Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default
Paragraph 2.1.3 Elements to be taken into account
17. Article 25 lists elements that the controller has to take into account when determining the measures of a specific processing operation. In the following, we will provide guidance on how to apply these elements in the design process.
“state of the art”
18. The concept of “state of the art” is present in various EU acquis, e.g. environmental protection and product safety. In the GDPR, reference to the “state of the art” is made not only in Article 32, for security measures, but also in Article 25, thus extending this benchmark to all technical and organisational measures embedded in the processing.
19. In the context of Article 25, the reference to “state of the art” imposes an obligation on controllers, when determining the appropriate technical and organisational measures, to take account of the current progress in technology that is available in the market. This means that controllers must have knowledge of and stay up to date on technological advances, how technology can present data protection risks to the processing operation, and how to implement the measures and safeguards that secure effective implementation of the principles and rights of data subjects in face of the technological landscape.
20. The “state of the art” is a dynamic concept that cannot be statically defined at a fixed point in time, but must be assessed continuously in the context of technological progress. In the face of technological advancements, a controller could find that a measure that once provided an adequate level of protection no longer does. Neglecting to keep up to date with technological changes could therefore result in a lack of compliance with Article 25.
21. The “state of the art” criterion does not only apply to technological measures, but also to organisational ones. Lack of adequate organisational measures can lower or even completely undermine the effectiveness of a chosen technology.
22. Existing standards and certifications may play a role in indicating the current “state of the art” within a field. Where such standards exist, controllers should take these into account in the design and implementation of data protection measures.
“cost of implementation”
23. When taking into account the cost of implementation, cost is not only meant in terms of money or economic advantage. Cost, in this context, refers to resources in general, including time and human resources. The EDPB reminds the reader that the cost of implementing data protection into the processing is a part of the business costs, and it is the former that is addressed in Article 25. Implementation and maintenance of the “state of the art” may also be of significance when considering the cost of implementation.
24. Keeping in mind the goal of effective implementation of the principles into the processing, the controller must take into account the cost of such implementation under the design process. This means that the controller shall plan for and expend the costs necessary for the effective implementation of all of the principles. In doing so, the controller may assess the risks to the rights and freedoms of data subjects that the processing entails and estimate the cost of implementing the appropriate measures into the processing to mitigate such risks to a level where the principles are effectively implemented. The controller must manage the costs to be able to effectively implement all of the principles. Incapacity to bear the costs is no excuse for non-compliance with the GDPR. At the same time, effective implementation of principles must not necessarily lead to higher costs. Spending more on technology does not necessarily lead to more effective implementation of the principles. In some instances there may be simple low-cost solutions that can be just as or even more effective than their costly counterparts.
“nature, scope, context and purpose of processing”
25. Controllers must take into consideration factors such as the nature, scope, context and purpose of processing when determining the appropriate technical and organisational measures that effectively implement the principles into the processing.
26. The concept of these factors reflects the understanding of these terms as they appear in other provisions of the GDPR, such as Articles 24, 32 and 35. The difference in the context of Article 25 is that these factors must be taken into account when designing and integrating technical and organisational measures into the processing operations so that they effectively implement principles that meet GDPR obligations and protect the rights of data subjects.
27. In short, the concept of nature can be understood as the inherent characteristics of the processing. The scope refers to the size and range of the processing. The context relates to the circumstances of the processing, which may influence the expectations of the data subject, while the purpose pertains to the aims of the processing.
“risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”
28. The GDPR adopts a coherent risk based approach throughout its provisions, in Articles 24, 25, 32 and 35 with a view to identify appropriate technical and organisational measures to protect individuals, their personal data and comply with the requirements of the GDPR. The risk and the assessment criteria are the same: the assets to protect are always the same (the individuals, via the protection of their personal data), against the same risks (to individuals’ rights and freedoms), taking into account the same conditions (nature, scope, context and purposes of processing).
29. When performing the risk analysis for compliance with Articles 24 and 25 the controller has to identify the risks and determine their likelihood and severity.
30. The “EDPB Guidelines on Data Protection Impact Assessment (DPIA)”, which focus on determining whether a processing operation is likely to result in a high risk or not, also provide guidance on how to assess data protection risks and how to carry out a data protection risk assessment. These Guidelines may also be useful during the risk assessment in all the Articles mentioned above, including Article 25.
31. The risk based approach does not exclude the use of baselines, best practices and standards. These might provide a useful toolbox for controllers to tackle similar risks in similar situations (nature, scope, context and purpose of processing). Nevertheless, the obligation in Article 25 (as well as Articles 24, 32 and 35(7)(c) GDPR) to take into account “risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing” remains. Therefore, controllers, although supported by such tools, must always carry out an assessment of data protection risks for the processing activity at hand and verify the effectiveness of the measures and safeguards proposed.