The UK General Data Protection Regulation (UK GDPR) requires a lawful basis for every processing of personal data (Art. 6). One of those bases is that the processing is necessary for a contract with the data subject, or for steps taken before entering into one (Art. 6(1)(b)). This article sets out the conditions that must be met before a business can rely on the contractual basis to process data lawfully.
Legal basis for contracts
The contractual basis covers two situations. First, processing that is necessary to perform a contract you have with the data subject, for example using a customer's delivery address to fulfil an order. Second, processing that is necessary to take steps at the data subject's request before a contract is concluded, such as working up an insurance quote or a tradesman preparing an offer. In both cases the request or the contract must come from the data subject themselves.
But the contractual basis cannot be relied on in three cases: when the business processes the data of someone who is not a party to the contract; when the business collects or reuses a customer's data for its own wider business purposes that are not needed to perform the contract; and when pre-contractual steps are taken on the business's own initiative, to meet other obligations, or at the request of a third party rather than the data subject. Processing in those situations is not automatically unlawful, but it needs a different lawful basis.
Data processing for contracts
Some processing is plainly necessary to perform a contract, but "necessary" is read narrowly: the processing must be a targeted and proportionate step that is integral to delivering the contractual service or taking the requested pre-contractual action. If there is another reasonable and less intrusive way to deliver the service or take the requested steps, the processing is not necessary and this lawful basis does not apply.
If the processing is instead needed to sustain your business model more generally, or is written into your terms to serve other business purposes beyond delivering the contractual service, the contractual basis will not cover it and you should consider another lawful basis, such as legitimate interests. Writing a processing activity into the contract does not make it necessary for the contract.
This does not mean that processing which is not necessary for the contract is automatically unlawful; it means you must identify a different lawful basis for it before you carry it out.
Other aspects of data processing under a contract
There are several further points to consider when processing different data sets under the contractual basis.
First and foremost, a business must identify whether any special categories of personal data (Art. 9 UK GDPR, for example health data) are needed for the contract or the pre-contractual steps. If so, a lawful basis under Art. 6 is not enough on its own: one of the separate conditions in Art. 9 must also be met, and contractual necessity is not one of them.
A business should also remember that if the contract is with a child under 18, it needs to consider whether the child has the necessary competence to enter into that contract. If the child is not competent, the contract may not be valid and the contractual basis may not be available; in that case a parent or guardian may need to enter into the contract and provide the data on the minor's behalf, or another lawful basis must be found (see also our guide on how to comply with the Children's Code).
As with every processing activity and lawful basis, you should document your reasoning and the relevant details in your record of processing activities (ROPA), as set out in Art. 30 UK GDPR, and state the lawful basis in your privacy information for data subjects. This documentation is what allows you to demonstrate your reasoning to data subjects and to the Information Commissioner's Office (ICO) in the event of an audit or a data subject rights request.
A contract, or the steps leading up to one, is a straightforward lawful basis where it applies. However, it is a narrow one: it covers only the processing that is genuinely necessary to deliver the contract or to take the steps the data subject has requested. Any processing beyond that must rest on a different lawful basis.