The European Data Protection Board (EDPB) recently published draft guidelines (Guidelines) that affect online service providers’ ability to process personal data. The Guidelines are open for consultation until 24 May 2019.
The Guidelines are significant because the legal basis a service provider relies on determines and impacts the type and scope of its processing activities. We consider the Guidelines and some of the key examples.
To process personal data lawfully, an organization must identify one or more of the six legal bases specified in the GDPR. Traditionally, consent was a well-known legal basis, but changes under the GDPR have meant a greater focus on the legal grounds of contractual necessity (CN) and legitimate interests.
CN, in essence, permits an organization to process personal data necessary to perform a contract with the individual. The Guidelines seek to clarify the regulators’ position on performing a contract in various circumstances.
Online services only
The Guidelines are concerned only with the application of CN to the processing of personal data in the context of online services. Online services, or ‘information society services’, cover any service “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” This also includes services not paid for directly by the recipient, such as services funded through advertising.
The Guidelines do not answer questions that businesses in offline industries may have.
Avoid unfair terms in contracts
EU law is prescriptive on the types of terms that cannot be included in contracts with consumers. The Unfair Contract Terms Directive, which is implemented in each Member State’s national laws, aims to ensure balanced and transparent terms in consumer cont