GDPR Article 6(1)(b) – Performance of a Contract
Advanced Practitioner Analysis: The definitive guide to lawful processing under contractual necessity — scope, limits, controls, and operationalisation.
Core Legal Basis
What Article 6(1)(b) Permits
Processing is necessary for the performance of a contract to which the data subject is a party; or processing is necessary to take steps at the request of the data subject prior to entering into a contract.
The legal basis is fundamentally grounded in:
  • Necessity
  • Objective contractual purpose
  • Direct relationship between processing and contractual delivery
Narrow Interpretation
Article 6(1)(b) is not a general authorisation to process any data associated with a customer relationship. The processing must be objectively required.
The legal basis is interpreted narrowly by:
  • The European Data Protection Board (EDPB)
  • National supervisory authorities
  • Court decisions emphasising strict necessity rather than commercial convenience
Contractual Promise
What is the contractual promise made to the individual?
Indispensable Processing
What processing is indispensable to fulfil that promise?
Without This Processing?
Could the service be provided without this processing?
Less Intrusive Method?
Is a less intrusive method available to achieve the same outcome?
What Constitutes "Necessary"?
✔ Necessary MEANS
Integral to Delivery
Essential to delivering the service requested by the individual.
Objectively Linked
Objectively linked to contract fulfilment and performing contractual obligations.
✘ Necessary does NOT mean
Useful or Beneficial
Revenue-enhancing, operationally convenient, or preferred by the organisation.
Commercially Desirable
Processing that improves business outcomes but is not required to deliver the contracted service.
Sector Examples: Where Article 6(1)(b) Is Appropriate
Retail E-Commerce
  • Receiving customer order
  • Payment processing
  • Shipping goods
  • Managing returns
  • Delivery notifications
Activities are essential to fulfil the purchase contract.
Banking
  • Opening account requested by customer
  • Processing transactions
  • Providing account statements
  • Executing payment instructions
  • Administering loans
Core contractual obligations.
Insurance
  • Issuing policy
  • Processing premium payments
  • Handling claims
  • Administering policy lifecycle
Necessary to perform the insurance contract.
Further Appropriate Use Cases
Telecommunications
  • Provisioning mobile service
  • Billing usage
  • Network authentication
  • Managing customer account
Service cannot be delivered without processing.
SaaS Platforms
  • User authentication
  • Subscription management
  • Service access control
  • Technical support requested by user
  • Service performance monitoring
Directly supports service delivery.
Pre-Contractual Activities
  • Quote generation
  • Loan application assessment
  • Reservation processing
  • Service feasibility assessments
Steps requested by the data subject before contract formation.
Where Article 6(1)(b) Is Usually Not Appropriate
Behavioural Advertising
  • Cross-site tracking
  • Ad targeting
  • Marketing profiling
Reason: Advertising rarely forms the essence of the contract.
Alternative basis: Consent; Legitimate interests (where permissible).
Service Improvement Analytics
  • Product development analytics
  • Strategic usage analysis
  • Market research
Reason: Helpful but not essential to perform the contract.
Alternative basis: Legitimate interests; Consent.
Customer Profiling
  • Marketing segmentation
  • Predictive purchasing models
  • Propensity scoring
Reason: Usually unrelated to contractual necessity.
Further Inappropriate Use Cases
Data Sharing Across Group Companies
  • Centralised marketing databases
  • Cross-selling initiatives
  • Corporate intelligence programmes
Reason: Not required to perform the contract with the individual.
Optional Features
  • Loyalty schemes
  • Personalisation engines
  • Recommendation services beyond contractual necessity
Reason: Often separable from the core service.
Controllers must rigorously distinguish between processing that is required to deliver the contracted service and processing that is simply associated with the customer relationship.
Where Article 6(1)(b) does not apply, an alternative lawful basis must be identified, documented, and communicated to data subjects in the privacy notice.
Contractual Necessity Test
Controllers must formally document their necessity assessment. The following elements should be captured for every processing activity relying on Article 6(1)(b).
GDPR Articles Intersecting with Article 6(1)(b)
Article 6(1)(b) never operates in isolation. Lawful basis alone does not make processing compliant. Controllers must simultaneously satisfy transparency, security, minimisation, accountability, individual rights, retention obligations, and international transfer requirements.
Legal Basis Interplay
A single processing activity may rely on multiple legal bases simultaneously:
  • Art. 6(1)(b) — Service delivery
  • Art. 6(1)(c) — Regulatory retention
  • Art. 6(1)(f) — Fraud prevention
  • Art. 6(1)(a) — Marketing
Legal basis mapping is therefore a critical control.
Articles 5 & 6
Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, accountability.
Articles 7, 9 & 12–14
Distinguishing contractual necessity from consent; special category data (Art. 6(1)(b) alone insufficient); transparency and privacy notices.
Articles 15–22
Access, rectification, erasure, restriction, portability (particularly relevant for contract-based processing), objection, and automated decision-making.
Articles 24–35 & 44–49
Controller accountability, privacy by design, processor requirements, RoPA, security, breach notification, DPIAs, and international transfers.
Twenty Cross-Cutting Technical Controls
Organisations must implement a comprehensive control framework to operationalise Article 6(1)(b) compliance across all processing activities.
1. Legal Basis Inventory
Central register of lawful basis assignments. Version-controlled.
