The conclusion of a contract and consent to the processing of personal data

The contract serves as the fundamental legal instrument regulating relationships between various entities. Even if it is entered into between legal entities, the personal data of the individuals who sign it are used to conclude it. This means that if the contract is not entered into for the private needs of a specific person, the entities signing it are processing personal data and have the status of a Data Controller. Therefore, when entering into a contract, should we obtain consent for the processing of data from the person signing it? Absolutely not!

Grounds for the Legality of Personal Data Processing

Article 6(1) of the GDPR sets out six legal grounds for processing personal data: a) consent, b) necessity for the performance of a contract with the data subject, c) legal obligation, d) task carried out in the public interest or in the exercise of official authority, e) protection of vital interests of the data subject, and f) legitimate interests pursued by the data controller or a third party. If any of these grounds is met, the Data Controller is considered authorized to process personal data.

Independence of Grounds

One of the key principles of the GDPR is the independence of individual legal grounds from one another. This means that each of them is autonomous and constitutes a separate basis for considering that the processing of personal data is lawful. In practice, this gives Data Controllers flexibility in choosing the appropriate legal basis, depending on the context of data processing. How does this relate to entering into contracts? If we identify that, when entering into a contract, we fulfill one of the legal grounds justifying processing other than consent, then obtaining consent as an additional basis is not only unnecessary but also redundant, and it violates the principle of data minimization.

Legal Basis for Data Processing when Entering into a Contract

Choosing the right legal basis seems simple: after all, we have the basis from Article 6(1)(b) of the GDPR, i.e., “necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.” However, there is a complication regarding the status of the entity with which we are entering into a contract. This criterion applies to natural persons who are parties to the contract, but we can also enter into contracts with legal entities, such as corporate entities. In that situation, the legal basis for processing the data of the individual representing the legal entity is a different criterion, namely Article 6(1)(f) of the GDPR, i.e., legitimate interests pursued by the data controller. Here, the interest is in entering into a contract with the entity that our data subject represents!

Consent as an Auxiliary Criterion

In every case of entering into a contract, we therefore have an independent criterion for processing the personal data of the individuals signing the contract. Collecting statements from these individuals that they consent to the processing of personal data for the purpose of fulfilling the contract is an improper action! Consent can, however, be obtained for actions other than signing the contract, such as receiving commercial information. Nevertheless, if we have a legal ground other than consent that we could use, we should rely on it.