    Privacad GADPPRO Academy


      Article 25 GDPR Data Protection by Design and by Default

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date October 24, 2020

      Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default

      Paragraph 2.1.2 Designed to implement the data protection principles in an effective manner and protecting data subjects’ rights and freedoms

      12. The data protection principles are in Article 5 GDPR (hereinafter “the principles”), the data subjects’ rights are found in Articles 12 to 22, the data subjects’ freedoms are found in Recital 4 and in the EU Charter of Fundamental Rights (hereinafter “the rights”). It is essential for the controller to have an understanding of the meaning of the principles and the rights.

      13. When implementing the appropriate technical and organisational measures, it is with respect to the effective implementation of each of the aforementioned principles, rights and freedoms that the measures and safeguards shall be designed.

      Addressing effectiveness

      14. Effectiveness is at the heart of the concept of data protection by design. The requirement to implement the principles in an effective manner means that controllers must be able to demonstrate that they have implemented dedicated measures to protect these principles, and that they have integrated specific safeguards that are necessary to secure the rights and freedoms of data subjects. It is therefore not enough to implement generic measures solely to document DPbDD-compliance; each implemented measure must have an actual effect. This observation has two consequences.

      15. First, it means that Article 25 does not oblige controllers to implement any prescribed technical and organizational measures or safeguards, as long as the chosen measures and safeguards are in fact appropriate at implementing data protection into the processing. It should be noted that the measures and safeguards should be designed to be robust and be able to be scaled up in accordance with any increase in risk of non-compliance with the principles. Whether or not measures are DPbDD-compliant will therefore depend on the contexts of the particular processing in question and an assessment of the Article-25 elements that must be taken into account when determining the means of processing. The aforementioned elements are addressed below in pt. 2.1.3.

      16. Second, controllers must be able to demonstrate that they have implemented measures and safeguards to achieve the desired effect in terms of data protection. To do so, the controller may determine appropriate key performance indicators to demonstrate compliance. Key performance indicators may include metrics to demonstrate the effectiveness of the measures in question. Metrics may be quantitative, such as level of risk, reduction of complaints, reduction of response time when data subjects exercise their rights; or qualitative, such as evaluations of performance, use of grading scales, or expert assessments. Alternatively, controllers may provide the rationale behind their assessment of the effectiveness of the chosen measures and safeguards.

      Richard V
