In Germany, freedom of contract is protected by constitutional law as part of the general freedom of action pursuant to Art. 2 I GG. It is an expression of private autonomy and includes freedom of conclusion, freedom of content, freedom of form and freedom of cancellation. It is restricted only by mandatory provisions of the applicable law, by statutory prohibitions and by “gute Sitten” (= accepted principles of morality).
When the data subject and the controller enter into a contract that involves the processing of personal data, freedom of contract is also affected. The GDPR contains numerous provisions restricting or specifying contractual freedom:
Articles: 6 I b, 7 IV, 8 III, 9 II h, 13 II e, 20 I a, 22 II a, 26, 28, 40 III, 42 II, 46 III a, 49 I b/c, 57 I j/r, 58 III h, 64 I e and 88 I GDPR.
Recitals: 40, 43 (2), 44, 68 (3)/(4)/(9), 71 (3), 81 (3)/(4), 91 (3), 108 (2), 109, 111 (1), 155 and 168 GDPR.
In the absence of provisions in the GDPR that are adequate for fundamental rights, the principle of proportionality (Art. 52 I CFR) must be applied in order to avoid a disproportionate restriction of the data subject’s and the controller’s contractual freedom (see Practical Concordance, Tile P.04). Cf. furthermore Art. 1 II GDPR and especially Rec. 4 (2) GDPR:
“The right to the protection of personal data is not an absolute right; it must be […] balanced against other fundamental rights, in accordance with the principle of proportionality.” [see also Tile CO.01].