You can rely on the lawful basis of Contract if you need to process someone’s personal information:
- to deliver a contractual service to them; or
- because they have asked you to do something before entering into a contract (eg provide a quote).
This basis applies only:
- if the processing is necessary; and
- if you document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
The processing must be necessary. If you could reasonably do what they want by processing less data, or using their data in a less intrusive way, this basis will not apply.
You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
"Mark runs a carpentry firm. He stores the phone numbers, emails and addresses of the customers he has contracts with so that he can deliver his services effectively. This is covered in their terms of service. What legal basis would be assigned to this processing?"
Here the legal basis would be Contract. Mark needs to store his customers' information to give them the service he is contracted to provide. As this processing is:
- necessary to deliver his service and
- declared in his privacy information,
he is able to store (process) their information under the legal basis of Contract.
What the regulator says
Article 6(1)(b) gives you a lawful basis for processing where:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
When is the lawful basis for contracts likely to apply?
You have a lawful basis for processing if:
- you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract.
- you have a contract with the individual and you need to process their personal data so that they can comply with specific counter-obligations under the contract (eg you are processing payment details).
- you haven’t yet got a contract with the individual, but they have asked you to do something as a first step (eg provide a quote) and you need to process their personal data to do what they ask. This applies even if they don’t actually go on to enter into a contract with you, as long as the processing was in the context of a potential contract with that individual.