Guidelines on data protection by design and by default

The EDPB published its Guidelines 4/2019 on Article 25 - Data Protection by Design and by Default (“DPbDD”), adopted on 13 November 2019 (the “Guidelines”). The Guidelines give an in-depth analysis of the DPbDD requirements by reviewing each condition of Article 25 in turn. They also focus on the controller's accountability: the controller must be able to demonstrate that appropriate measures and safeguards have been implemented so that the data protection principles (transparency, lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality) are effective in practice and protect the rights and freedoms of data subjects.

The EDPB reminds practitioners that DPbDD is a requirement for all controllers regardless of their size, applying to small local associations and multinational companies alike. Although addressed to controllers, the Guidelines may also be useful to processors and technology providers who wish to build GDPR-compliant products and services for controllers, which can become a competitive advantage in the market. Conversely, controllers are discouraged from using providers whose technology does not support DPbDD, because the controller remains accountable for any failure to implement it.

The Guidelines also state that DPbDD must be taken into account from the earliest stages of a planned processing operation so that controllers can correctly implement the data protection principles, and they provide, for each principle, an illustration together with the key DPbDD elements to consider.

The Guidelines further state that certification mechanisms may be used as an element to demonstrate compliance with the DPbDD requirements, and may be relied on by both controllers and processors to enhance trust in the processing of personal data.

The Guidelines are subject to public consultation until 16 January 2020; the EDPB welcomes comments from any interested person.
