
Shining a light on what “necessity” means for GDPR & tightening up “contract” as a lawful processing ground in the context of “online services”

  • United Kingdom
  • Privacy, data protection and cybersecurity

30-04-2019

The European Data Protection Board (EDPB) has published a set of guidelines (in draft) for public consultation. These will be absolutely key to providers of online services, such as social media, e-commerce, internet search engines, communication and travel services. The guidelines specifically mention online behavioural advertising and personalisation of content (amongst others). They also, by extrapolation, provide insight to other businesses on just how narrowly this lawful basis is likely to be applied in other contexts.

In addition, they will be useful to controllers who operate outside of ‘online services’. The guidelines shed light on the interpretation of ‘contract’ as a lawful basis for processing in other contexts, not just in the online environment (eg processing for employment contracts) and, more widely, on how strictly “necessity” is being construed. Read on if you’ve ever grappled with whether you really do pass the “necessity” test relevant to other lawful reasons for processing under Article 6 GDPR, eg if you rely on your processing being “necessary” for legitimate interests or “necessary” for compliance with legal obligations. Similarly, processing of special category data under Article 9 GDPR for employment reasons or to establish, exercise or defend legal claims will only be lawful where “necessary”. There are many other GDPR rules which have this concept at their heart and these guidelines will be relevant there too.

The consultation ends on 24 May 2019. Anyone can participate. Now is your chance to have your say, particularly if the provision of ‘online services’ to data subjects is key to your business. There could well be a significant response to the consultation, given how business critical this topic is to many providers of online services and how embedded their models are. Some providers may need to look to alternative lawful bases and revisit fairness and transparency and the other GDPR principles (including data minimisation and purpose limitation) in relation to their online services.

The consultation will lead to final guidelines. After the UK exits the EU, the guidelines will remain relevant in the UK. The ICO will not have a seat on the EDPB but it will in all likelihood take account of EDPB guidelines.

What are the (draft) guidelines about?

Article 6(1)(b) GDPR, specifically processing of personal data for the provision of ‘online services’ to data subjects. Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

As mentioned, they include particular commentary about “necessity” which will be useful in many other contexts, and the guidelines will have a wider impact than for contracts for online services.

What are ‘online services’?

GDPR uses the term ‘information society services’. This means ‘any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.’ This extends to services not paid for directly by the recipient consumer, such as online services funded through advertising allowing for targeting of data subjects. As mentioned, examples include providers of social media, e-commerce, internet search engines, communication and travel services.

The guidelines (once finalised) are expected to apply irrespective of whether online services are financed by the consumer, by advertising, or otherwise.

Why does the EDPB comment on this?

There is a concern that providers of ‘online services’ have sought to justify all of their processing of personal data as being necessary for the contract with the data subject. For example, tracking of user behaviour for advertising purposes (which in some cases, though not all, finances the online service) is often carried out in ways the user is not aware of and in many cases this (and other processing) simply is not objectively necessary to perform the contract. The EDPB is looking to tighten up how the ground is interpreted.

Can we have some examples for context?

The EDPB gives useful examples. We have paraphrased these (see the guidelines for more detail) and added commentary.

Online retailer: Building profiles of a user’s tastes based on their visits to the website, even if specifically mentioned in the contract, is not necessary to perform that contract. The retailer should look to alternative processing grounds.

Lead up to contract: When a data subject provides his post code to check a provider operates in his area, that post code must necessarily be processed to take steps at his request prior to the contract. Whereas a financial institution having to do identity verification on new customers pursuant to national laws before entering into a contract should rely on Article 6(1)(c) (necessary for a legal obligation) rather than 6(1)(b) (necessary prior to entering into the contract).

Processing ‘for service improvement’ is not necessary to actually provide the existing service – which could be delivered without seeing how users of it engage with it. At that moment the user wants the existing service, not the (future) improved service. The provider might consider legitimate interests or consent instead.

Processing ‘for fraud prevention’ often involves monitoring and profiling of customers. The EDPB considers this beyond what is objectively necessary to perform the contract. It may well still be lawful based on legal obligation or legitimate interests.

Online behavioural advertising and associated profiling is seldom a necessary element of online services. The contract could be performed without behavioural ads. Advertisers might not finance the service without this activity but the EDPB is expressly clear that in itself is not relevant to Article 6(1)(b). Finance supports the delivery of the service but it is separate from the objective purpose of the contract with the data subject. Moreover, under current eprivacy law, controllers need a data subject’s consent to place cookies for behavioural advertising.

Processing ‘for personalisation of content’ may be an essential element of online services in some cases but not others. Personalisation might well enhance user experience and stimulate engagement, but it is not usually objectively necessary to provide the service. It depends on the nature of the service and the expectations of the average data subject user. A provider of a service involving personal aggregation of news to users might strictly need to create a profile of the individual user’s interests to perform the contract. An online hotel search engine which monitors and creates a profile of a user’s typical spend on hotels, to recommend hotels to the user when returning search results, need not strictly do that to perform the contract. The service (of returning hotels available for the user’s specified dates in a specified area/country) could be provided without it. Similarly, an online market place which displays personalised ads to the user does not objectively need to do that to perform the contract.

Will these guidelines be useful?

Yes. The (draft) guidelines shed considerable light on this fundamentally important processing ground. It is useful to understand how the ICO will interpret the ground. However, several parts might be difficult to swallow, particularly for providers who have thus far been stretching this ground too far, to the detriment of data subjects. Revisions of online terms, and new assessments of alternative lawful processing grounds may well be a priority for some.

The guidelines do not mean that tracking of user behaviour for advertising purposes (including by cookies) cannot happen in the context of an online service. It can. The point is that ‘contract’ (Article 6(1)(b)) is not always the real reason for this and data subjects should not be misled.

What are the key points to digest from the (draft) guidelines?

The guidelines run to 14 pages. Click here for an eight point summary by Eversheds Sutherland of some of the key themes.

What “necessity” means for GDPR – our eight point summary

How can a controller participate in the consultation?

To see the guidelines and for more information click here.