Today I would like to write about a question concerning the EU General Data Protection Regulation (GDPR) that is discussed among data privacy experts:
„What connection do Art. 6 (1) a) and Art. 6 (1) b) GDPR have to each other considering the prohibition of consent bundling?“
Experts know that Article 6 (1) a) GDPR stipulates data processing based on consent, whereas Article 6 (1) b) GDPR covers data processing that is necessary to enter into or perform a contract. If either applies, the data processing is lawful.
„Article 6 Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;(…)”
One core element of data protection is not explicitly mentioned in this article but is defined in others: the autonomy and freedom of the data subject. Article 7 (4) GDPR describes that requirement as follows:
„Article 7 Conditions of consent
(…) 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
At first glance, it simply looks like a prohibition of combining contracts with consent („prohibition of consent bundling“). At second glance, it seems to blend the requirements of the legal bases:
Data processing based on consent could only be legitimate if it is necessary to perform a contract. But that is exactly what Article 6 (1) b) GDPR sets forth. Under this interpretation of Article 7 (4) GDPR, a separate consent does not exist, and Article 6 (1) a) and b) GDPR would need to be fulfilled cumulatively. In my opinion, that was neither intended by the legislator nor needed to secure the data subject’s autonomy:
Article 6 (1) GDPR doesn’t contain any hierarchy of legal bases but states that „at least“ one needs to be given. Consequently, these bases neither have to be fulfilled cumulatively nor are they mutually exclusive. Moreover, Article 6 GDPR shows that several legal bases may justify the same data processing at the same time. Recitals (43) and (44) underline this:
„(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.“
A practical example:
An online shop accepts an online order and requires address and payment data. Without these data the shop owner can’t fulfil his contractual obligations (Article 6 (1) b)), and he is also obliged to keep this information for accounting and tax reasons. Continuing with this example: as soon as the contract is fulfilled, “contract” as a legal basis no longer applies. Now the statutory obligation to store specific information for documentary purposes comes into play. In the end, we have an overlap of legal bases: each of them justifies the data processing at the same time without influencing the other. Only one of them is sufficient to legitimise the data processing in this case.
For the relationship between consent and contract, this means:
You don’t need to obtain consumers’ consent as long as the data processing is needed to perform a contract, i.e. is lawful under Article 6 (1) b) GDPR. Data subjects can exercise their right of autonomy because they are free to enter into the agreement. Contractual autonomy corresponds to the right to self-determined data processing. Demanding an additional consent is superfluous and, moreover, increases the risk of invalid consent and, with it, of legal action or fines.
Consequently, Article 7 (4) GDPR and the prohibition of consent bundling apply only in cases in which data processing is not covered by the contractual purpose, i.e. where contractual data processing is combined with the processing of additional “contractually irrelevant” data or for additional purposes. By argumentum e contrario, consent is valid even though the respective data processing is not necessary for an agreement, as long as it is not made a condition of entering into it.
Companies need to consider thoroughly 1. what the subject of the contract and their obligations are and which data are necessary to perform the contract, and 2. whether they want to process additional data or use data for other “non-contractual” purposes.