Examples of Contract Execution as a Legal Basis for Data Processing
Did you know that if you need to process data to deliver products or services, you don't have to get your customer's permission? Many online businesses request permission from their customers to process their data, even though the General Data Protection Regulation (GDPR) or any other data protection law does not require it.
This article will explain how to use contracts as a legal basis for data processing without legally requesting consent from users. We'll look at the following topics:
- The legal basis for data processing
- How to rely on contracts for data processing
What Are the Legal Bases of Data Processing?
When you are subject to a law that requires a legal basis for data processing, you need a legal reason to collect and use data.
The European Union’s GDPR is the world’s most thorough data privacy law. It has six legal bases for processing:
- User’s consent. In most cases, you must ask your users to consent to the data collection and processing.
- Execution of a contract. Sometimes you need to process user data to deliver products or services, and that’s where you can rely on this legal basis.
- Legitimate interests. Where your business interests override the rights and freedoms of data subjects, you can process their data without consent. This includes very few cases, such as fraud protection, cybersecurity, etc.
- Public interests. If the processing is required to fulfill a public interest that overrides the rights and freedoms of individuals, the processing is allowed. This basis has little impact on private companies but significantly impacts most public bodies.
- Person’s vital interests. You can process someone’s data to protect their health or life.
- Compliance with the laws. Some laws, such as employment or tax, require personal data processing.
Execution of a Contract as a Legal Basis for Data Processing
When you deliver goods or services to a customer, you must process their data. This could include their name, home address, phone number, email address, age, payment information, or any other type of personal information. This information is required in order to deliver the product to the correct person, contact them for customer support, and so on.
If the nature of the services necessitates the processing of personal data, this would also be included in the contract. A fitness tracking app, for example, must process health data, sometimes geolocation data, and so on.
You would not be able to deliver products to a customer's home address if you did not process their data.
Requirements to be met
You can only use this legal reason if all three of the following are true:
- There is an existing contract between you and the user, or one is about to be formed, and you require their data to complete the contract. The contract could be a Purchase Agreement, Licensing Agreement, Terms of Service, Terms and Conditions, or something similar that is common for online businesses;
- The contract is valid under the applicable law (i.e., the laws of Germany, the United States, or any other country); and
- You collect and process only the information that is necessary for the execution of the contract. The data minimization principle is in effect, which says you can only process the least amount of data needed to carry out the contract.
The same rules apply if the company needs to process data in the pre-contractual stage, even if the parties never enter into a contract later.
Data Minimization
As previously stated, you should not collect more personal information than is required to carry out the contract.
If you run an e-commerce store and all you need is the customer's name, home address, and contact information, you must not collect their birthday because it is not required for contract execution.
Purpose Limitation
After you've collected and processed the bare minimum of personal information required to deliver the goods or services, you can only use it for that purpose.
For example, if you processed their phone number and email address for customer support, you can only use that information for that purpose. You must not use it to send them marketing materials because that was not the purpose of collecting the data. You must obtain consent to use the email for marketing purposes.
Examples of Contract Execution as a Legal Basis for Data Processing
These are the principles for relying on the execution of contracts. Let's look at some examples to see how it works in practice.
SaaS
Assume you sell B2B software that requires the creation of a user account. In that case, you may request that the user provide their personal name, company name, email address, and any other information required to confirm that you are selling to a business. You should likewise process IP addresses to ensure that no one is abusing the subscription.
E-Commerce Store
Your agreement with the buyer calls for you to deliver a physical product to their home address. You may need to contact them for customer service.
Based on their purchase agreement, you can process their personal name and home address. You can also use their email address or phone number, whichever they prefer, to contact them for customer support. Their payment information will be processed on your behalf by a third-party payment processor.
Digital Product Store
The data you need depends on the type of digital product you sell. An email address or username will suffice for membership websites. However, you may want to process their IP address to prevent multiple people from logging in from multiple devices.
Assume you sell ebooks and collect email addresses from your customers. In that case, the only personal data you need to process are the email address and possibly the personal name in order to carry out the contract with the customer.