EDPB, Guidelines 4/2019 on Art. 25 GDPR, 13 November 2019

EDPB Consultation on Guidelines for Data Protection By Design and By Default

On 13 November 2019, the European Data Protection Board (EDPB) adopted Guidelines on Data Protection by Design and by Default. The Guidelines focus on the obligation of Data Protection by Design and by Default (DPbDD) set forth in Art. 25 GDPR and are open for public consultation until 16 January 2020.

The Guidelines give general guidance on the obligation of Data Protection by Design and by Default (henceforth “DPbDD”) set forth in Art. 25 GDPR, where the core obligation is the effective implementation of the data protection principles and of data subjects’ rights and freedoms by design and by default. This requires that controllers implement appropriate technical and organisational measures and the necessary safeguards, designed to implement the data protection principles in an effective manner and to protect the rights and freedoms of data subjects. Controllers must be able to demonstrate the effectiveness of the implemented measures.

Criteria for Data Protection by Design

The Guidelines cover the elements that controllers must take into account when designing the processing:
  • "State of the art":
    The criterion of “state of the art” requires controllers to stay up to date on technological progress in order to secure continued effective implementation of the data protection principles.
  • "Cost of implementation":
    The criterion of “cost of implementation” requires the controller to take into account the cost and resources required for the effective implementation and continued maintenance of all the data protection principles throughout the processing operation.
  • Other criteria:
    Other elements controllers must take into account are the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity to the rights and freedoms of natural persons posed by the processing.

Criteria for Data Protection by Default

Furthermore, Article 25 requires data protection by default, meaning that, by default, only personal data which are necessary for each specific purpose of the processing are processed. The default settings must therefore be designed with data protection in mind. Default settings include both the parameters chosen by the controller and those that data subjects are able to adjust themselves.

Guidance & Recommendations

The Guidelines also contain practical guidance on how to effectively implement the data protection principles of Art. 5(1) GDPR, listing key design and default elements as well as practical cases for illustration. The possibility of certification in accordance with Article 42 and the enforcement of Article 25 by supervisory authorities are also addressed.

In closing, the EDPB provides recommendations on how controllers, processors and technology providers can cooperate to achieve DPbDD and on how DPbDD can be used as a competitive advantage.

Verlag Dr. Otto Schmidt, 26.11.2019 15:13