30 GDPR provisions stipulate that the controller must carry out necessity assessments. This means that he must check whether his data processing is necessary for certain purposes:
Art. 5 I c: “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.“
Art. 5 I d: “Personal data shall be accurate and, where necessary, kept up to date.”
Art. 6 I b: “Processing shall be lawful if the processing is necessary for the performance of a contract […].”
Art. 6 I c: “Processing shall be lawful if the processing is necessary for compliance with a legal obligation to which the controller is subject.”
Art. 6 I d: “Processing shall be lawful if the processing is necessary in order to protect the vital interests of the data subject or of another natural person.”
Art. 6 I e: “Processing shall be lawful if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
Art. 6 I f: “Processing shall be lawful if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party […].”
Art. 7 IV: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Art. 9 II b: Processing sensible data is not prohibited “if the processing is necessary […] in the field of employment and social security and social protection law […].”
Art. 9 II c: Processing sensible data is not prohibited “if the processing is necessary to protect the vital interests of the data subject or of another natural person […].”
Art. 9 II f: Processing sensible data is not prohibited “if the processing is necessary for […] legal claims or whenever courts are acting in their judicial capacity.”
Art. 9 II g: Processing sensible data is not prohibited “if the processing is necessary for reasons of substantial public interest […].”
Art. 9 II h: Processing sensible data is not prohibited “if the processing is necessary for the purposes […] medicine, for […] health or social care […];
Art. 9 II i: Processing sensible data is not prohibited “if the processing is necessary for reasons of public interest in the area of public health […].”
Art. 9 II j: Processing sensible data is not prohibited “if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes […].”
Art. 11 I: “If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged […].”
Art. 13 II: “In addition to the information referred to in paragraph 1, the controller shall […] provide the data subject with the following further information necessary to ensure fair and transparent processing:”
Art. 14 II: “In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:”
Art. 17 I a: “The data subject shall have the right to […] erasure […] where […] the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.”
Art. 17 III: “Paragraphs 1 and 2 [right to erasure] shall not apply to the extent that processing is necessary […].”
Art. 21 VI: “Where personal data are processed for scientific or historical research purposes or statistical purposes […], the data subject […] shall have the right to object to processing […] unless the processing is necessary for the performance of a task carried out for reasons of public interest.”
Art. 22 II a: “Paragraph 1 [prohibition of automated decision-making] shall not apply if the decision is necessary for entering into, or performance of, a contract […].”
Art. 25 II 1: “The controller shall implement […] measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
Art. 34 III a: “The communication to the data subject referred to in paragraph 1 shall not be required if […] the controller has implemented appropriate […] measures […].”
Art. 49 I 1 b: “In the absence of an adequacy decision […] or of appropriate safeguards […] a transfer […] of personal data to a third country or an international organisation shall take place only […] if the transfer is necessary for the performance of a contract […] or the implementation of pre-contractual measures takenath the data subject’s request.”
Art. 49 I 1 c: “In the absence of an adequacy decision […] or of appropriate safeguards […] a transfer […] of personal data to a third country or an international organisation shall take place only […] if the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.”
Art. 49 I 1 d: “In the absence of an adequacy decision […] or of appropriate safeguards […] a transfer […] of personal data to a third country or an international organisation shall take place only […] if the transfer is necessary for important reasons of public interest.”
Art. 49 I 1 e: “In the absence of an adequacy decision […] or of appropriate safeguards […] a transfer […] of personal data to a third country or an international organisation shall take place only […] if the transfer is necessary for […] legal claims.”
Art. 49 I 1 f: “In the absence of an adequacy decision […] or of appropriate safeguards […] a transfer […] of personal data to a third country or an international organisation shall take place only […] ifthe transfer is necessary in order to protect the vital interests of the data subject or of other persons […].”
Art. 49 I 2: “Where a transfer could not be based on a provision in Article 45 or 46 including […] a transfer to a third country or an international organisation may take place only if the transfer […] is necessary for the purposes of compelling legitimate interests pursued by the controller […].”
The term “necessary” is also used in 47 Recitals: 8, 13, 17, 19, 29, 31, 38, 39, 43, 44, 45, 46, 47, 49, 50, 52, 53, 54, 60, 61, 62, 65, 68, 69, 71, 73, 86, 89, 93, 95, 97, 101, 111, 112, 115, 120, 126, 129, 141, 143, 152, 153, 154, 162, 164, 170 and 171 GDPR.