EDPB Seeks Comment On Online Services Guidance

The European Data Protection Board is seeking comment on proposed guidelines that affect websites providing online services. This might include services a user pays for, or services where the fee is indirect (funded through advertising dollars, for example). The EDPB guidance points out that these services typically fall under the provision of GDPR that permits processing of personal information when it is “necessary to perform a contract.” In that regard, the guidance attempts to scope out processing that is necessary in the contractual realm. Information might be processed under one of the other legal bases that exist under GDPR, as the EDPB highlights throughout the guidance, including legitimate interest and consent. This guidance thus provides businesses with ideas about when processing might fall under the “necessary for a contract” basis as opposed to another legal basis.

In the proposed guidance, the EDPB points out that just because a particular use of information is outlined in a contract, this does not make such use “necessary.” Instead, the EDPB looks to the purpose of processing and the context of the contractual relationship. If there are less intrusive ways to process information, then the use is, according to the EDPB, not “necessary.” The EDPB provides examples, including where a user purchases something from an eRetail company by credit card, to be delivered to the user’s home. In this situation, processing both the credit card number and the home address is “necessary.” But if the person wanted to pick the product up, then gathering the home address would not be “necessary.” Expanding on the example, if this same eRetailer wants to create a profile of the user’s “tastes and lifestyle choices,” it will need to rely on a legal basis outside of the contractual one, according to the guidance. Similarly, using information to understand usage of an online platform would not be a use “necessary to perform a contract,” and instead would fall under an alternate legal basis, like (according to the EDPB) legitimate interest or consent.

Putting It Into Practice: Those interested can provide comments by 24 May to EDPV@edpb.europa.eu (comments will be published on the EDPB website). In the meantime, the proposal provides a useful overview of what the EDPB considers processing that is “necessary” for the performance of a contract, and when a company would need to rely on another legal basis.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...