Version last updated: December 2019
related services offered by, or accessible via, those networks and systems – including
preventing unauthorised access to systems and stopping ‘denial of service’ attacks.
Necessity and Legitimate Interests
Once a legitimate interest has been identified, a controller must be able to show that the
processing of personal data is actually necessary for the purpose of that interest. The
necessity test requires controllers to demonstrate that the processing is a reasonable
and proportionate way of achieving their purpose. If a controller can reasonably
pursue these interests in another, less intrusive way, legitimate interests will not
provide a legal basis for processing.
Therefore, when assessing whether processing is necessary for the purpose of pursuing
a legitimate interest, controllers should consider whether the processing actually helps
to further the identified interest, whether it is a reasonable and proportionate way to do
so, and whether there are any less intrusive ways to achieve the same result.
In line with the principle of data minimisation, even where processing may seem
necessary, controllers should ensure that the amount of data processed and extent of
that processing is the minimum amount needed to achieve the stated purpose.
As is the case with other legal bases which involve the concept of necessity, the extent of
what precisely is ‘necessary’ for the purposes of any legitimate interest will ultimately
depend on the circumstances of each case, and will also be relevant to the
consideration of the balancing of interests, as discussed below.
The Balancing Test
As mentioned above, a key component of this legal basis is that it may only be relied upon
where the legitimate interests which are pursued by the controller or third party are not
overridden by the interests, rights, or fundamental freedoms of the data subject.
As such, controllers need to undertake a balancing exercise when assessing whether
the processing of personal data should take place under this legal basis. This exercise
should, as noted in Recital 47 GDPR, take into consideration the ‘reasonable
expectations’ of data subjects, in the context of their relationship with the controller.
In particular, controllers should pay special attention and afford extra protection to the
interests or fundamental rights and freedoms of the data subject where the data
subject is a child, as specifically required in the wording of Article 6(1)(f) itself. The GDPR
more broadly requires heightened levels of protection of children’s data protection rights,
which should be kept in mind by controllers when balancing these interests. Recital 38
GDPR, for example, notes that “[c]hildren merit specific protection with regard to their
personal data, as they may be less aware of the risks, consequences and safeguards concerned
and their rights in relation to the processing of personal data”, and suggests this is
particularly the case where marketing or profiling are concerned.
A large part of the balancing test undertaken by controllers should also be based on
common sense and the expectations of the data subject: if a data subject would not
reasonably expect this type of processing of their personal data, or if it would cause
unjustified harm to their interests, rights, or freedoms, their interests are likely to
override the legitimate interests upon which the controller is seeking to rely. Similarly,