2. Necessity Assessment
Formal necessity evaluation workflow for every processing activity.
3. Data Element Justification
Every data field mapped to a specific contractual purpose.
4. Data Minimisation
Mandatory minimisation reviews at design and change stages.
5. Privacy Notice Sync
Automated alignment between RoPA and published privacy notices.
6. Lawful Basis Change Mgmt
Reassessment triggered after every service change.
7. RoPA Control
Comprehensive Article 30 records maintained and reviewed.
8. Purpose Mapping
Processing linked to explicit contractual obligation in all records.
9. Data Retention
Automated retention enforcement aligned to contractual lifecycle.
10. Access Management
Role-based access control limiting data access to contractual need.
11. Segregation of Duties
Separation of operational and marketing processing activities.
12. Processor Governance
Processor contract reviews aligned to Article 28 requirements.
13. Transfer Governance
SCC and transfer mechanism monitoring for international flows.
14. Audit Trail
Immutable logging of processing activities and access events.
15. Data Subject Rights
Rights fulfilment workflows covering access, portability, erasure.
16. DPIA Trigger
Automated risk thresholds triggering Data Protection Impact Assessments.
17. Security Monitoring
Continuous monitoring of processing environments and access patterns.
18. Data Quality
Validation and correction mechanisms ensuring accuracy.
19. Privacy-by-Design
SDLC integration embedding privacy controls at development stage.
20. Compliance Monitoring
Continuous control testing and assurance reporting.
How Large Organisations Operationalise Article 6(1)(b)
A structured ten-phase programme ensures that contractual necessity is assessed, documented, and maintained throughout the full service lifecycle.
Phase 1 – Service Design
Define business service, contractual obligations, service outcomes, customer journey, and required processing activities.
Phase 2 – Data Discovery
Identify data inputs, processing activities, outputs, recipients, and systems. Produce data inventories and flow diagrams.
Phase 3 – Necessity Assessment
Legal, privacy, business, and security review. Is processing objectively required? Is there a less intrusive method?
Phase 4 – Legal Basis Assignment
Assign lawful basis and supplementary bases where needed. Document rationale in lawful basis and processing registers.
Phase 5 – Contract Mapping
Link each processing activity to a contract clause, service requirement, or customer request. Produce contract-to-processing matrix.
Phase 6 – Control Implementation
Deploy access controls, logging, retention rules, encryption, and monitoring. Produce security standards and control matrices.
Phase 7 – Deployment
Production approval, compliance sign-off, and legal sign-off. Release approvals and compliance attestations documented.
Phase 8 – Ongoing Monitoring
Transaction monitoring, compliance testing, data quality reviews, and retention reviews. KPI dashboards maintained.
Phases 9 & 10: Rights Management and Continuous Improvement
Phase 9 – Rights Management
Organisations must maintain robust workflows to fulfil data subject rights arising from contract-based processing:
  • Access requests (Article 15)
  • Rectification (Article 16)
  • Portability (Article 20 — particularly relevant)
  • Erasure assessment (Article 17)
Artefacts: Rights request logs, fulfilment records, response timelines.
Phase 10 – Continuous Improvement
Article 6(1)(b) compliance is not a one-time exercise. Organisations must embed a cycle of continuous improvement driven by:
  • Audit findings
  • Regulatory updates and guidance
  • Incident lessons learned
Artefacts: Improvement plans, remediation records, updated necessity assessments.
This cycle ensures that as services evolve, contractual necessity assessments remain current, accurate, and defensible before supervisory authorities.
End-to-End Process Map
The complete lifecycle of contract-based processing — from initial customer request through to deletion and audit assurance.
Key Artefacts Supporting Article 6(1)(b)
Contractual
  • Contract documents
  • Terms and conditions
  • Service agreements
  • Customer requests
  • Order forms
  • Account opening forms
  • Service specifications
Compliance
  • Data flow diagrams
  • Processing inventories
  • RoPA entries
  • DPIAs
  • Transfer assessments
  • Necessity assessments
  • Lawful basis assessments
  • Retention schedules
Operational
  • Audit logs
  • Access logs
  • Incident records
  • Compliance attestations
  • Monitoring dashboards
  • Training records
  • Control testing results
  • Processor agreements
Automation Opportunities & Key Metrics
Automation Opportunities
Classification & Discovery
Automated lawful basis classification, AI-assisted contract analysis, data discovery tooling, metadata harvesting, and data lineage mapping.
Records & Governance
Automated RoPA generation, policy-as-code enforcement, automated retention triggers, rights request orchestration, and workflow-based approvals.
Monitoring & Engineering
Continuous control monitoring, real-time compliance dashboards, automated transfer assessments, data minimisation validation, contract clause extraction using NLP, and privacy engineering controls embedded in CI/CD.
Key Metrics for Monitoring
Coverage Metrics
  • % processing activities mapped to lawful basis
  • % Article 6(1)(b) activities with necessity assessments
  • % systems with complete data lineage
  • Contract-to-processing mapping coverage
Quality Metrics
  • RoPA completeness score
  • Data minimisation compliance rate
  • Retention compliance rate
  • Processor compliance rate
  • DPIA completion rate
Risk Metrics
  • Number of undocumented processing activities
  • Privacy incident frequency
  • Unauthorised access events
  • Regulatory issue recurrence rate
  • Overall Article 6(1)(b) compliance maturity index