For reasons, I found myself browsing the privacy notices on the websites of some data protection consultancies this morning. In a large number of cases, where they address the situation of a potential client (which is highly likely to be a corporate entity) instructing them, they say or imply that they will process the personal data of people working for that potential client under the lawful basis of “contract”.
As well as this being, er, wrong, it concerns me for a couple of reasons.
First, why it’s wrong.
Article 5(1)(a) of the UK GDPR obliges a controller to process personal data lawfully. Article 6(1) provides a list of bases of which at least one must be met for processing to be lawful. The basis at Article 6(1)(b) is “processing is necessary for the performance of a contract…”.
I fear that many people stop there (in fact, I fear more that they don’t look at the actual law, and merely refer to some template or notes that were wrong in the first place). But there’s a reason I put an ellipsis: the full lawful basis is “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
A service contract with a corporate entity does not constitute the sort of contract which is dealt with by Article 6(1)(b): the people whose personal data is being processed (the staff of the corporate client) are not themselves party to that contract, and nor are they requesting pre-contractual steps in their own right.
The reason this really concerns me is that if these consultancies can’t get this fundamental point right in their own documentation, they are presumably advising clients along similar lines.
Such advice might well be negligent. Assuming the consultancies have professional indemnity insurance, their cover might be affected by matters like this. And there might be notification obligations to their insurers arising if they become aware of the fact that they’ve given incorrect, and possibly negligent, advice.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
