Lawful Basis GDPR

Many businesses rely on the lawful basis of “contract” when processing personal data relating to contact persons at customer companies. This is often incorrect. Here, we explain why.

Relying on Article 6(1)(b) GDPR — the so-called “contractual basis” — requires the data subject to be a party to the contract. This means that the basis is only applicable where the contract is entered into with a natural person, such as a consumer or a sole trader. Where the contract is between two legal persons, such as two companies, Article 6(1)(b) cannot be relied on to process data relating to the individuals who represent or work for the company.

This is a common misconception, particularly in B2B operations where personal data relating to contact persons, such as names, telephone numbers and email addresses, is often processed as part of the customer relationship. However, under GDPR, “contract” as a legal basis only applies to the processing of data relating to the natural persons who are party to the contract. A legal person — meaning the company entering into the contract — is, as a starting point, separate from the individuals representing it. This means that if the natural person is not a party to the contract, Article 6(1)(b) cannot be used to establish a legal basis for processing that representative’s personal data.

This is also confirmed by the European Data Protection Board’s (EDPB) Guidelines 2/2019, paragraph 26. The guidance states that “contract” as a legal basis only applies where the processing is “objectively necessary” for the performance of a contract to which the data subject is a party. It is not enough that a person is involved in the contract or mentioned in it.

Legitimate interest as the lawful basis under GDPR for contact persons

When a company processes data relating to a contact person at a customer or supplier, where the contract is between two companies, legitimate interest under Article 6(1)(f) is generally the lawful basis under GDPR that may be used. This basis requires the controller to carry out a balancing test, assessing its legitimate need to process the data against the contact person’s right to privacy.

Such situations are very common and include, for example:

• Communications with contact persons in connection with requests for quotations and supply agreements.
• Invoicing and administration.
• Invitations to customer meetings or industry seminars.

Relying on legitimate interest as the legal basis means, in practice, that businesses must carefully document their balancing test and be prepared to justify why legitimate interest is a reasonable basis in the specific circumstances — or use another basis if that assessment does not hold.

When can contract be the right lawful basis under GDPR?

There are, of course, situations where contract is the correct lawful basis under GDPR:

• Where you sell a service to a consumer.
• Where a natural person, such as a sole trader, is the customer in their own right.
• Where an employment contract is entered into with an individual.

In these cases, it is fully possible to process personal data that is necessary for the performance of the contract, such as contact details, payment information and delivery details. However, this applies only where the data subject personally is a party to the contract.

A brief note on legal obligation

In addition to contract and legitimate interest, legal obligation may also be relevant as a basis under Article 6(1)(c), for example to comply with accounting obligations or to disclose information to authorities. However, this basis also requires a clear and specific legal requirement under national or EU law.

GDPR advisory services from experienced GDPR lawyers

Morling Consulting helps businesses ensure the correct legal basis for personal data processing in commercial relationships across Europe. Our GDPR lawyer team provides practical gdpr advisory services, including support with balancing tests, documentation and guidance on the practical application of the General Data Protection Regulation.

Our gdpr advisory services are designed for businesses that need legally robust, commercially workable decisions on customer, supplier and contact person data. A GDPR lawyer can help assess whether contract, legitimate interest or another legal basis is appropriate in the specific processing context.