popi_compliance_monitoring

Overview

  • You can rely on this lawful basis if you need to process a data subject's personal information:
    • to deliver a contractual service to them; or
    • because they have asked you to do something before entering into a contract (e.g. provide a quote).
  • The processing must be necessary. If you could reasonably do what they want by processing less data, or using their data in a less intrusive way, this basis will not apply.
  • You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.

Briefly

What does the POPIA say?

Section 11(1)(b) gives you a lawful basis for processing where:

“processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;”

When is the lawful basis for contracts likely to apply?

You have a lawful basis for processing if: 

  • you have a contract with the data subject and you need to process their personal information to comply with your obligations under the contract.
  • you have a contract with the data subject and you need to process their personal information so that they can comply with specific counter-obligations under the contract (e.g. you are processing payment details).
  • you haven’t yet got a contract with the data subject, but they have asked you to do something as a first step (e.g. provide a quote) and you need to process their personal data to do what they ask. This applies even if they don’t actually go on to enter into a contract with you, as long as the processing was in the context of a potential contract with that data subject.

Example

A data subject shopping around for car insurance requests a quotation. The insurer needs to process certain data in order to prepare the quotation, such as the make and age of the car.

It does not apply if you need to process one data subject’s details but the contract is with someone else. 

It does not apply if you collect and reuse your customer’s data for your own business purposes, even if this is permitted under your standard contractual terms and is part of your funding model. 

It does not apply if you take pre-contractual steps on your own initiative, to meet other obligations, or at the request of a third party. 

Note that, in this context, a contract does not have to be a formal signed document, or even written down, as long as there is an agreement which meets the requirements of contract law. Broadly speaking, this means that the terms have been offered and accepted, you both intend them to be legally binding, and there is an element of exchange (usually an exchange of goods or services for money, but this can be anything of value). However, this is not a full explanation of contract law, and if in doubt you should seek your own legal advice. 

When is processing ‘necessary’ for a contract?

‘Necessary’ does not mean that the processing must be absolutely essential or ‘the only way’ to perform the contract or take relevant pre-contractual steps. However, it must be more than just useful, and more than just part of your standard terms. It must be a targeted and proportionate step which is integral to delivering the contractual service or taking the requested action. This lawful basis does not apply if there are other reasonable and less intrusive ways to deliver the contractual service or take the steps requested.

The processing must be necessary to perform the contract with this particular person. If the processing is instead necessary to maintain your business model more generally, or is included in your terms for other business purposes beyond delivering the contractual service, this lawful basis will not apply and you should consider another lawful basis, such as legitimate interests.

Example 

When a data subject makes an online purchase, a controller processes the address of the data subject in order to deliver the goods. This is necessary in order to perform the contract.

However, the profiling of a data subject’s interests and preferences based on items purchased is not necessary for the performance of the contract and the responsible party cannot rely on Section 11(1)(b) as the lawful basis for this processing. Even if this type of targeted advertising is a useful part of your customer relationship and is a necessary part of your business model, it is not necessary to perform the contract itself.

This does not mean that processing which is not necessary for the contract is automatically unlawful, but rather that you need to look for a different lawful basis (and other safeguards such as the right to object may come into play).

What else should we consider?

If the processing is necessary for a contract with the data subject, processing is lawful on this basis and you do not need to get separate consent. 

If processing of special category information is necessary for the contract, you also need to identify a separate condition for processing this information. 

If the contract is with a child under 18, you need to consider whether they have the necessary competence to enter into a contract. If you have doubts about their competence, you may wish to consider an alternative basis such as legitimate interests, which can help you to demonstrate that the child’s rights and interests are properly considered and protected.

If the processing is not necessary for the contract, you need to consider another lawful basis such as legitimate interests or consent. Note that if you want to rely on consent you will not generally be able to make the processing a condition of the contract.  

If you are processing on the basis of contract, the data subject’s right to object and right not to be subject to a decision based solely on automated processing will not apply.   

Remember to document your decision that processing is necessary for the contract, and include information about your purposes and lawful basis in your privacy notice.