The EDPS quick-guide to necessity and proportionality

Processing of personal data - be it collection, storage, use or disclosure - constitutes a limitation on the right to the protection of personal data and must comply with EU law. This requires ensuring that it is both necessary and proportional.

The 8 steps outlined below will help you assess the compatibility of measures impacting the fundamental rights to privacy and to the protection of personal data with the EU Charter of Fundamental Rights.

They are based on the EDPS Necessity Toolkit and Guidelines on Proportionality. Easier to adapt:

Assessing necessity:

  1. Factual description of the measure.

  2. Identify fundamental rights and freedoms limited by data processing. Is there a limitation of the rights to privacy and to the protection of personal data, and possibly also of other rights? (*) In any case, the measure must respect the essence of the rights.

  3. Define the objectives of the measure. These may include an objective of general interest recognised by the Union or the need to protect the rights and freedoms of others.

  4. Choose the option that is effective and least intrusive. The measure should be genuinely effective and the least intrusive for the rights at stake.

Assessing proportionality:

  • Assess the importance of the objective and whether the measure meets the objective.

  • Assess the scope, the extent and the intensity of the interference.

    • SCOPE: how many persons would be affected?
    • EXTENT: what type of data would be processed? For how long?
    • INTENSITY: would the measure allow precise conclusions to be drawn about the private lives of individuals?
  • Proceed to the ‘fair balance’ evaluation of the measure.

  • If the measure is not proportionate, identify and introduce safeguards, such as:
    • reduce the scope or extent of personal data processing;
    • introduce a sunset clause or an expiry term;
    • provide for specific oversight, governance arrangements, etc.

In case of questions, please contact the EDPS Policy and Consultation Unit: POLICY-CONSULT@edps.europa.eu (www.edps.europa.eu, @EU_EDPS).
