This may result in a certain degree of click fatigue: when encountered too many times, the actual warning effect of consent mechanisms diminishes.
88. This results in a situation where consent questions are no longer read. This is a particular risk to data subjects, as, typically, consent is asked for actions that are in principle unlawful without their consent. The GDPR places upon controllers the obligation to develop ways to tackle this issue.
89. An often-mentioned example of a way to do this in the online context is to obtain the consent of Internet users via their browser settings. Such settings should be developed in line with the conditions for valid consent in the GDPR, for instance that consent shall be granular for each of the envisaged purposes and that the information to be provided should name the controllers.
44 See Article 7(2). See also Working Document 02/2013 on obtaining consent for cookies (WP 208), pp. 3-6.
45 See Recital 32 GDPR.
90. In any event, consent must always be obtained before the controller starts processing personal data for which consent is needed. WP29 has consistently held in its opinions that consent should be given prior to the processing activity.46 Although the GDPR does not literally prescribe in Article 4(11) that consent must be given prior to the processing activity, this is clearly implied. The heading of Article 6(1) and the wording “has given” in Article 6(1)(a) support this interpretation. It follows logically from Article 6 and Recital 40 that a valid lawful basis must be present before starting a data processing. Therefore, consent should be given prior to the processing activity. In principle, it can be sufficient to ask for a data subject’s consent once. However, controllers do need to obtain a new and specific consent if purposes for data processing change after consent was obtained or if an additional purpose is envisaged.
4 OBTAINING EXPLICIT CONSENT
91. Explicit consent is required in certain situations where serious data protection risks emerge, hence, where a high level of individual control over personal data is deemed appropriate. Under the GDPR, explicit consent plays a role in Article 9 on the processing of special categories of data, the provisions on data transfers to third countries or international organisations in the absence of adequate safeguards in Article 4947, and in Article 22 on automated individual decision-making, including profiling.48
92. The GDPR prescribes that a “statement or clear affirmative action” is a prerequisite for ‘regular’ consent. As the ‘regular’ consent requirement in the GDPR is already raised to a higher standard compared to the consent requirement in Directive 95/46/EC, it needs to be clarified what extra efforts a controller should undertake in order to obtain the explicit consent of a data subject in line with the GDPR.
93. The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.49
46 WP29 has consistently held this position since Opinion 15/2011 on the definition of consent (WP 187), pp. 30-31.
47 According to Article 49(1)(a) GDPR, explicit consent can lift the ban on data transfers to countries without adequate levels of data protection law. Also note Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995 (WP 114), p. 11, where WP29 has indicated that consent for data transfers that occur periodically or on an on-going basis is inappropriate.
48 In Article 22, the GDPR introduces provisions to protect data subjects against decision-making based solely on automated processing, including profiling. Decisions made on this basis are allowed under certain legal conditions. Consent plays a key role in this protection mechanism, as Article 22(2)(c) GDPR makes clear that a controller may proceed with automated decision-making, including profiling, that may significantly affect the individual, with the data subject’s explicit consent. WP29 has produced separate guidelines on this issue: WP29 Guidelines on Automated decision-making and Profiling for the purposes of Regulation 2016/679, 3 October 2017 (WP 251).
94. However, such a signed statement is not the only way to obtain explicit consent, and it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent; however, it may be difficult for the controller to prove that all conditions for valid explicit consent were met when the statement was recorded.
95. An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).
98. Two-stage verification of consent can also be a way to make sure explicit consent is valid. For example, a data subject receives an email notifying them of the controller’s intent to process a record containing medical data. The controller explains in the email that it asks for consent for the use of a specific set of information for a specific purpose. If the data subject agrees to the use of this data, the controller asks him or her for an email reply containing the statement ‘I agree’. After the reply is sent, the data subject receives a verification link that must be clicked, or an SMS message with a verification code, to confirm agreement.
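The two-stage flow in paragraph 98, worked through as an added illustration (this is not code from the guidelines or from any supervisory authority). It assumes a small service that holds one pending request per data subject and purpose: stage one accepts only a reply whose first non-quoted line is the statement ‘I agree’, stage two issues a one-time code to be delivered out of band (SMS or a link) and counts consent as given only when that code comes back unexpired. The 15-minute code lifetime and the three-attempt limit are assumptions, not figures from the guidelines.

```python
"""Two-stage verification of explicit consent (e-mail statement, then one-time code).
Added illustration; class and function names, the code lifetime and the attempt limit
are assumptions, not anything prescribed by the GDPR or the guidelines."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

CODE_TTL = timedelta(minutes=15)   # assumed lifetime of a verification code
MAX_ATTEMPTS = 3                   # assumed limit on wrong-code attempts per code


@dataclass
class ConsentRequest:
    subject_id: str
    purpose: str                # the specific purpose consent is asked for
    data_categories: tuple      # the specific set of information (e.g. medical data)
    notice_text: str            # verbatim copy of the explanation sent to the data subject
    statement_at: Optional[datetime] = None   # when the 'I agree' reply was received
    code_hash: Optional[str] = None           # SHA-256 of the pending one-time code
    code_expires: Optional[datetime] = None
    confirmed_at: Optional[datetime] = None   # set only after stage two succeeds
    attempts: int = 0


def is_explicit_agreement(reply_body: str) -> bool:
    """True if the first non-empty, non-quoted line of the reply is exactly 'I agree'."""
    for line in reply_body.splitlines():
        line = line.strip()
        if not line or line.startswith(">"):
            continue                      # skip blank lines and quoted text of the original mail
        return line.rstrip(".!").casefold() == "i agree"
    return False


class TwoStageConsent:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.clock = clock                # injectable for tests
        self.requests: Dict[str, ConsentRequest] = {}

    def open_request(self, subject_id: str, purpose: str, data_categories, notice_text: str) -> str:
        req_id = secrets.token_urlsafe(8)
        self.requests[req_id] = ConsentRequest(subject_id, purpose, tuple(data_categories), notice_text)
        return req_id

    def receive_statement(self, req_id: str, reply_body: str) -> Optional[str]:
        """Stage one: returns the code to send out of band, or None if the reply is not explicit."""
        req = self.requests[req_id]
        if req.confirmed_at is not None or not is_explicit_agreement(reply_body):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        req.statement_at = self.clock()
        req.code_hash = hashlib.sha256(code.encode()).hexdigest()
        req.code_expires = req.statement_at + CODE_TTL
        req.attempts = 0
        return code

    def confirm(self, req_id: str, code: str) -> bool:
        """Stage two: consent counts as given only when a fresh, correct code is presented."""
        req = self.requests[req_id]
        now = self.clock()
        if req.code_hash is None or req.confirmed_at is not None:
            return False
        if now > req.code_expires or req.attempts >= MAX_ATTEMPTS:
            req.code_hash = None          # stale or exhausted code: the subject must restate
            return False
        req.attempts += 1
        presented = hashlib.sha256(code.strip().encode()).hexdigest()
        if not hmac.compare_digest(presented, req.code_hash):
            return False
        req.confirmed_at = now
        req.code_hash = None              # single use
        return True

    def has_explicit_consent(self, req_id: str) -> bool:
        req = self.requests[req_id]
        return req.statement_at is not None and req.confirmed_at is not None
```

The request object keeps the verbatim notice text and the timestamps of both stages, which is the evidence the controller later needs to show that the statement was informed and explicit; the code is stored only as a hash and compared in constant time, so the record cannot be replayed by whoever reads the store.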
99. Article 9(2) does not recognize “necessary for the performance of a contract” as an exception to the general prohibition to process special categories of data. Therefore, controllers and Member States that deal with this situation should explore the specific exceptions in Article 9(2) subparagraphs (b) to (j). Should none of the exceptions (b) to (j) apply, obtaining explicit consent in accordance with the conditions for valid consent in the GDPR remains the only possible lawful exception to process such data.
49 See also WP29 Opinion 15/2011, on the definition of consent (WP 187), p. 25.
50 This example is without prejudice to EU Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
102. In order to be able to provide its customised products to customers who are short-sighted, this controller requests consent for the use of information on customers’ eye condition. Customers provide the necessary health data, such as their prescription data, online when they place their order. Without this, it is not possible to provide the requested customised eyewear. The company also offers a series of goggles with standardised correctional values. Customers that do not wish to share health data could opt for the standard versions. Therefore, explicit consent under Article 9 is required, and consent can be considered to be freely given.
5 ADDITIONAL CONDITIONS FOR OBTAINING VALID CONSENT
103. The GDPR introduces requirements for controllers to make additional arrangements to ensure they obtain, maintain and are able to demonstrate valid consent. Article 7 of the GDPR sets out these additional conditions for valid consent, with specific provisions on keeping records of consent and the right to easily withdraw consent. Article 7 also applies to consent referred to in other articles of the GDPR, e.g. Articles 8 and 9. Guidance on the additional requirement to demonstrate valid consent and on withdrawal of consent is provided below.
5.1 Demonstrate consent
104. In Article 7(1), the GDPR clearly outlines the explicit obligation of the controller to demonstrate a data subject’s consent. The burden of proof will be on the controller, according to Article 7(1).
105. Recital 42 states: “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
106. Controllers are free to develop methods to comply with this provision in a way that is fitting in their daily operations. At the same time, the duty to demonstrate that valid consent has been obtained by a controller, should not in itself lead to excessive amounts of additional data processing. This means that controllers should have enough data to show a link to the processing (to show consent was obtained) but they shouldn’t be collecting any more information than necessary.
107. It is up to the controller to prove that valid consent was obtained from the data subject. The GDPR does not prescribe exactly how this must be done. However, the controller must be able to prove that a data subject in a given case has consented. As long as the data processing activity in question lasts, the obligation to demonstrate consent exists. After the processing activity ends, proof of consent should be kept no longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims, in accordance with Article 17(3)(b) and (e).
108. For instance, the controller may keep a record of consent statements received, so that it can show how consent was obtained, when consent was obtained and what information was provided to the data subject at the time. The controller shall also be able to show that the data subject was informed and that the controller’s workflow met all relevant criteria for valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable with regard to obtaining valid consent from data subjects and the consent mechanisms they have put in place. For example, in an online context, a controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time. It would not be sufficient to merely refer to a correct configuration of the respective website.
110. There is no specific time limit in the GDPR for how long consent will last. How long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject. If the processing operations change or evolve considerably then the original consent is no longer valid. If this is the case, then new consent needs to be obtained.
111. The EDPB recommends as a best practice that consent should be refreshed at appropriate intervals. Providing all the information again helps to ensure the data subject remains well informed about how their data is being used and how to exercise their rights.51
5.2 Withdrawal of consent
112. Withdrawal of consent is given a prominent place in the GDPR. The provisions and recitals on withdrawal of consent in the GDPR can be regarded as codification of the existing interpretation of this matter in WP29 Opinions.52
113. Article 7(3) of the GDPR prescribes that the controller must ensure that consent can be withdrawn by the data subject as easily as it was given, and at any given time. The GDPR does not say that giving and withdrawing consent must always be done through the same action.
114. However, when consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally as easily. Where consent is obtained through use of a service-specific user interface (for example, via a website, an app, a log-on account, the interface of an IoT device or by e-mail), there is no doubt a data subject must be able to withdraw consent via the same electronic interface, as switching to another interface for the sole reason of withdrawing consent would require undue effort. Furthermore, the data subject should be able to withdraw his/her consent without detriment. This means, inter alia, that a controller must make withdrawal of consent possible free of charge or without lowering service levels.53
51 See Article 29 Working Party guidelines on transparency under Regulation 2016/679 WP260 rev.01 – endorsed by the EDPB.
52 WP29 has discussed this subject in their Opinion on consent (see Opinion 15/2011 on the definition of consent (WP 187), pp. 9, 13, 20, 27 and 32-33) and, inter alia, their Opinion on the use of location data (see Opinion 5/2005 on the use of location data with a view to providing value-added services (WP 115), p. 7).
116. The requirement of an easy withdrawal is described as a necessary aspect of valid consent in the GDPR. If the withdrawal right does not meet the GDPR requirements, then the consent mechanism of the controller does not comply with the GDPR. As mentioned in section 3.1 on the condition of informed consent, the controller must inform the data subject of the right to withdraw consent prior to actually giving consent, pursuant to Article 7(3) of the GDPR. Additionally, the controller must as part of the transparency obligation inform the data subjects on how to exercise their rights.54
117. As a general rule, if consent is withdrawn, all data processing operations that were based on consent and took place before the withdrawal of consent – and in accordance with the GDPR – remain lawful, however, the controller must stop the processing actions concerned. If there is no other lawful basis justifying the processing (e.g. further storage) of the data, they should be deleted by the controller.55
118. As mentioned earlier in these guidelines, it is very important that controllers assess the purposes for which data is actually processed and the lawful grounds on which it is based prior to collecting the data. Often companies need personal data for several purposes, and the processing is based on more than one lawful basis, e.g. customer data may be based on contract and consent. Hence, a withdrawal of consent does not mean a controller must erase data that are processed for a purpose that is based on the performance of the contract with the data subject. Controllers should therefore be clear from the outset about which purpose applies to each element of data and which lawful basis is being relied upon.
53 See also WP29 Opinion 4/2010 on the European code of conduct of FEDMA for the use of personal data in direct marketing (WP 174) and the Opinion on the use of location data with a view to providing value-added services (WP 115).
54 Recital 39 GDPR, which refers to Articles 13 and 14 of that Regulation, states that “natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.”
55 See Article 17(1)(b) and (3) GDPR.
119. Controllers have an obligation to delete data that was processed on the basis of consent once that consent is withdrawn, assuming that there is no other purpose justifying the continued retention.56 Besides this situation, covered in Article 17 (1)(b), an individual data subject may request erasure of other data concerning him that is processed on another lawful basis, e.g. on the basis of Article 6(1)(b).57 Controllers are obliged to assess whether continued processing of the data in question is appropriate, even in the absence of an erasure request by the data subject.58
120. In cases where the data subject withdraws his/her consent and the controller wishes to continue to process the personal data on another lawful basis, they cannot silently migrate from consent (which is withdrawn) to this other lawful basis. Any change in the lawful basis for processing must be notified to a data subject in accordance with the information requirements in Articles 13 and 14 and under the general principle of transparency.
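How the record-keeping of paragraph 108, the withdrawal parity of paragraphs 113 and 114, and the purpose-by-purpose separation of paragraphs 117 to 120 fit together in one data model, as an added illustration that is not code from the guidelines or from any supervisory authority. It assumes a per-purpose ledger in which each purpose carries the lawful basis decided before collection: consent events store the session, the workflow version and the exact notice shown; withdrawal closes only the consent-based purposes, so data still needed for a contract-based purpose is kept and everything else is flagged for erasure; and a separate check flags a withdrawal path that needs more steps, fewer interfaces or a fee compared with giving consent. Purpose names, field names and the sample data are constructed.

```python
"""Per-purpose consent ledger with evidence, withdrawal and erasure decisions.
Added illustration; names and structure are assumptions, not a prescribed format."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Purpose:
    name: str
    lawful_basis: str      # fixed before collection (para. 123), e.g. "consent" or "contract"


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    action: str            # "given" or "withdrawn"
    at: datetime
    session_id: str        # the session in which the choice was expressed (para. 108)
    workflow_version: str  # documentation of the consent workflow at that time
    notice_sha256: str     # fingerprint of the exact information presented
    interface: str         # "web", "app", "email", ... where the choice was made


class ConsentLedger:
    def __init__(self, purposes: Iterable[Purpose],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.purposes: Dict[str, Purpose] = {p.name: p for p in purposes}
        self.clock = clock
        self.events: List[ConsentEvent] = []
        self.notices: Dict[str, str] = {}   # sha256 -> verbatim notice text, kept as evidence

    def give(self, purpose: str, session_id: str, workflow_version: str,
             notice_text: str, interface: str) -> ConsentEvent:
        if self.purposes[purpose].lawful_basis != "consent":
            raise ValueError(f"{purpose!r} was not declared as a consent-based purpose")
        digest = hashlib.sha256(notice_text.encode()).hexdigest()
        self.notices.setdefault(digest, notice_text)
        ev = ConsentEvent(purpose, "given", self.clock(), session_id, workflow_version, digest, interface)
        self.events.append(ev)
        return ev

    def withdraw(self, purpose: str, session_id: str, interface: str) -> Optional[ConsentEvent]:
        last = self._latest(purpose)
        if last is None or last.action != "given":
            return None                     # nothing to withdraw
        ev = ConsentEvent(purpose, "withdrawn", self.clock(), session_id,
                          last.workflow_version, last.notice_sha256, interface)
        self.events.append(ev)
        return ev

    def _latest(self, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self.events):
            if ev.purpose == purpose:
                return ev
        return None

    def may_process(self, purpose: str) -> bool:
        """Consent gate only: a purpose on another basis (e.g. contract) is not touched by
        withdrawal (para. 118); its own basis must of course hold independently."""
        if self.purposes[purpose].lawful_basis != "consent":
            return True
        last = self._latest(purpose)
        return last is not None and last.action == "given"

    def evidence(self, purpose: str) -> List[dict]:
        """Full history for the purpose, with the notice text, so processing that took
        place before a withdrawal can still be shown to have been lawful (para. 117)."""
        return [{"action": ev.action, "at": ev.at.isoformat(), "session_id": ev.session_id,
                 "workflow_version": ev.workflow_version, "interface": ev.interface,
                 "notice_text": self.notices[ev.notice_sha256]}
                for ev in self.events if ev.purpose == purpose]

    def items_to_erase(self, data_items: Dict[str, Set[str]]) -> List[str]:
        """Data items none of whose purposes may still be processed (Article 17(1)(b))."""
        return sorted(item for item, used_for in data_items.items()
                      if not any(self.may_process(p) for p in used_for))


def withdrawal_parity_issues(give_steps: int, withdraw_steps: int, give_interfaces: Iterable[str],
                             withdraw_interfaces: Iterable[str], withdrawal_fee: float) -> List[str]:
    """Flags a withdrawal path that is harder than giving consent (paras. 113-114)."""
    issues = []
    if withdraw_steps > give_steps:
        issues.append("withdrawal takes more steps than giving consent")
    missing = set(give_interfaces) - set(withdraw_interfaces)
    if missing:
        issues.append("no withdrawal via: " + ", ".join(sorted(missing)))
    if withdrawal_fee > 0:
        issues.append("withdrawal is not free of charge")
    return issues
```

Two design points follow directly from the text: `give` refuses a purpose whose basis was not declared as consent, which is the model-level expression of “cannot swap from consent to other lawful bases”, and `evidence` never drops the ‘given’ event when a ‘withdrawn’ event follows it, because the controller still has to demonstrate the consent that covered the processing carried out in between.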
6 INTERACTION BETWEEN CONSENT AND OTHER LAWFUL GROUNDS IN ARTICLE 6 GDPR
121. Article 6 sets the conditions for a lawful personal data processing and describes six lawful bases on which a controller can rely. The application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose.59
122. It is important to note here that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals.
123. In other words, the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Because of the requirement to disclose the lawful basis, which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful basis is.
7 SPECIFIC AREAS OF CONCERN IN THE GDPR
7.1 Children (Article 8)
124. Compared to the current directive, the GDPR creates an additional layer of protection where personal data of vulnerable natural persons, especially children, are processed. Article 8 introduces additional obligations to ensure an enhanced level of data protection of children in relation to information society services. The reasons for the enhanced protection are specified in Recital 38: “[…] they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data […]” Recital 38 also states that “Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.” The words ‘in particular’ indicate that the specific protection is not confined to marketing or profiling but includes the wider ‘collection of personal data with regard to children’.
56 In that case, the other purpose justifying the processing must have its own separate legal basis. This does not mean the controller can swap from consent to another lawful basis, see section 6 below.
57 See Article 17, including exceptions that may apply, and Recital 65 GDPR.
58 See also Article 5(1)(e) GDPR.
59 Pursuant to Articles 13(1)(c) and/or 14(1)(c), the controller must inform the data subject thereof.
125. Article 8(1) states that where consent applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.60 Regarding the age limit for valid consent, the GDPR provides flexibility: Member States can provide by law for a lower age, but this age cannot be below 13 years.
126. As mentioned in section 3.1. on informed consent, the information shall be understandable to the audience addressed by the controller, paying particular attention to the position of children. In order to obtain “informed consent” from a child, the controller must explain in language that is clear and plain for children how it intends to process the data it collects.61 If it is the parent that is supposed to consent, then a set of information may be required that allows adults to make an informed decision.
127. It is clear from the foregoing that Article 8 shall only apply when the following conditions are met:
• The processing is related to the offer of information society services directly to a child.62, 63
• The processing is based on consent.
7.1.1 Information society service
128. To determine the scope of the term ‘information society service’ in the GDPR, reference is made in Article 4(25) GDPR to Directive 2015/1535.
60 Without prejudice to the possibility of Member State law to derogate from the age limit, see Article 8(1).
61 Recital 58 GDPR re-affirms this obligation, in stating that, where appropriate, a controller should make sure the information provided is understandable for children.
62 According to Article 4(25) GDPR an information society service means a service as defined in point (b) of Article 1(1) of Directive 2015/1535: “(b) ‘service’ means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition: (i) ‘at a distance’ means that the service is provided without the parties being simultaneously present; (ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; (iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.” An indicative list of services not covered by this definition is set out in Annex I of the said Directive. See also Recital 18 of Directive 2000/31.
63 According to the UN Convention on the Protection of the Child, Article 1, “[…] a child means every human being below the age of eighteen years unless under the law applicable to the child, majority is attained earlier,” see United Nations, General Assembly Resolution 44/25 of 20 November 1989 (Convention on the Rights of the Child).
129. While assessing the scope of this definition, the EDPB also refers to case law of the ECJ.64 The ECJ held that information society services cover contracts and other services that are concluded or transmitted on-line. Where a service has two economically independent components, one being the online component, such as the offer and the acceptance of an offer in the context of the conclusion of a contract or the information relating to products or services, including marketing activities, this component is defined as an information society service; the other component, being the physical delivery or distribution of goods, is not covered by the notion of an information society service. The online delivery of a service would fall within the scope of the term information society service in Article 8 GDPR.
7.1.2 Offered directly to a child
130. The inclusion of the wording ‘offered directly to a child’ indicates that Article 8 is intended to apply to some, not all information society services. In this respect, if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over, and this is not undermined by other evidence (such as the content of the site or marketing plans) then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.
7.1.3 Age
131. The GDPR specifies that “Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.” The controller must be aware of those different national laws, taking into account the public targeted by its services. In particular, it should be noted that a controller providing a cross-border service cannot always rely on complying with only the law of the Member State in which it has its main establishment, but may need to comply with the respective national laws of each Member State in which it offers the information society service(s). This depends on whether a Member State chooses to use the place of main establishment of the controller as a point of reference in its national law, or the residence of the data subject. First of all, the Member States shall consider the best interests of the child when making their choice. The Working Group encourages the Member States to search for a harmonised solution in this matter.
132. When providing information society services to children on the basis of consent, controllers will be expected to make reasonable efforts to verify that the user is over the age of digital consent, and these measures should be proportionate to the nature and risks of the processing activities.
133. If the users state that they are over the age of digital consent then the controller can carry out appropriate checks to verify that this statement is true. Although the need to undertake reasonable efforts to verify age is not explicit in the GDPR it is implicitly required, for if a child gives consent while not old enough to provide valid consent on their own behalf, then this will render the processing of data unlawful.
134. If the user states that he/she is below the age of digital consent then the controller can accept this statement without further checks, but will need to go on to obtain parental authorisation and verify that the person providing that consent is a holder of parental responsibility.
64 See European Court of Justice, 2 December 2010 Case C-108/09, (Ker-Optika), paragraphs 22 and 28. In relation to ‘composite services’, the EDPB also refers to Case C-434/15 (Asociacion Profesional Elite Taxi v Uber Systems Spain SL), para 40, which states that an information society service forming an integral part of an overall service whose main component is not an information society service (in this case a transport service), must not be qualified as ‘an information society service’.
135. Age verification should not lead to excessive data processing. The mechanism chosen to verify the age of a data subject should involve an assessment of the risk of the proposed processing. In some low-risk situations, it may be appropriate to require a new subscriber to a service to disclose their year of birth or to fill out a form stating they are (not) a minor.65 If doubts arise, the controller should review their age verification mechanisms in a given case and consider whether alternative checks are required.66
7.1.4 Children’s consent and parental responsibility
136. Regarding the authorisation of a holder of parental responsibility, the GDPR does not specify practical ways to gather the parent’s consent or to establish that someone is entitled to perform this action.67 Therefore, the EDPB recommends the adoption of a proportionate approach, in line with Article 8(2) GDPR and Article 5(1)(c) GDPR (data minimisation). A proportionate approach may be to focus on obtaining a limited amount of information, such as contact details of a parent or guardian.
137. What is reasonable, both in terms of verifying that a user is old enough to provide their own consent, and in terms of verifying that a person providing consent on behalf of a child is a holder of parental responsibility, may depend upon the risks inherent in the processing as well as the available technology. In low-risk cases, verification of parental responsibility via email may be sufficient. Conversely, in high-risk cases, it may be appropriate to ask for more proof, so that the controller is able to verify and retain the information pursuant to Article 7(1) GDPR.68 Trusted third party verification services may offer solutions, which minimise the amount of personal data the controller has to process itself.
65 Although this may not be a watertight solution in all cases, it is one example of a way to deal with this provision.
66 See WP29 Opinion 5/2009 on social networking services (WP 163).
67 WP29 notes that it is not always the case that the holder of parental responsibility is the natural parent of the child, and that parental responsibility can be held by multiple parties, which may include legal as well as natural persons.
68 For example, a parent or guardian could be asked to make a payment of €0,01 to the controller via a bank transaction, including a brief confirmation in the description line of the transaction that the bank account holder is a holder of parental responsibility over the user. Where appropriate, an alternative method of verification should be provided to prevent undue discriminatory treatment of persons that do not have a bank account.
144. The example shows that the controller can put itself in a position to show that reasonable efforts have been made to ensure that valid consent has been obtained, in relation to the services provided to a child. Article 8(2) particularly adds that “The controller shall make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”
145. It is up to the controller to determine what measures are appropriate in a specific case. As a general rule, controllers should avoid verification solutions which themselves involve excessive collection of personal data.
146. The EDPB acknowledges that there may be cases where verification is challenging (for example where children providing their own consent have not yet established an ‘identity footprint’, or where parental responsibility is not easily checked). This can be taken into account when deciding what efforts are reasonable, but controllers will also be expected to keep their processes and the available technology under constant review.
147. With regard to the data subject’s autonomy to consent to the processing of their personal data and have full control over the processing, consent by a holder of parental responsibility or authorized by a holder of parental responsibility for the processing of personal data of children can be confirmed, modified or withdrawn, once the data subject reaches the age of digital consent.
148. In practice, this means that if the child does not take any action, consent given by a holder of parental responsibility or authorized by a holder of parental responsibility for the processing of personal data given prior to the age of digital consent, will remain a valid ground for processing.
149. After reaching the age of digital consent, the child will have the possibility to withdraw the consent himself, in line with Article 7(3). In accordance with the principles of fairness and accountability, the controller must inform the child about this possibility.69
150. It is important to point out that, in accordance with Recital 38, consent by a parent or guardian is not required in the context of preventive or counselling services offered directly to a child. For example, the provision of child protection services offered online to a child by means of an online chat service does not require prior parental authorisation.
151. Finally, the GDPR states that the rules concerning parental authorisation requirements vis-à-vis minors shall not interfere with “the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child”. The requirements for valid consent for the use of data about children are therefore part of a legal framework that must be regarded as separate from national contract law, and this guidance paper does not deal with the question whether it is lawful for a minor to conclude online contracts. Both legal regimes may apply simultaneously, and the scope of the GDPR does not include harmonisation of national provisions of contract law.
69 Also, data subjects should be aware of the right to be forgotten as laid down in Article 17, which is in particular relevant for consent given when the data subject was still a child, see recital 63.
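The age-gate and parental-authorisation flow described in paragraphs 132 to 149 is easy to get wrong in two directions: collecting more identity data than the risk justifies, or treating a self-declared year of birth as more precise than it is. The following is an added example (not from the EDPB guidelines or any supervisory authority) of a data-minimising implementation in Python. The two-letter Member State codes and thresholds in the table are placeholders, an assumption of this example and not a statement of any national law; the GDPR bounds (16 by default, never below 13) are real. It records only the year of birth, who gave the consent, how that person was verified and when, so that the controller can meet Article 7(1), and it lets a child withdraw parental consent once they reach the age of digital consent.

```python
from dataclasses import dataclass
from datetime import date, datetime
from enum import Enum
from typing import Optional

# Article 8(1) GDPR: the age of digital consent is 16 unless national law
# sets a lower age, which may not be below 13.
GDPR_DEFAULT_AGE = 16
GDPR_MINIMUM_AGE = 13

# Placeholder table (an assumption of this example): the codes and thresholds
# are NOT real Member States or real national laws. A controller must load the
# actual figure for every Member State in which it offers the service.
NATIONAL_AGE_OF_DIGITAL_CONSENT = {"AA": 13, "BB": 14, "CC": 16}


def age_of_digital_consent(member_state: str) -> int:
    """Applicable threshold for a Member State, defaulting to the GDPR's 16."""
    age = NATIONAL_AGE_OF_DIGITAL_CONSENT.get(member_state, GDPR_DEFAULT_AGE)
    if not GDPR_MINIMUM_AGE <= age <= GDPR_DEFAULT_AGE:
        # A misconfigured table makes every decision wrong: refuse to operate.
        raise ValueError(f"{member_state}: {age} is outside the Article 8(1) range")
    return age


class AgeCheck(Enum):
    OVER = "over"            # the user may give consent themselves
    UNDER = "under"          # parental authorisation is required
    AMBIGUOUS = "ambiguous"  # year of birth alone cannot decide; ask for more


def check_year_of_birth(year_of_birth: int, member_state: str, today: date) -> AgeCheck:
    """Low-risk check from the year of birth only (no full date of birth).
    Given only a year, the true age lies in [max_age - 1, max_age]; if the
    threshold falls inside that range the controller must check further."""
    threshold = age_of_digital_consent(member_state)
    max_age = today.year - year_of_birth
    min_age = max_age - 1
    if min_age >= threshold:
        return AgeCheck.OVER
    if max_age < threshold:
        return AgeCheck.UNDER
    return AgeCheck.AMBIGUOUS


class Giver(Enum):
    DATA_SUBJECT = "data_subject"
    PARENT = "holder_of_parental_responsibility"


@dataclass
class ConsentRecord:
    """What is retained to demonstrate valid consent (Article 7(1)): who gave
    it, how that person was verified, and when. Only the year of birth is kept."""
    subject_id: str
    member_state: str
    year_of_birth: int
    given_by: Giver
    verification_method: str   # e.g. "self-declaration", "email", "bank-transfer"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def subject_may_withdraw(self, today: date) -> bool:
        """Consent given by a parent can be withdrawn by the child once the
        child has reached the age of digital consent."""
        if self.given_by is Giver.DATA_SUBJECT:
            return True
        return check_year_of_birth(self.year_of_birth, self.member_state, today) is AgeCheck.OVER

    def withdraw(self, by: Giver, today: date, now: datetime) -> None:
        # A holder of parental responsibility may withdraw at any time.
        if by is Giver.DATA_SUBJECT and not self.subject_may_withdraw(today):
            raise PermissionError("data subject has not yet reached the age of digital consent")
        self.withdrawn_at = now


def register_consent(subject_id: str, member_state: str, year_of_birth: int,
                     today: date, now: datetime,
                     parental_verification: Optional[str] = None) -> Optional[ConsentRecord]:
    """Returns a record, or None when the year-of-birth check is ambiguous and a
    further check is needed before processing starts. A user under the
    threshold needs a verified parental authorisation (method named by caller)."""
    result = check_year_of_birth(year_of_birth, member_state, today)
    if result is AgeCheck.AMBIGUOUS:
        return None
    if result is AgeCheck.OVER:
        return ConsentRecord(subject_id, member_state, year_of_birth,
                             Giver.DATA_SUBJECT, "self-declaration", now)
    if not parental_verification:
        raise ValueError("parental authorisation required but not verified")
    return ConsentRecord(subject_id, member_state, year_of_birth,
                         Giver.PARENT, parental_verification, now)
```

The AMBIGUOUS branch is the point of the year-only design: a person born in 2009 asked in 2025 may be 15 or 16, so the service asks for a second, more precise check only for that cohort rather than collecting a full date of birth from everyone. The `verification_method` string is where a higher-risk service would record the stronger parental check it chose (the bank-transfer method in footnote 68, a trusted third party, and so on); the record, not the evidence itself, is what needs to be kept.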
7.2 Scientific research
153. The definition of scientific research purposes has substantial ramifications for the range of data processing activities a controller may undertake. The term ‘scientific research’ is not defined in the GDPR. Recital 159 states “(…) For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner. (…)”; however, the EDPB considers that the notion may not be stretched beyond its common meaning and understands ‘scientific research’ in this context to mean a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice.
154. When consent is the legal basis for conducting research in accordance with the GDPR, this consent for the use of personal data should be distinguished from other consent requirements that serve as an ethical standard or procedural obligation. An example of such a procedural obligation, where the processing is based not on consent but on another legal basis, is to be found in the Clinical Trials Regulation. In the context of data protection law, the latter form of consent could be considered as an additional safeguard.70 At the same time, the GDPR does not restrict the application of Article 6 to consent alone, with regard to processing data for research purposes. As long as appropriate safeguards are in place, such as the requirements under Article 89(1), and the processing is fair, lawful, transparent and accords with data minimisation standards and individual rights, other lawful bases such as Article 6(1)(e) or (f) may be available.71 This also applies to special categories of data pursuant to the derogation of Article 9(2)(j).72
155. Recital 33 seems to bring some flexibility to the degree of specification and granularity of consent in the context of scientific research. Recital 33 states: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”
156. First, it should be noted that Recital 33 does not disapply the obligations with regard to the requirement of specific consent. This means that, in principle, scientific research projects can only include personal data on the basis of consent if they have a well-described purpose. For the cases where purposes for data processing within a scientific research project cannot be specified at the outset, Recital 33 allows as an exception that the purpose may be described at a more general level.
157. Considering the strict conditions stated by Article 9 GDPR regarding the processing of special categories of data, the EDPB notes that when special categories of data are processed on the basis of explicit
70 See also Recital 161 of the GDPR.
71 Article 6(1)(c) may also be applicable for parts of the processing operations specifically required by law, such as gathering reliable and robust data following the protocol as approved by the Member State under the Clinical Trial Regulation.
72 Specific testing of medicinal products may take place on the basis of an EU or national law pursuant to Article 9(2)(i).
consent, applying the flexible approach of Recital 33 will be subject to a stricter interpretation and requires a high degree of scrutiny.
158. When regarded as a whole, the GDPR cannot be interpreted to allow for a controller to navigate around the key principle of specifying purposes for which consent of the data subject is asked.
159. When research purposes cannot be fully specified, a controller must seek other ways to ensure the essence of the consent requirements are served best, for example, to allow data subjects to consent for a research purpose in more general terms and for specific stages of a research project that are already known to take place at the outset. As the research advances, consent for subsequent steps in the project can be obtained before that next stage begins. Yet, such a consent should still be in line with the applicable ethical standards for scientific research.
160. Moreover, the controller may apply further safeguards in such cases. Article 89(1), for example, highlights the need for safeguards in data processing activities for scientific, historical or statistical purposes. These purposes “shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject.” Data minimisation, anonymisation and data security are mentioned as possible safeguards.73 Anonymisation is the preferred solution as soon as the purpose of the research can be achieved without the processing of personal data.
161. Transparency is an additional safeguard when the circumstances of the research do not allow for a specific consent. A lack of purpose specification may be offset by information on the development of the purpose being provided regularly by controllers as the research project progresses so that, over time, the consent will be as specific as possible. When doing so, the data subject has at least a basic understanding of the state of play, allowing him/her to assess whether or not to use, for example, the right to withdraw consent pursuant to Article 7(3).74
162. Also, having a comprehensive research plan available for data subjects to take note of, before they consent could help to compensate a lack of purpose specification.75 This research plan should specify the research questions and working methods envisaged as clearly as possible. The research plan could also contribute to compliance with Article 7(1), as controllers need to show what information was
73 See for example Recital 156. The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials, see Recital 156, mentioning Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use. See also WP29 Opinion 15/2011 on the definition of consent (WP 187), p. 7: “Moreover, obtaining consent does not negate the controller’s obligations under Article 6 with regard to fairness, necessity and proportionality, as well as data quality. For instance, even if the processing of personal data is based on the consent of the user, this would not legitimise the collection of data which is excessive in relation to a particular purpose.” […] As a principle, consent should not be seen as an exemption from the other data protection principles, but as a safeguard. It is primarily a ground for lawfulness, and it does not waive the application of other principles.”
74 Other transparency measures may also be relevant. When controllers engage in data processing for scientific purposes, while full information cannot be provided at the outset, they could designate a specific contact person for data subjects to address with questions.
75 Such a possibility can be found in Article 14(1) of the current Personal Data Act of Finland (Henkilötietolaki, 523/1999).
available to data subjects at the time of consent in order to be able to demonstrate that consent is valid.
163. It is important to recall that where consent is being used as the lawful basis for processing, there must be a possibility for a data subject to withdraw that consent. The EDPB notes that withdrawal of consent could undermine types of scientific research that require data that can be linked to individuals; however, the GDPR is clear that consent can be withdrawn and controllers must act upon this, and there is no exemption from this requirement for scientific research. If a controller receives a withdrawal request, it must in principle delete the personal data straight away if it wishes to continue to use the data for the purposes of the research.76
7.3 Data subject’s rights
164. If a data processing activity is based on a data subject’s consent, this will affect that individual’s rights. Data subjects may have the right to data portability (Article 20) when processing is based on consent. At the same time, the right to object (Article 21) does not apply when processing is based on consent, although the right to withdraw consent at any time may provide a similar outcome.
165. Articles 16 to 20 of the GDPR indicate that (when data processing is based on consent), data subjects have the right to erasure when consent has been withdrawn and the rights to restriction, rectification and access.77
8 CONSENT OBTAINED UNDER DIRECTIVE 95/46/EC
166. Controllers that currently process data on the basis of consent in compliance with national data protection law are not automatically required to completely refresh all existing consent relations with data subjects in preparation for the GDPR. Consent obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR.
167. It is important for controllers to review current work processes and records in detail, before 25 May 2018, to be sure existing consents meet the GDPR standard (see Recital 171 of the GDPR78). In practice, the GDPR raises the bar with regard to implementing consent mechanisms and introduces several new
76 See also WP29 Opinion 05/2014 on “Anonymisation Techniques” (WP216).
77 In cases where certain data processing activities are restricted in accordance with Article 18, GDPR, consent of the data subject may be needed to lift restrictions.
78 Recital 171 GDPR states: “Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.”
requirements that require controllers to alter consent mechanisms, rather than rewriting privacy policies alone.79
168. For example, as the GDPR requires that a controller must be able to demonstrate that valid consent was obtained, all presumed consents of which no records are kept will automatically fall below the consent standard of the GDPR and will need to be renewed. Likewise, as the GDPR requires a “statement or a clear affirmative action”, all presumed consents that were based on a more implied form of action by the data subject (e.g. a pre-ticked opt-in box) will also not meet the GDPR standard of consent.
169. Furthermore, to be able to demonstrate that consent was obtained or to allow for more granular indications of the data subject’s wishes, operations and IT systems may need revision. Also, mechanisms for data subjects to withdraw their consent easily must be available and information about how to withdraw consent must be provided. If existing procedures for obtaining and managing consent do not meet the GDPR’s standards, controllers will need to obtain fresh GDPR compliant consent.
170. On the other hand, as not all elements named in Articles 13 and 14 must always be present as a condition for informed consent, the extended information obligations under the GDPR do not necessarily oppose the continuity of consent, which has been granted before the GDPR enters into force (see page 15 above). Under Directive 95/46/EC, there was no requirement to inform data subjects of the basis upon which the processing was being conducted.
171. If a controller finds that the consent previously obtained under the old legislation will not meet the standard of GDPR consent, then the controller must take action to comply with these standards, for example by refreshing consent in a GDPR-compliant way. Under the GDPR, it is not possible to swap between one lawful basis and another. If a controller is unable to renew consent in a compliant way and is also unable (as a one-off situation) to make the transition to GDPR compliance by basing data processing on a different lawful basis while ensuring that continued processing is fair and accounted for, the processing activities must be stopped. In any event, the controller needs to observe the principles of lawful, fair and transparent processing.
79 As indicated in the introduction, the GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. Many of the new requirements build upon Opinion 15/2011 on consent.
EDPB Contractual Necessity
Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects
Version 2.0
8 October 2019
Version history
Version 2.0 8 October 2019 Adoption of the Guidelines after public consultation
Version 1.0 9 April 2019 Adoption of the Guidelines for public consultation
1 Part 1 – Introduction
1.1 Background
1.2 Scope of these guidelines
2 Part 2 – Analysis of Article 6(1)(b)
2.1 General observations
2.2 Interaction of Article 6(1)(b) with other lawful bases for processing
2.3 Scope of Article 6(1)(b)
2.4 Necessity
2.5 Necessary for performance of a contract with the data subject
2.6 Termination of contract
2.7 Necessary for taking steps prior to entering into a contract
3 Part 3 – Applicability of Article 6(1)(b) in specific situations
3.1 Processing for ‘service improvement’
3.2 Processing for ‘fraud prevention’
3.3 Processing for online behavioural advertising
3.4 Processing for personalisation of content
The European Data Protection Board
Having regard to Article 70(1)(e) of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC,
HAS ADOPTED THE FOLLOWING GUIDELINES
1 PART 1 – INTRODUCTION
1.1 Background
1. Pursuant to Article 8 of the Charter of Fundamental Rights of the European Union, personal data must be processed fairly for specified purposes and on the basis of a legitimate basis laid down by law. In this regard, Article 6(1) of the General Data Protection Regulation1 (GDPR) specifies that processing shall be lawful only on the basis of one of six specified conditions set out in Article 6(1)(a) to (f). Identifying the appropriate legal basis that corresponds to the objective and essence of the processing is of essential importance. Controllers must, inter alia, take into account the impact on data subjects’ rights when identifying the appropriate lawful basis in order to respect the principle of fairness.
2. Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.2 This supports the freedom to conduct a business, which is guaranteed by Article 16 of the Charter, and reflects the fact that sometimes the contractual obligations towards the data subject cannot be performed without the data subject providing certain personal data. If the specific processing is part and parcel of delivery of the requested service, it is in the interests of both parties to process that data, as otherwise the service could not be provided and the contract could not be performed. However, the ability to rely on this or one of the other legal bases mentioned in Article 6(1) does not exempt the controller from compliance with the other requirements of the GDPR.
3. Articles 56 and 57 of the Treaty on the Functioning of the European Union define and regulate the freedom to provide services within the European Union. Specific EU legislative measures have been adopted in respect of ‘information society services’.3 These services are defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” This definition extends to services that are not paid for directly by the persons who receive them,4 such as online services funded through advertising. ‘Online services’ as used in these guidelines refers to ‘information society services’.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2 See also recital 44.
3 See for example Directive (EU) 2015/1535 of the European Parliament and of the Council, and Article 8 GDPR.
4 See Recital 18 of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.
4. The development of EU law reflects the central importance of online services in modern society. The proliferation of always-on mobile internet and the widespread availability of connected devices have enabled the development of online services in fields such as social media, e-commerce, internet search, communication, and travel. While some of these services are funded by user payments, others are provided without monetary payment by the consumer, instead financed by the sale of online advertising services allowing for targeting of data subjects. Tracking of user behaviour for the purposes of such advertising is often carried out in ways the user is not aware of,5 and it may not be immediately obvious from the nature of the service provided, which makes it almost impossible in practice for the data subject to exercise an informed choice over the use of their data.
5. Against this background, the European Data Protection Board6 (EDPB) considers it appropriate to provide guidance on the applicability of Article 6(1)(b) to processing of personal data in the context of online services, in order to ensure that this lawful basis is only relied upon where appropriate.
6. The Article 29 Working Party (WP29) has previously expressed views on the contractual necessity basis under Directive 95/46/EC in its opinion on the notion of legitimate interests of the data controller.7 Generally, that guidance remains relevant to Article 6(1)(b) and the GDPR.
1.2 Scope of these guidelines
7. These guidelines are concerned with the applicability of Article 6(1)(b) to processing of personal data in the context of contracts for online services, irrespective of how the services are financed. The guidelines will outline the elements of lawful processing under Article 6(1)(b) GDPR and consider the concept of ‘necessity’ as it applies to ’necessary for the performance of a contract’.
8. Data protection rules govern important aspects of how online services interact with their users, however, other rules apply as well. Regulation of online services involves cross-functional responsibilities in the fields of, inter alia, consumer protection law, and competition law. Considerations regarding these fields of law are beyond the scope of these guidelines.
9. Although Article 6(1)(b) can only apply in a contractual context, these guidelines do not express a view on the validity of contracts for online services generally, as this is outside the competence of the EDPB. Nonetheless, contracts and contractual terms must comply with the requirements of contract laws and, as the case may be for consumer contracts, consumer protection laws in order for processing based on those terms to be considered fair and lawful.
10. Some general observations on data protection principles are included below, but not all data protection issues that may arise when processing under Article 6(1)(b) will be elaborated on. Controllers must always ensure that they comply with the data protection principles set out in Article 5 and all other requirements of the GDPR and, where applicable, the ePrivacy legislation.
2 PART 2 – ANALYSIS OF ARTICLE 6(1)(B)
2.1 General observations
5 In this regard, controllers need to fulfil the transparency obligations set out in the GDPR.
6 Established under Article 68 GDPR.
7 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP217). See in particular pages 11, 16, 17, 18 and 55.
11. The lawful basis for processing on the basis of Article 6(1)(b) needs to be considered in the context of the GDPR as a whole, the objectives set out in Article 1, and alongside controllers’ duty to process personal data in compliance with the data protection principles pursuant to Article 5. This includes processing personal data in a fair and transparent manner and in line with the purpose limitation and data minimisation obligations.
12. Article 5(1)(a) GDPR provides that personal data must be processed lawfully, fairly and transparently in relation to the data subject. The principle of fairness includes, inter alia, recognising the reasonable expectations8 of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller.
13. As mentioned, as a matter of lawfulness, contracts for online services must be valid under the applicable contract law. An example of a relevant factor is whether the data subject is a child. In such a case (and aside from complying with the requirements of the GDPR, including the ‘specific protections’ which apply to children),9 the controller must ensure that it complies with the relevant national laws on the capacity of children to enter into contracts. Furthermore, to ensure compliance with the fairness and lawfulness principles, the controller needs to satisfy other legal requirements. For example, for consumer contracts, Directive 93/13/EEC on unfair terms in consumer contracts (the “Unfair Contract Terms Directive”) may be applicable.10 Article 6(1)(b) is not limited to contracts governed by the law of an EEA member state.11
14. Article 5(1)(b) of the GDPR provides for the purpose limitation principle, which requires that personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
15. Article 5(1)(c) provides for data minimisation as a principle, i.e. processing as little data as possible in order to achieve the purpose. This assessment complements the necessity assessments pursuant to Article 6(1)(b) to (f).
16. Both purpose limitation and data minimisation principles are particularly relevant in contracts for online services, which typically are not negotiated on an individual basis. Technological advancements make it possible for controllers to easily collect and process more personal data than ever before. As a result, there is an acute risk that data controllers may seek to include general processing terms in contracts in order to maximise the possible collection and uses of data, without adequately specifying those purposes or considering data minimisation obligations. WP29 has previously stated:
The purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specified purpose, and to allow that compliance with the law can be assessed and data protection safeguards applied. For these reasons, a purpose that is vague or general, such as for instance ‘improving users’ experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will – without more detail – usually not meet the criteria of being ‘specific’.12
8 Some personal data are expected to be private or only processed in certain ways, and data processing should not be surprising to the data subject. In the GDPR, the concept of ‘reasonable expectations’ is specifically referenced in recitals 47 and 50 in relation to Article 6(1)(f) and (4).
9 See Recital 38, which refers to children meriting specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
10 A contractual term that has not been individually negotiated is unfair under the Unfair Contract Terms Directive “if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer”. Like the transparency obligation in the GDPR, the Unfair Contract Terms Directive mandates the use of plain, intelligible language. Processing of personal data that is based on what is deemed to be an unfair term under the Unfair Contract Terms Directive will generally not be consistent with the requirement under Article 5(1)(a) GDPR that processing is lawful and fair.
11 The GDPR applies to certain controllers outside the EEA; see Article 3 GDPR.
2.2 Interaction of Article 6(1)(b) with other lawful bases for processing
17. Where processing is not considered ‘necessary for the performance of a contract’, i.e. when a requested service can be provided without the specific processing taking place, the EDPB recognises that another lawful basis may be applicable, provided the relevant conditions are met. In particular, in some circumstances it may be more appropriate to rely on freely given consent under Article 6(1)(a). In other instances, Article 6(1)(f) may provide a more appropriate lawful basis for processing. The legal basis must be identified at the outset of processing, and information given to data subjects in line with Articles 13 and 14 must specify the legal basis.
18. It is possible that another lawful basis than Article 6(1)(b) may better match the objective and context of the processing operation in question. The identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation.13
19. The WP29 guidelines on consent also clarify that where “a controller seeks to process personal data that are in fact necessary for the performance of a contract, then consent is not the appropriate lawful basis”. Conversely, the EDPB considers that where processing is not in fact necessary for the performance of a contract, such processing can take place only if it relies on another appropriate legal basis.14
20. In line with their transparency obligations, controllers should make sure to avoid any confusion as to what the applicable legal basis is. This is particularly relevant where the appropriate legal basis is Article 6(1)(b) and a contract regarding online services is entered into by data subjects. Depending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line with Article 6(1)(a) when signing a contract or accepting terms of service. At the same time, a controller might erroneously assume that the signature of a contract corresponds to consent in the sense of Article 6(1)(a). These are entirely different concepts. It is important to distinguish between accepting terms of service to conclude a contract and giving consent within the meaning of Article 6(1)(a), as these concepts have different requirements and legal consequences.
21. In relation to the processing of special categories of personal data, in the guidelines on consent, WP29 has also observed that:
Article 9(2) does not recognize ‘necessary for the performance of a contract’ as an exception to the general prohibition to process special categories of data. Therefore controllers and Member States that deal with this situation should explore the specific exceptions in Article 9(2) subparagraphs (b) to (j). Should none of the exceptions (b) to (j) apply, obtaining explicit consent in accordance with the conditions for valid consent in the GDPR remains the only possible lawful exception to process such data.15
12 Article 29 Working Party Opinion 03/2013 on purpose limitation (WP203), pages 15–16.
13 When controllers set out to identify the appropriate legal basis in line with the fairness principle, this will be difficult to achieve if they have not first clearly identified the purposes of processing, or if processing personal data goes beyond what is necessary for the specified purposes.
14 For more information on implications in relation to Article 9, see Article 29 Working Party Guidelines on consent under Regulation 2016/679 (WP259), endorsed by the EDPB, pages 19–20.
2.3 Scope of Article 6(1)(b)
22. Article 6(1)(b) applies where either of two conditions is met: the processing in question must be objectively necessary for the performance of a contract with a data subject, or the processing must be objectively necessary in order to take pre-contractual steps at the request of a data subject.
2.4 Necessity
23. Necessity of processing is a prerequisite for both parts of Article 6(1)(b). At the outset, it is important to note that the concept of what is ‘necessary for the performance of a contract’ is not simply an assessment of what is permitted by or written into the terms of a contract. The concept of necessity has an independent meaning in European Union law, which must reflect the objectives of data protection law.16 Therefore, it also involves consideration of the fundamental right to privacy and protection of personal data,17 as well as the requirements of data protection principles including, notably, the fairness principle.
24. The starting point is to identify the purpose for the processing, and in the context of a contractual relationship, there may be a variety of purposes for processing. Those purposes must be clearly specified and communicated to the data subject, in line with the controller’s purpose limitation and transparency obligations.
25. Assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”.18 If there are realistic, less intrusive alternatives, the processing is not ‘necessary’.19 Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes.
15 Article 29 Working Party Guidelines on consent under Regulation 2016/679 (WP259), endorsed by the EDPB, page 19.
16 The CJEU stated in Huber that “what is at issue is a concept [necessity] which has its own independent meaning in Community law and which must be interpreted in a manner which fully reflects the objective of that Directive, [Directive 95/46], as laid down in Article 1(1) thereof”. CJEU, Case C‑524/06, Heinz Huber v Bundesrepublik Deutschland, 18 December 2008, para. 52.
17 See Articles 7 and 8 of the Charter of Fundamental Rights of the European Union
18 See EDPS Toolkit: Assessing the Necessity of Measures that limit the fundamental right to the protection of personal data, page 5.
19 In Schecke, the CJEU held that, when examining the necessity of processing personal data, the legislature needed to take into account alternative, less intrusive measures. CJEU, Joined Cases C‑92/09 and C‑93/09, Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen, 9 November 2010. This was repeated by the CJEU in the Rīgas case where it held that “As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”. CJEU, Case C‑13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, para. 30. A strict necessity test is required for any limitations on the exercise of the rights to privacy and to personal data protection with regard to the processing of personal data; see EDPS Toolkit: Assessing the Necessity of Measures that limit the fundamental right to the protection of personal data, page 7.
2.5 Necessary for performance of a contract with the data subject
26. A controller can rely on the first option of Article 6(1)(b) to process personal data when it can, in line with its accountability obligations under Article 5(2), establish both that the processing takes place in the context of a valid contract with the data subject and that processing is necessary in order that the particular contract with the data subject can be performed. Where controllers cannot demonstrate that (a) a contract exists, (b) the contract is valid pursuant to applicable national contract laws, and (c) that the processing is objectively necessary for the performance of the contract, the controller should consider another legal basis for processing.
27. Merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b). On the other hand, processing may be objectively necessary even if not specifically mentioned in the contract. In any case, the controller must meet its transparency obligations. Where a controller seeks to establish that the processing is based on the performance of a contract with the data subject, it is important to assess what is objectively necessary to perform the contract. ‘Necessary for performance’ clearly requires something more than a contractual clause. This is also clear in light of Article 7(4). Although this provision concerns only the validity of consent, it illustrates the distinction between processing activities necessary for the performance of a contract, and clauses making the service conditional on certain processing activities that are not in fact necessary for the performance of the contract.
28. In this regard, the EDPB endorses the guidance previously adopted by WP29 on the equivalent provision under the previous Directive that ‘necessary for the performance of a contract with the data subject’:
… must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller. Also the fact that some processing is covered by a contract does not automatically mean that the processing is necessary for its performance. […] Even if these processing activities are specifically mentioned in the small print of the contract, this fact alone does not make them ‘necessary’ for the performance of the contract.20
29. The EDPB also recalls the same WP29 guidance stating:
There is a clear connection here between the assessment of necessity and compliance with the purpose limitation principle. It is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance.21
30. When assessing whether Article 6(1)(b) is an appropriate legal basis for processing in the context of an online contractual service, regard should be given to the particular aim, purpose, or objective of the service. For applicability of Article 6(1)(b), it is required that the processing is objectively necessary for a purpose that is integral to the delivery of that contractual service to the data subject. Processing of payment details for the purpose of charging for the service is not excluded. The controller should be able to demonstrate how the main subject-matter of the specific contract with the data subject cannot, as a matter of fact, be performed if the specific processing of the personal data in question does not occur. The important issue here is the nexus between the personal data and processing operations concerned, and the performance or non-performance of the service provided under the contract.
20 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP217), pages 16–17.
21 Ibid., page 17.
31. Contracts for digital services may incorporate express terms that impose additional conditions about advertising, payments or cookies, amongst other things. A contract cannot artificially expand the categories of personal data or types of processing operation that the controller needs to carry out for the performance of the contract within the meaning of Article 6(1)(b).
32. The controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not just on the controller’s perspective, but also a reasonable data subject’s perspective when entering into the contract, and whether the contract can still be considered to be ‘performed’ without the processing in question. Although the controller may consider that the processing is necessary for the contractual purpose, it is important that they examine carefully the perspective of an average data subject in order to ensure that there is a genuine mutual understanding on the contractual purpose.
33. In order to carry out the assessment of whether Article 6(1)(b) is applicable, the following questions can be of guidance:
• What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
• What is the exact rationale of the contract (i.e. its substance and fundamental object)?
• What are the essential elements of the contract?
• What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
34. If the assessment of what is ‘necessary for the performance of a contract’, which must be conducted prior to the commencement of processing, shows that the intended processing goes beyond what is objectively necessary for the performance of a contract, this does not render such future processing unlawful per se. As already mentioned, Article 6 makes clear that other lawful bases are potentially available prior to the initiation of the processing.22
35. If, over the lifespan of a service, new technology is introduced that changes how personal data are processed, or the service otherwise evolves, the criteria above need to be assessed anew to determine if any new or altered processing operations can be based on Article 6(1)(b).
22 See Article 29 Working Party Guidelines on consent under Regulation 2016/679 (WP259), endorsed by the EDPB, page 31, in which it is stated that: “Under the GDPR, it is not possible to swap between one lawful basis and another.”
36. Within the boundaries of contractual law, and if applicable, consumer law, controllers are free to design their business, services and contracts. In some cases, a controller may wish to bundle several separate services or elements of a service with different fundamental purposes, features or rationale into one contract. This may create a ‘take it or leave it’ situation for data subjects who may only be interested in one of the services.
37. As a matter of data protection law, controllers need to take into account that the processing activities foreseen must have an appropriate legal basis. Where the contract consists of several separate services or elements of a service that can in fact reasonably be performed independently of one another, the question arises to which extent Article 6(1)(b) can serve as a legal basis. The applicability of Article 6(1)(b) should be assessed in the context of each of those services separately, looking at what is objectively necessary to perform each of the individual services which the data subject has actively requested or signed up for. This assessment may reveal that certain processing activities are not necessary for the individual services requested by the data subject, but rather necessary for the controller’s wider business model. In that case, Article 6(1)(b) will not be a legal basis for those activities. However, other legal bases may be available for that processing, such as Article 6(1)(a) or (f), provided that the relevant criteria are met. Therefore, the assessment of the applicability of Article 6(1)(b) does not affect the legality of the contract or the bundling of services as such.
38. As WP29 has previously observed, the legal basis only applies to what is necessary for the performance of a contract.23 As such, it does not automatically apply to all further actions triggered by non-compliance or to all other incidents in the execution of a contract. However, certain actions can be reasonably foreseen and necessary within a normal contractual relationship, such as sending formal reminders about outstanding payments or correcting errors or delays in the performance of the contract. Article 6(1)(b) may cover processing of personal data which is necessary in relation to such actions.
23 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP217) page 17–18.
39. Contractual warranty may be part of performing a contract, and thus storing certain data for a specified retention time after exchange of goods/services/payment has been finalised for the purpose of warranties may be necessary for the performance of a contract.
2.6 Termination of contract
40. A controller needs to identify the appropriate legal basis for the envisaged processing operations before the processing commences. Where Article 6(1)(b) is the basis for some or all processing activities, the controller should anticipate what happens if that contract is terminated.24
41. Where the processing of personal data is based on Article 6(1)(b) and the contract is terminated in full, then as a general rule, the processing of that data will no longer be necessary for the performance of that contract and thus the controller will need to stop processing. The data subject might have provided their personal data in the context of a contractual relationship trusting that the data would only be processed as a necessary part of that relationship. Hence, it is generally unfair to swap to a new legal basis when the original basis ceases to exist.
42. When a contract is terminated, this may entail some administration, such as returning goods or payment. The associated processing may be based on Article 6(1)(b).
43. Article 17(1)(a) provides that personal data shall be erased when they are no longer necessary in relation to the purposes for which they were collected. Nonetheless, this does not apply if processing is necessary for certain specific purposes, including compliance with a legal obligation pursuant to Article 17(3)(b), or the establishment, exercise or defence of legal claims, pursuant to Article 17(3)(e). In practice, if controllers see a general need to keep records for legal purposes, they need to identify a legal basis for this at the outset of processing, and they need to communicate clearly from the start for how long they plan to retain records for these legal purposes after the termination of a contract. If they do so, they do not need to delete the data upon the termination of the contract.
44. In any case, it may be that several processing operations with separate purposes and legal bases were identified at the outset of processing. As long as those other processing operations remain lawful and the controller communicated clearly about those operations at the commencement of processing in line with the transparency obligations of the GDPR, it will still be possible to process personal data about the data subject for those separate purposes after the contract has been terminated.
24 If a contract is subsequently invalidated, it will impact the lawfulness (as understood in Article 5(1)(a)) of continued processing. However, it does not automatically imply that the choice of Article 6(1)(b) as the legal basis was incorrect.
2.7 Necessary for taking steps prior to entering into a contract
45. The second option of Article 6(1)(b) applies where processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. This provision reflects the fact that preliminary processing of personal data may be necessary before entering into a contract in order to facilitate the actual entering into that contract.
46. At the time of processing, it may not be clear whether a contract will actually be entered into. The second option of Article 6(1)(b) may nonetheless apply as long as the data subject makes the request in the context of potentially entering into a contract and the processing in question is necessary to take the steps requested. In line with this, where a data subject contacts the controller to enquire about the details of the controller’s service offerings, the processing of the data subject’s personal data for the purpose of responding to the enquiry can be based on Article 6(1)(b).
47. In any case, this provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party.
3 PART 3 – APPLICABILITY OF ARTICLE 6(1)(B) IN SPECIFIC SITUATIONS
3.1 Processing for ‘service improvement’25
48. Online services often collect detailed information on how users engage with their service. In most cases, collection of organisational metrics relating to a service or details of user engagement cannot be regarded as necessary for the provision of the service, as the service could be delivered in the absence of processing such personal data. Nevertheless, a service provider may be able to rely on alternative lawful bases for this processing, such as legitimate interest or consent.
49. The EDPB does not consider that Article 6(1)(b) would generally be an appropriate lawful basis for processing for the purposes of improving a service or developing new functions within an existing service. In most cases, a user enters into a contract to avail of an existing service. While the possibility of improvements and modifications to a service may routinely be included in contractual terms, such processing usually cannot be regarded as being objectively necessary for the performance of the contract with the user.
3.2 Processing for ‘fraud prevention’
50. As WP29 has previously noted,26 processing for fraud prevention purposes may involve monitoring and profiling customers. In the view of the EDPB, such processing is likely to go beyond what is objectively necessary for the performance of a contract with a data subject. However, the processing of personal data strictly necessary for the purposes of preventing fraud may constitute a legitimate interest of the data controller27 and could thus be considered lawful, if the specific requirements of Article 6(1)(f) (legitimate interests) are met by the data controller. In addition, Article 6(1)(c) (legal obligation) could also provide a lawful basis for such processing of data.
3.3 Processing for online behavioural advertising
51. Online behavioural advertising, and associated tracking and profiling of data subjects, is often used to finance online services. WP29 has previously stated its view on such processing, stating:
[contractual necessity] is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his clickstream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services, for example.28
52. As a general rule, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services. Normally, it would be hard to argue that the contract had not been performed because there were no behavioural ads. This is all the more supported by the fact that data subjects have the absolute right under Article 21 to object to processing of their data for direct marketing purposes.
25 Online services may also need to take into account Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 22.05.2019, p. 1), which will apply as from 1 January 2022.
26 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP217), page 17.
27 See Recital 47, sixth sentence.
28 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP217), page 17.
53. Further to this, Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract at issue. The controller would need to consider the factors outlined in paragraph 33.
54. Considering that data protection is a fundamental right guaranteed by Article 8 of the Charter of Fundamental Rights, and taking into account that one of the main purposes of the GDPR is to provide data subjects with control over information relating to them, personal data cannot be considered as a tradeable commodity. Even if the data subject can agree to the processing of personal data,29 they cannot trade away their fundamental rights through this agreement.30
55. The EDPB also notes that, in line with ePrivacy requirements and the existing WP29 opinion on behavioural advertising,31 and Working Document 02/2013 providing guidance on obtaining consent for cookies,32 controllers must obtain data subjects’ prior consent to place the cookies necessary to engage in behavioural advertising.
56. The EDPB also notes that tracking and profiling of users may be carried out for the purpose of identifying groups of individuals with similar characteristics, to enable targeting advertising to similar audiences. Such processing cannot be carried out on the basis of Article 6(1)(b), as it cannot be said to be objectively necessary for the performance of the contract with the user to track and compare users’ characteristics and behaviour for purposes which relate to advertising to other individuals.33
3.4 Processing for personalisation of content34
57. The EDPB acknowledges that personalisation of content may (but does not always) constitute an intrinsic and expected element of certain online services, and therefore may be regarded as necessary for the performance of the contract with the service user in some cases. Whether such processing can be regarded as an intrinsic aspect of an online service will depend on the nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalisation. Where personalisation of content is not objectively necessary for the purpose of the underlying contract, for example where personalised content delivery is intended to increase user engagement with a service but is not an integral part of using the service, data controllers should consider an alternative lawful basis where applicable.
29 See Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services.
30 Besides the fact that the use of personal data is regulated by the GDPR, there are additional reasons why processing of personal data is conceptually different from monetary payments. For example, money is countable, meaning that prices can be compared in a competitive market, and monetary payments can normally only be made with the data subject’s involvement. Furthermore, personal data can be exploited by several services at the same time. Once control over one’s personal data has been lost, that control may not necessarily be regained.
31 Article 29 Working Party Opinion 2/2010 on online behavioural advertising (WP171).
32 Article 29 Working Party Working Document 02/2013 providing guidance on obtaining consent for cookies (WP208).
33 See also Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251rev.01), endorsed by the EDPB, page 13.
34 Online services may also need to take into account Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 22.05.2019, p. 1), which will apply as from 1 January 2022.