Contractual Necessity

A lawful basis for processing personal data under GDPR Article 6(1)(b), applicable when processing is necessary to perform a contract with the data subject or to take pre-contractual steps at the data subject's request. This basis allows processing data needed to deliver services or goods that someone has purchased or signed up for. For example, processing shipping addresses to deliver orders, payment information to complete transactions, or account credentials to provide online services. The key word is 'necessary'—the processing must be objectively required to fulfill the contract, not just helpful or customary. You can't artificially expand contractual necessity by including unnecessary processing in contract terms. This basis doesn't cover processing for purposes beyond contract performance, like marketing or analytics, which require different legal bases. Contractual necessity is often appropriate for core service delivery but shouldn't be used as a catch-all justification.