Contract (GDPR)
Here we explain the contract legal basis and how it operates when processing personal data under the GDPR.
Explained – what does the contract legal basis mean?
The contract legal basis means an organisation may process personal data where the processing is necessary to perform a contract with the data subject, or to take steps at the data subject’s request before entering into a contract. This follows from Article 6(1)(b) GDPR.
The basis is common in customer relationships, employment relationships and supplier contracts where certain processing of personal data is a direct prerequisite for fulfilling the contract.
When does the question of using the contract legal basis arise?
The question arises when the controller needs to process personal data in order to meet its obligations under the contract. This can apply both during the term of the contract and, in some cases, to preparatory steps.
Examples include a company processing a customer’s address details to deliver a product, or an employer handling employees’ bank details for payroll.
Points to consider when relying on the contract legal basis
To use the contract legal basis correctly, an organisation should consider the following:
- The processing must be necessary to perform the contract – not merely desirable.
- Only personal data that is relevant and proportionate may be processed.
- If processing continues after the contract has ended, a different legal basis is required.
- Pre-contract measures may only cover processing carried out at the data subject’s own request.
- Information must be provided to the data subject in line with the GDPR’s transparency requirements.
- The contract legal basis must not be used as a pretext to collect more data than necessary.
A careful necessity assessment ensures that the “contract” basis is used appropriately and in accordance with the GDPR’s principles.
Why is the contract legal basis important?
The contract legal basis is central because it enables processing of personal data that is directly linked to the data subject’s requests and rights within the contractual framework. Without this basis, many day-to-day business and employment processes would not be lawful under the GDPR.
At the same time, the basis requires that processing is strictly necessary and does not go beyond what the contract demands. Incorrect reliance on the basis can render processing unlawful and lead to sanctions from the Data Protection Authority.
From a business perspective, correct application supports smooth processes, satisfied customers and employees, and strengthens trust in an organisation’s data protection practices.
Frequently asked questions on the contract legal basis
It means personal data may be processed where necessary to perform a contract with the data subject, or to take steps at the data subject’s request before a contract is concluded.
When the processing is directly linked to meeting the contract’s terms and is necessary for performance of the contract.
Common examples include an individual receiving:
- Delivery of ordered goods or services.
- An invoice sent to them.
- Salary payments in an employment context.
Normally not, as marketing is rarely necessary to perform a contract. Consent or legitimate interests are often required instead.
After termination, any further processing must rely on a different legal basis, such as legal obligation or legitimate interests.
The organisation should:
- Identify which processing activities are necessary for the contract.
- Limit collection to relevant data.
- Inform the data subject and retain documentation of the processing.
Read more about our services
GDPR Lawyer
Engage Morling Consulting’s privacy counsel when personal data issues need to be addressed in a business-focused manner with clear control of risk. We provide support with governance, contracts, transparency and processor arrangements, ensuring the organisation remains consistent towards data subjects and the Data Protection Authority (IMY).
DPIA
We prepare Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk and require a documented basis for decision-making. We carry out the assessment, identify risks, and put in place mitigations and documentation so the DPIA is auditable, traceable, and ready for review.
Breach management
Morling Consulting supports incident management when a personal data breach must be handled swiftly and correctly. We lead the assessment, remediation plan and documentation, including materials for notification and communications, so the organisation acts in a coordinated way and reduces consequential harm.
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85