Article 25 GDPR: Difference between revisions
(→Commentary on Article 25: Changed intro, moved part from paragraph 1 and implemented it in the intro)
Revision as of 13:57, 17 February 2022
Legal Text
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Relevant Recitals
Commentary on Article 25
With the introduction of the GDPR, a provision solely dedicated to the concepts of “data protection by design” and “data protection by default” was introduced. The Data Protection Directive did not contain a similar provision. Although Article 17 DPD and Recital 46 DPD expressed a similar idea, they focused mostly on its security element.[1]
However, these concepts were not new: privacy by design and by default was originally conceptualised in the 1990s by the Canadian Information and Privacy Commissioner of Ontario.[2] The underlying idea is that, in order to be effective, data protection must be implemented ex ante. Hence, the controller must define the privacy requirements that need to be taken into account during engineering, and determine the default settings of the final product. Because of the differences between privacy and data protection, the GDPR speaks of data protection by design and by default rather than privacy by design and by default.[3]
The overall thrust of the provision is to impose an obligation on controllers to put in place technical and organisational measures that are designed to implement data protection principles and the rights of data subjects.[4] Although the controller is responsible for adherence to these principles, Recital 78 stipulates that producers of applications, products and services are encouraged to consider the data protection obligations that controllers need to fulfil. Hence, ultimately, the goal is that developers and controllers embrace a culture of responsibility and systematically identify processes which could infringe the GDPR.[5] As the EDPB stipulates, these concepts (should) reinforce each other.[6]
Article 25 is structured as follows: the first paragraph describes the principles of data protection by design in more detail. The second paragraph expands on this by describing the principles of data protection by default. The third paragraph is similar to the third paragraph of Article 24, since it explains that an approved certification mechanism, pursuant to Article 42, “may be used as an element to demonstrate compliance”.[7]
(1) Controller Obligations
Data Protection by Design
To have data processing which follows the principle of data protection by design, a controller needs to have a data strategy in place. A data strategy may consist of data guidelines, documentation, monitoring and the evaluation of measures.[8]
The GDPR does not contain concrete examples of data protection by design. However, the Spanish Data Protection Authority has published a useful guide with practical examples regarding a strategy for data collection[9] and processing.[10]
An important part of Article 25 GDPR is so-called “privacy engineering”.[11] Tactics for privacy engineering are needed in each step of the software design process and in the resulting PETs (privacy-enhancing technologies).[12]
The design and development of the system needs a privacy verification and validation process, which consists of integration of the system, proof, evaluations, and continuous maintenance.[13]
Privacy by design must also satisfy the following criteria:
State of the Art Technology
Article 25 GDPR requires the controller to take the state of the art into account when selecting technical and organisational measures for processing. In general, this means that the controller has to take into account the latest developments in its field and has to stay up to date with technology.
Costs of Implementation
According to the EDPB Guidelines 4/2019 on Article 25 GDPR, the “incapacity to bear the costs is no excuse for non-compliance with the GDPR”.[14] These “business costs” need to take into account not only the implementation costs, but also the costs of maintaining compliance.[15]
Nature, Scope, Context and Purpose of Processing
The nature of processing is “the inherent characteristics of the processing”; the scope concerns the “size and range of processing”; the context “relates to the circumstances of the processing, which may influence the expectations of the data subject”; and the purpose “pertains to the aims of the processing”.[16]
Risks of Varying Likelihood and Severity for Rights and Freedoms of Natural Persons
The GDPR foresees a risk-based approach. In order to assess these risks, the EDPB Guidelines 4/2019 refer to the “EDPB Guidelines on Data Protection Impact Assessments (DPIA)”, which can be used to help determine risk [Reference?].
Time of Determination of the Means
The determination of the means of data processing “ranges from the abstract to the concrete detailed design elements of the processing, such as the architecture, procedures, protocols, layout and appearance”.[17] The controller has to assess the appropriate measures and safeguards in order to effectively implement the obligations arising out of the GDPR.
More problematic is what to do with an existing system (one that predates the GDPR coming into force in 2018) that cannot easily be changed. Outdated systems incompatible with the GDPR require that companies and institutions reassess their means of processing. Because the state of the art continuously changes, updating systems will be a continuous and necessary practical component of adhering to the privacy by design principle during ongoing processing activities.[18]
Time of the Processing
During the processing operation, regular re-assessments have to take place in order to verify and maintain GDPR compliance.[19]
Necessary Safeguards
On a technical level, there need to be safeguards on processing to guarantee the rights of data subjects. For example, according to Article 20 GDPR, the controller needs to be able to produce a document listing the processing activities carried out with regard to each data subject.
(2) Data Protection by Default
A violation of Article 25 GDPR can only arise in connection with a violation of other GDPR principles.[20] Article 25(2) GDPR is lex specialis in relation to Article 25(1) GDPR: Article 25(2) GDPR states that only the personal data which are necessary for each specific purpose shall be processed, while Article 25(1) GDPR regulates general privacy design obligations.[21]
Privacy by Default
“A ‘default’, as commonly defined in computer science, refers to the pre-existing or preselected value of a configurable setting that is assigned to a software application, computer program or device. Such settings are also called “presets” or “factory presets”, especially for electronic devices.”[22] It follows that if third-party software is used, controllers are obliged to disable features that collect personal data without a basis in Article 6(1) GDPR.[23] Defaults are also relevant where roles are allocated to staff who have access to data.[24] Finally, the storage period needs to be objectively justified and, if possible, data shall be deleted by default.[25]
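As an added illustration (not code from the GDPRhub page, the EDPB or the AEPD), the following Python module models a processing preset along the four dimensions Article 25(2) names (amount collected, extent of processing, storage period, accessibility) and checks whether a given default is data-minimising; the field names, retention values and sample records are constructed for the example.

```python
"""Privacy-by-default check along the four dimensions of Article 25(2) GDPR.
Added example; all field names, retention values and sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ProcessingConfig:
    purpose: str
    fields_collected: frozenset   # amount of personal data collected
    fields_required: frozenset    # data actually necessary for the purpose
    analytics_enabled: bool       # extent of processing beyond the stated purpose
    retention_days: int           # storage period
    retention_justified: bool     # has the period been objectively justified?
    profile_visibility: str       # "private", "contacts" or "public" (accessibility)


def default_config(purpose, fields_required, retention_days):
    """Data-minimising preset: collect only the necessary fields, keep optional
    analytics off, and do not expose data to an indefinite number of persons."""
    required = frozenset(fields_required)
    return ProcessingConfig(purpose, required, required, analytics_enabled=False,
                            retention_days=retention_days, retention_justified=True,
                            profile_visibility="private")


def check_defaults(cfg):
    """Return Article 25(2) findings for a preset; an empty list means no finding."""
    findings = []
    excess = cfg.fields_collected - cfg.fields_required
    if excess:  # amount: more data than the purpose needs
        findings.append(f"amount: '{cfg.purpose}' collects unnecessary fields {sorted(excess)}")
    if cfg.analytics_enabled:  # extent: optional processing switched on by default
        findings.append("extent: optional analytics enabled by default; needs an Article 6(1) basis")
    if not cfg.retention_justified or cfg.retention_days <= 0:  # storage period
        findings.append("storage: retention period not objectively justified")
    if cfg.profile_visibility == "public":  # accessibility without the individual's intervention
        findings.append("accessibility: data exposed to an indefinite number of persons by default")
    return findings


def due_for_deletion(records, cfg, today):
    """Deletion by default: ids of records whose retention period has elapsed.
    Each record is a dict with 'id' and 'created' (a datetime.date)."""
    limit = timedelta(days=cfg.retention_days)
    return [r["id"] for r in records if today - r["created"] >= limit]


if __name__ == "__main__":
    preset = default_config("newsletter", {"email"}, retention_days=30)
    print(check_defaults(preset))  # []
    sample = [{"id": 1, "created": date(2022, 1, 1)}, {"id": 2, "created": date(2022, 2, 10)}]
    print(due_for_deletion(sample, preset, date(2022, 2, 17)))  # [1]
```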
Appropriate Technical and Organisational Measures
Before analysing technical and organisational measures, it needs to be clarified what “appropriate” means. The same wording is used in Article 24 GDPR and Article 32 GDPR, and the EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data[26] can be used for insight. Some commentaries also name examples of technical measures[27] and of organisational measures that implement data protection principles.[28]
Above all, controllers have to demonstrate that the measures they have implemented are effective.
Certification Mechanism
A certification mechanism could be the certification described in Article 42 GDPR, but this remains debated.[29]
Decisions
→ You can find all related decisions in Category:Article 25 GDPR
References
- ↑ Bygrave, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 25 GDPR, p. 573 (Oxford University Press 2020).
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 1 (Beck 2018, 2nd ed.) (accessed 19 August 2021).
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 25, para 1 (C.H.Beck 2020).
- ↑ Bygrave, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 25 GDPR, p. 576 (Oxford University Press 2020).
- ↑ AEPD, Guía de Privacidad desde el Diseño, October 2019, p. 3.
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, p. 9.
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 25, para 1 (C.H.Beck 2020).
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 18 (Beck 2018, 2nd ed.) (accessed 19 August 2021).
- ↑ AEPD, Guía de Privacidad desde el Diseño, October 2019, p. 24: These practical examples consist of (1) minimisation: limit the data to the minimum needed (selection, exclusion, cutting off and deletion by means of anonymisation, pseudonymisation, blocking the possibility to link data with each other); (2) hiding: measures that prevent personal data from becoming public or known (restrict access possibilities, disassociate and aggregate credential-based attributes, mix or encrypt data); (3) separating: separate data in different containers, isolate data or distribute them by means of anonymous blacklists, homomorphic encryption, physical and logical separation; (4) abstraction: leave out details to the highest extent possible (summarising, grouping and perturbing with aggregation in time, k-anonymity, obfuscation of measurements by adding noise, dynamic location granularity).
- ↑ AEPD, Guía de Privacidad desde el Diseño, October 2019, p. 25: These practical examples consist of (1) information: informing data subjects about the processing and its conditions via simple explanations and notifications (also: notification of data breaches, dynamic visualisation of privacy policies, privacy icons and processing alerts); (2) control: giving data subjects control over their personal data by consent, alert, choice, updating and retraction (panels to choose preferences, active presence transmission, selection of credentials, informed consent); (3) compliance: respecting and reinforcing compliance with obligations imposed by current legislation and the controller's own privacy policies (definitions, maintenance and defence, evaluation of DPIAs, access control, management of obligations, compliance with policies); (4) demonstration: showing that processing respects privacy by means of records, audits and information.
- ↑ AEPD, Guía de Privacidad desde el Diseño, October 2019, pp. 17 et seqq. (e.g. disconnecting information from each other: minimise, abstract, separate, hide; control: comply, demonstrate; transparency: inform).
- ↑ AEPD, Guía de Privacidad desde el Diseño, October 2019, p. 16, citing Commission, Communication from the Commission to the European Parliament and the Council on Promoting Data Protection by Privacy Enhancing Technologies (PETs), 2 May 2007, p. 3: “...the use of appropriate technological measures is an essential complement to legal means and should be an integral part in any efforts to achieve a sufficient level of privacy protection...".
- ↑ AEPD, Guía de Privacidad desde el Diseño, October 2019, p. 15.
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, p. 9.
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, pp. 8 et seq.
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, p. 9.
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, p. 10.
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 14 (Beck 2018, 2nd ed.) (accessed 19 August 2021).
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, pp. 10 et seq.
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 3 (Beck 2018, 2nd ed.) (accessed 19 August 2021).
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 8 (Beck 2018, 2nd ed.) (accessed 19 August 2021).
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, p. 11.
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, p. 11.
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, pp. 11 et seq.
- ↑ EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020, p. 13.
- ↑ EDPS, Guidelines on Assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data, 19 December 2019, pp. 1 et seqq.
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 16 (Beck 2018, 2nd ed.) (accessed 19 August 2021): (1) pseudonymization (Article 4 nr. 5), (2) encryption, (3) access controls, (4) anonymization, (5) aggregation, (6) transparency on functions and processing, (7) control of processing via dashboards, (8) purpose principle.
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 17 (Beck 2018, 2nd ed.) (accessed 19 August 2021): (1) training, (2) internal checks/audits, (3) interdisciplinary project teams, (4) ethics committees for complex assessments (Article 5(1)(a) GDPR), (5) role and access concepts (Article 5(1)(c) GDPR), (6) deletion concepts (Article 5(1)(e) GDPR), (7) voluntary DPIAs (Articles 35 and 5(2) GDPR).
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 32 (Beck 2018, 2nd ed.) (accessed 19 August 2021).