On Contractual Necessity and Privacy
A controller can rely on this criterion when it needs to process the personal data of a data subject in order to perform a contract to which the data subject is or will be a party.
It should be noted that the keyword here is ‘necessary’. If the contract can be fulfilled without processing personal data, this criterion cannot be used as a lawful ground.
From IAPP:
The fundamental substance, rationale and purpose of the contract will be tested whether the data processing was necessary for the contract's] performance. Data processing that is useful or referenced in the terms of use does not make it “objectively necessary” for the performance of the contractual service. Another relevant consideration for necessity is whether there are realistic, less intrusive alternatives for the processing. In determining the core of the contractual service, it may be important to consider disclosures beyond the terms of use, e.g., how the service is promoted or advertised to the data subject.
Examples: Processing the buyer’s address to deliver goods or processing the bank details of an employee to provide salary.
NPC considers the relationship between a student and his/her school as grounded in contract. They call it “educational framework.”