Data processing has become an integral part of numerous business operations. Organizations often collect and process personal data as necessary for the performance of contractual obligations, creating a relationship between data protection and contract law. The contractual basis for processing data is one of the lawful grounds under data protection regulations that allows organizations to process personal data. This basis recognizes the importance of data processing for the execution and fulfillment of contractual agreements while emphasizing the need for privacy and data protection. Understanding the role of contracts as a basis for processing data is crucial for both businesses and individuals to ensure that personal information is handled responsibly, securely, and within the legal framework of contract and data protection laws.
What is Personal Data?
‘Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’.
Examples of personal data includes but are not limited to names, addresses, email address, bank details, posts on social networking websites, medical information, Media Access Control (MAC) address, Internet Protocol (IP) address, International Mobile Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI) number and others.
Legality of Data Processing
There are various principles that advance the concept of data privacy and among them is the principle of Lawfulness, Fairness and Transparency.
Organizations are tasked to ensure their data collection practices are law compliant and they are clear and transparent in all their dealings with data subjects. It must be stated in the data privacy policy, the type of data that is being collected and the reason for such necessary collection . Upon collection of personal data, what can the data collector do with the data, for what purpose is the data controller allowed to process personal data? The answer is in the affirmative.
However, the processing of personal data must have a legal basis.
Section 5(1) (a) of the Nigerian Data Protection Regulation provides that data must be collected and processed according to the specific and legitimate purpose of which it was collected and consented. According to Article 6 of the European Union General Data Protection Regulation, there are six recognised bases for processing data. They are: 5
- Consent of the data subject given
- Performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract
- Necessary for the data controller in compliance with a legal obligation
- Necessary to protect the vital interests of a data subject
- Necessary to the performance of a task
- Necessary in the legitimate interest of a company or organization and such interest should not override the interest or rights and freedom of the data subject.
Necessity of a Contract
A contract is an agreement enforceable by the law, between two or more persons to do or abstain from doing some act or acts, their intention being to create legal relations and not merely to exchange mutual promises, both having given something, or having promised to give something of value as consideration for any benefit derived from the agreement.
A contract is necessary because it highlights the obligations of parties involved, the roles, duties and responsibilities and in a situation where a party breaches a condition or warranty in the contract, such party bears the liability, if any
There are some essential elements which are necessary for the formation of a valid and enforceable contract. These conditions are:
- Offer and acceptance, which is in effect the agreement;
- There must be an intention to create legal relations;
- There is a requirement of written formalities in some cases;
- Consideration (unless the agreement is under seal);
- Capacity to contract.
Terms and Clauses of a Personal Data Processing Contract
Basically, a contract involving processing of personal data should have the following:
- Subject matter of the processing
- Duration of the processing
- Nature and purpose of the processing
- Type of personal data involved
- Rights of data subject
- Data controller’s obligations and rights
A good example is to state that the data processor must ensure that those who would encounter the data maintain the highest degree of confidentiality in handling data. A personal data processing contract is expected to be meaningful, timely and effective with the consent of the data subject.
It is bad faith for a controller of personal data to include a term in any contract that excludes them of liability for personal data in their care. Also, the data processor must take appropriate measures to ensure the data security of personal data collected and processed.
Conclusion
In every circumstance, personal data information required should have legal basis and great adherence to data processing laws to ensure proper stewardship of the data. A contract becomes necessary to adequately inform the data subject of clear details involved in processing of his/her personal data and to consent to it. A contract is to protect the interest of all parties particularly those of the data subjects whilst ensuring accountability.
Contributors:
Chisom Ogbunando and Uduakobong Okon.
References: 1Section 4 Nigerian Data Protection Regulation 2Luke Irwin, ‘The GDPR: Understanding the 6 data protection principles’ IT Governance (9 December 2021) <https://www/itgovernance.eu/blog/en/the-gdpr-understanding-the-6-data-protection-principles> accessed 23 June 2022. 3Smith and Keenan, English Law, 17th Ed., p.171 4https://www.dataprocessing.ie.en/organisations/know-your-obligations/lawful-processing accessed 22 June 2022. 5Ibid (4) 6Contracts, https://lco.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts accessed 22 June 2022. 7Ibid 7
image source: www.vecteezy.com
