Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default

Paragraph 2.1.1  Controller’s obligation to implement appropriate technical and organisational measures and necessary safeguards into the processing

7. The controller shall (1) implement appropriate technical and organisational measures which are designed to implement the dataprotection principles and (2) integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. Both appropriate measures and necessary safeguards are meant to serve the same purpose of protecting the rights of data subjects and ensuring that the protection of their personal data is built into the processing.

8. The term measures can be understood in a broad sense as any method or means that a controller may employ in the processing. These measures must be appropriate, meaning that they must be suited to achieve the intended purpose, i.e. they must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects. The requirement to appropriateness is thus closely related to the requirement of effectiveness.

9. A technical or organisational measure can be anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customer data. There is no requirement to the sophistication of a measure as long as it is appropriate for implementing the data protection principles effectively.

10. Safeguards act as a second tier to secure data subjects’ rights and freedoms in the processing. Having implemented the data protection principles effectively means that the controller has integrated the safeguards that are necessary to ensure their effectiveness throughout the life-cycle of the personal data being processed. Enabling data subjects to intervene in the processing, providing automatic and repeated information about what personal data is being stored, or having a retention reminder in a data repository may be examples of necessary safeguards. Another may be implementation of a malware detection system on a computer network or storage system in addition to training employees about phishing and basic “cyber hygiene”.

11. An example of a technical measure or safeguard is pseudonymization of personal data. Such a measure may be used to implement a number of principles, such as the integrity and confidentiality and data minimisation.