GDPR and legal basis: Understanding everything about the execution of a contract

According to article 1101 of the Civil Code, "The contract is an agreement of will between two or more people intended to create, modify, transmit or extinguish obligations."

Under the GDPR, the execution of a contract or pre-contractual measures can serve as a legal basis for the processing of personal data. However, there are several conditions to be met to apply this legal basis to the processing.

So sit comfortably with tea and we'll explain everything to you in 5 minutes! ☕

The response to the survey: "As part of an online purchase, does asking for the customer's postal address demonstrate execution of the sales contract?"

To introduce the subject, we ran a survey on our LinkedIn page on March 22, asking whether requesting the customer's postal address in the context of a purchase demonstrates the execution of a sales contract.

Well done! Out of 95 voters, 74% of you answered "No". Indeed, to execute a sales contract, the seller can request more information from the buyer, if this is necessary for the execution of the contract.

The 6 legal bases provided for by the GDPR

The execution of a contract or pre-contractual measures is one of the 6 legal bases provided for in Article 6 of the GDPR:

  • Consent, which we dealt with last week,
  • The contract, which we are discussing today,
  • Legal obligation,
  • The public interest mission,
  • Safeguarding vital interests,
  • Legitimate interest.

Choosing your legal basis is mandatory for the processing to be lawful. It also determines the rights that data subjects can exercise over the processing in question: the rights are not the same from one legal basis to another. To learn more, check out our previous articles and follow us on LinkedIn to be notified as soon as our next articles are published! 👩‍💻

The legal basis "contract": what is it?

Processing may be based on a contract. However, it must be objectively necessary for the performance of the contractual obligation. This legal basis applies when the processing of data is essential for the performance of a contract between the data subject and the data controller.

To better understand what this means, let's take an example. A professional sells pairs of glasses on his website. When a pair is sold, the buyer and seller are bound by a sales contract. In return for payment by the buyer, the seller must deliver the pair of glasses. To do this, he needs at least the buyer's first and last name, postal address, and banking information for the online payment. On the other hand, collecting the person's sex, family situation and nationality does not seem necessary to deliver the pair of glasses.

The seller therefore collects the data necessary to fulfill its obligation to deliver the goods to the person. The legal basis for its processing will then be the execution of the contract concluded with its client. Collecting only the data strictly necessary for the processing makes it possible to meet the obligation of minimization. To understand everything about this principle, see our article.

In what cases can the execution of a contract serve as a legal basis?

To summarize, the performance of contractual or pre-contractual obligations may be the legal basis for the processing if:

  • There is a contractual or pre-contractual relationship between the data controller and the data subject. The data controller must prove that he is engaged in a relationship of this nature with the data subject. This legal basis can be chosen whether the contract already exists or does not yet exist. Where the processing is based on pre-contractual measures, the contract does not have to be concluded in the end. To illustrate, take the example of processing necessary for the execution of pre-contractual measures: the person wants to check whether the glasses seller can deliver the goods to their home. The processing of this data by the data controller may still be based on the execution of pre-contractual measures. Here, the data controller plans for the contract to be concluded; he can still choose this legal basis.
  • The contract is lawful under applicable law. To be lawful, the contract must meet the requirements of French law. Generally speaking, contract law is applicable. For certain contracts, specific constraints must be respected. This is the case, for example, when the contract is concluded with a consumer: consumer law then applies.
  • The processing is necessary for the execution of the contract or pre-contractual measures. The processing that is carried out must only be used to execute the contract. That is to say, it cannot serve any purpose other than providing the good or service to the person concerned. For example, the data collected to send the pair of glasses cannot be used to send a newsletter. In that case, the data controller is carrying out new processing, which cannot rely on the legal basis of the contract. This is in line with the principle of limitation of purposes; consult our article on the subject to find out more! In addition, the data controller must consider the reasonable expectations of his co-contractor. Before implementing the processing, the data controller ensures that it is the only possible means of executing the contract.

What are the consequences of choosing this legal basis?

Consequences at the end of the contract

As soon as the contract ends, even in the event of contractual termination, data processing must cease. There is nevertheless an exception to this principle for processing operations inextricably linked to the execution of the contract.

To return to the example of the glasses seller, once the buyer has received their pair, their data must in principle be deleted. But if the person requests the application of the legal guarantee of conformity, the seller must necessarily process the person's data to respond to their request. In this case, since this new processing is directly linked to the execution of the contract, the same legal basis applies.

Consequences for the parties to the contract

For the data controller, the choice of this legal basis implies that the processing is subject to the one-stop shop cooperation mechanism. But it only concerns companies that carry out cross-border processing. That is to say, the processing is carried out:

  • Either by a company present in several states of the European Union,
  • Or by a company established in a single State which processes the data of people present in other Member States.

In this case, a "lead" authority is identified. The one that must be chosen is that of the member country in which the company's head office is established. For more information regarding the one-stop shop mechanism, you can consult the CNIL website.

With regard to the persons concerned, their rights are impacted by the choice of the legal basis of the contract. They will not be able to object to the processing. On the other hand, they will be able to exercise their right to portability. We will soon publish a new series of articles about people's rights.

Data Comply One (formerly Mission RGPD) and the legal basis "contract"

Are you having trouble knowing which legal basis to choose? You don't have the time you need to devote to managing your compliance?

✅ With Data Comply One (formerly Mission RGPD), don't panic: our processing models offer you an applicable legal basis.

In addition, in each of the processing sheets, to respect the principle of accountability, you can attach the contract model concerned.

This way, you centralize all the necessary documents in one place!
