Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default
SECTION 1 SCOPE
1. The Guidelines focus on controllers’ implementation of Data Protection by Design and Default (hereinafter “DPbDD”) based on the obligation in Article 25 of the GDPR. Other actors, such as processors and technology providers, who are not directly addressed in Article 25, may also find these Guidelines useful in creating GDPR-compliant products and services that enable controllers to fulfil their data protection obligations. Recital 78 of the GDPR points out that DPbDD should be taken into consideration in the context of public tenders. Although all controllers have the duty to integrate DPbDD into their processing activities, this provision fosters the adoption of the principles by expecting public administrations to lead by example.
2. The requirement is for controllers to have data protection designed into and as a default setting in the processing of personal data. The core of the provision is to ensure effective data protection both by design and by default, which means that controllers must be able to demonstrate that they have in place the appropriate measures and safeguards in the processing to ensure that the data protection principles and the rights and freedoms of data subjects are effective.
3. Chapter two of the Guidelines focuses on an interpretation of the requirements set forth by Article 25 and explores the legal obligations introduced by the provision. Operational examples on how to apply DPbDD in the context of specific data protection principles are provided in Chapter three.
4. The Guidelines also address the possibility to establish a certification mechanism to demonstrate compliance with Article 25 in Chapter four, as well as how the Article may be enforced by supervisory authorities in Chapter five. Finally (Chapter six), the Guidelines provide stakeholders with recommendations on how to successfully implement DPbDD.