What is the commonly used legitimate processing criterion when a customer purchases a good or service?

When a customer purchases a good or service, the legitimate processing criterion that is most commonly applied is the contractual basis. This involves the processing of personal data as necessary for the performance of a contract to which the individual is a party or to take steps at the request of the individual prior to entering into a contract.

In a purchase transaction, the act of buying creates an agreement between the seller and the buyer, and personal data processing is integral to fulfilling that agreement, such as processing payment information, delivering the goods or services, and managing customer relations. This contractual necessity allows businesses to operate efficiently while complying with data protection laws like the General Data Protection Regulation (GDPR).

While consent is an important criterion, it is more often associated with situations where individuals need to agree explicitly to data processing outside of a contractual obligation. Vital interests generally pertain to situations where processing is necessary to protect someone's life, and legitimate interests involve balancing a business's interests against the individual's privacy rights, which is not typically the primary reason in a standard purchasing scenario.