EDPB Finalizes Guidelines on Data Protection by Design and by Default
The guidelines show how to effectively implement the principles relating to the processing of personal data set out in Art. 5 GDPR, setting out key design and default elements alongside practical examples, and stress that controllers must be able to demonstrate the effectiveness of the measures implemented. The guidelines also provide recommendations on how controllers, processors and third parties can cooperate to achieve Data Protection by Design and by Default (DPbDD).
When deciding on the appropriate data protection compliance measures to adopt, controllers may arrive at different interpretations of the General Data Protection Regulation ((EU) 2016/679) (GDPR) and, thus, at different implementation mechanisms. In practice, GDPR compliance therefore forces the entities it applies to into case-by-case approaches, leaving room for differing perceptions and even unpredictability.
In this context, the guidelines provide general guidance on the DPbDD obligation set forth in Article 25 of the GDPR, which applies to all controllers, irrespective of their size or the complexity of their processing.
To thoroughly implement the requirements of DPbDD, it is crucial that all controllers understand Article 25, which makes controllers responsible for the effective implementation of the data protection principles and of data subjects’ rights and freedoms, by design and by default.
As a quick reminder, the obligation to adhere to DPbDD states that controllers must show they have:
- Built in compliance measures, including appropriate technical and organizational measures, from the outset, which are continually monitored and updated during their processing of personal data (by design); and
- Given consideration to their processing activities so that only personal data which is necessary for a specific purpose is processed (by default).
Data protection by design
Article 25(1) of the GDPR places two key obligations on data controllers when designing products and services, namely to:
- implement appropriate technical and organizational measures that are designed to implement the data protection principles (as set out in Article 5 of the GDPR); and
- integrate necessary safeguards into the processing to meet the requirements of the GDPR and protect the rights of data subjects (as set out in Articles 12-22 of the GDPR).
Although both obligations serve to protect the rights of data subjects throughout processing, they are framed broadly. To narrow their application, the requirement of appropriateness should be read as closely tied to the requirement of effectiveness, which is the central point of data protection by design: the adopted measures must actually produce the intended results, and so must be specific to the context of the processing and its particular elements. In practical terms, the controller may define key performance indicators (KPIs) to demonstrate the effectiveness of the chosen measures and safeguards.
In this respect, the guidelines further highlight indicators that can help controllers find the best-fit solution that meets GDPR requirements.
Data protection by default
Article 25(2) requires that controllers implement data protection by default. This means that only personal data which is necessary for each specific purpose of the processing is processed. The decisions made by the controller on the basic configuration of the processing should be made with data protection considerations in mind.
The controller should pay attention to three basic limits:
- collecting more data than is necessary is forbidden (material restriction);
- the data collected shall not be processed beyond what is necessary for the controller's purposes (purpose restriction);
- the data shall not be stored for longer than necessary (time restriction).
The guidelines also give practical examples and recommendations on how controllers, processors and third parties can cooperate to achieve DPbDD, emphasizing that measures must be implemented in an effective and targeted manner, and that generic measures may therefore not be sufficient.