The coupling prohibition is regulated in Art. 7 (4) GDPR and states:

“In assessing whether consent has been freely given, the greatest possible account must be taken of the fact whether, inter alia, the performance of a contract, including the provision of a service, is dependent on consent to the processing of personal data which is not necessary for the performance of the contract.”

According to the GDPR, personal data may only be processed if the data subject, i.e. the data subject, has given his or her voluntary consent for the data processing. According to Art. 7 para. 4 GDPR, the voluntary nature of consent is not given if it is linked to the conclusion of a contract. However, it can be concluded from the wording of the law that there is no absolute prohibition of tying, since tying is not prohibited in principle, but “the circumstance must be taken into account to the greatest possible extent”.

In principle, there is a prohibition of tying in that customer data may only be processed if it is necessary for the execution of the contract, i.e. the use of the software or participation in a competition. If the data subject was not informed about a further use of the personal data, and thus did not give consent for this, there is a violation of the prohibition of tying within the meaning of Art. 7 (4) GDPR.

Application of the coupling prohibition

In assessing whether consent qualifies as “freely given”, the specific situation of tying consent to contracts or the provision of a service must be considered. As a general rule, any circumstance that exerts undue pressure or is deemed to exert undue influence on the data subject (which can be expressed in many different ways) and thus prevents the data subject from exercising his or her free will invalidates consent.

The compulsion to consent to the use of personal data in addition to what is strictly necessary limits the choice of the data subject and stands in the way of free consent. Consent to the processing of personal data that is not necessary for the performance of the contract must not be provided as a compulsory consideration for the conclusion of a contract or the provision of a service. For this reason, consent must also be qualified as involuntary and thus ineffective if the data subject does not have the possibility to give his or her consent to the various processing operations of personal data separately. The same applies if the performance of the contract or the service is made dependent on consent, although this is not mandatory.

In order to assess whether such a situation of tying exists, it is important to determine what the scope of the contract is and what data are necessary for the performance of that contract. According to WP Opinion 06/201429 , the notion of “necessary for the performance of a contract” must be interpreted narrowly. The processing must be necessary for the performance of the contract with each data subject. This may include, for example, the processing of the data subject’s address in order to deliver goods purchased online or the processing of credit card data in order to facilitate payment. There must be a direct and objective link between the processing of the data and the purpose of performing the contract.

It should be noted that Art. 7(4) GDPR is only relevant if the data requested is not for the provision of a service, and the performance of that contract, and the personal data is obtained on the basis of consent. Conversely, if the data processing is necessary for the performance of the contract, then Art. 7(4) does not apply.

 

Data protection-compliant offering of register goods and raffles

In the ruling of 27 June 2019 of the Higher Regional Court (OLG) Frankfurt (ruling of 27.06.2019 Ref: 6 U 6/19), it was decided that “data against performance” may generally be demanded if and to the extent that the user agrees to it. The user is thus responsible for his or her own actions. However, from the perspective of data protection law, consent may not be structured in such a way that it is made dependent on a service, i.e. it is mandatory for the receipt of that service or benefit. Rather, it must be given voluntarily and without coercion by the user. Thus, even after the application of the GDPR, an impermissible tying can only be seen in the sense of Art. 7(4) GDPR if the user had no real or free choice for the benefit, especially if pressure is exerted on the user to disclose his or her data.

The Supreme Court in Austria (OGH) ruled differently in its judgment on the tying prohibition of the GDPR (judgment of 31.08.2018, ref: 6Ob140/18h). It stated that.

“[…] consent shall not be deemed to be freely given if consent cannot be given separately to different processing operations of personal data, although this is appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on consent, although such consent is not necessary for performance.”

The Bavarian State Office for Data Protection Supervision has also commented on this issue in an opinion and has set out clear rules for compliance with the prohibition of tying under the GDPR. The decisive point is that the user must be informed that the use of registerware is a matter of “performance against data”. That is, that there is an exchange of personal data such as the email address of the data subject for a (then free) product.

 

Conclusion

One option is to offer a payment option as an alternative to the free download of the software. This leaves the customer with the option of choosing to use the Registerware and thus giving voluntary consent to the processing of personal data, or choosing not to and having to pay for the use of the software.

The data controller must demonstrate that data subjects were offered a real choice if they could choose between a service that includes consent to the use of personal data for additional purposes, on the one hand, and an equivalent service that does not include consent to the use of the data for additional purposes, on the other. As long as it is possible to perform the contract or use the contracted service without consenting to the other or additional data processing in question, the prohibition of tying within the meaning of Art. 7(4) GDPR does not apply.

 

Sources