Use of personal data is necessary for the performance of a contract, and/or for the performance of a public task when used in a proportionate, effective and as integrity friendly way as practically possible. Reading time: 1,5 minutes.
Proportionality assessment
To be able to determine whether a processing activity is necessary for the fulfilment of its purpose, an assessment of proportionality must be made. This means that your processing does not need to be the only way to achieve your purpose. At the same time, it does not mean that the meaning of the term “necessary” is the same as “the most effective way”. Instead, you need to fall somewhere in the middle.
As an example, let’s look at how to assess whether processing of personal data is necessary for the performance of a contract. In this case, the processing does not have to be absolutely essential for the fulfilment of the contract. Instead, the processing should constitute a proportionate and effective way of meeting a contractual obligation.
If you find that you could achieve the intended purposes with less intrusive use of personal data, you should consider that alternative. However, the GDPR does not always require you to use the least intrusive way of processing if the alternative entails unreasonable amount of work or investment.
Separate purposes; separate lawful basis
Remember to always keep the GDPR principles in mind. If an individual makes a purchase from your online store, you will need to process their address to deliver products. This processing is necessary for the performance of the contract. However, if you later use that address to send targeted advertising, you have gone beyond the original purpose. The additional processing, advertising to a customer, is not necessary for the original contract. Therefore, you will not be able to use the lawful basis ‘performance of a contract’ for your advertising activities.
Looking for a practical guide to the DPO role?
The book Data Protection Officer provides a practical guide to the DPO role, encompassing the key activities you’ll need to manage to succeed in the role. Coverage includes data protection fundamentals and processes, understanding risk and relevant standards, frameworks and tools, with DPO tips also embedded throughout the book and case studies included to support practice-based learning.
Available as an e-book and paperback. Get a preview or free sample: Data Protection Officer (BCS Guides to It Roles)
The above does not mean that you are not allowed to send targeted advertising to the customer’s address. It simply means that a different lawful basis will be applicable, the usage of which you will need to justify.
In conclusion
The meaning of the term “necessary” according to the GDPR does not equal the most effective way of achieving a purpose. Nor does it mean the only possible way to meet your obligations. Necessary means personal data is used in a proportionate, effective and as integrity friendly way as practically possible.