Article 25 GDPR
Legal Text
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Relevant Recitals
Commentary
Article 25 GDPR establishes the idea of data protection "by design and by default".[1] Accordingly, controllers must put in place technical and organisational measures that are designed to implement data protection principles.[2] This means that when programming, designing, and conceptualizing systems and programs, as well as when acquiring systems and services from third parties, the relevant data protection aspects should be taken into account and integrated into the technology.[3] The first paragraph describes the principles of data protection by design in more detail. The second paragraph expands on this by describing the principles of data protection by default. The third paragraph explains that an approved certification mechanism, pursuant to Article 42, may be used as an element to demonstrate compliance.[4]
(1) Data protection by design
The controller must implement every measure that is capable of effectively realizing the principles of correct data processing (Article 5), meeting the requirements of the whole Regulation and ensuring the protection of the data subject's rights (including Articles 12-22). This should happen from the beginning of the processing and throughout all subsequent stages. These obligations must be addressed with practical and effective solutions.[5]
The controller
The main obligations under Article 25 are directed specifically at the controller, which remains accountable for fulfilling all legal obligations related to data processing. Processors are indirectly affected since, under Article 28(1) GDPR, a controller shall only use processors providing the same standards under Article 25 GDPR.[6] Manufacturers or producers of systems are not directly addressed by the GDPR. Nevertheless, as suggested by Recital 78, they are influenced by data protection laws, either indirectly or due to market dynamics. This encourages manufacturers and service providers to offer and introduce products, systems, and services that prioritize data protection.[7]
Taking into account...
Article 25 (1) lists elements that the controller has to take into account when determining the measures of a specific processing operation.
State of the art
In general, this means that the controller has to take into account the latest developments in its field and has to stay up-to-date with technology. In detail, the interpretation of this criterion can be challenging, requiring appropriate technical expertise and experts to resolve any doubts unless guidelines are provided by supervisory authorities.[8]
EDPB: In the context of Article 25, the reference to “state of the art” imposes an obligation on controllers, when determining the appropriate technical and organisational measures, to take account of the current progress in technology that is available in the market. The requirement is for controllers to have knowledge of, and stay up to date on technological advances; how technology can present data protection risks or opportunities to the processing operation; and how to implement and update the measures and safeguards that secure effective implementation of the principles and rights of data subjects taking into account the evolving technological landscape.[9]
However, "state of the art" also refers to organisational measures, meaning that the internal policies, training etc., must also be assessed accordingly. Although existing standards can indicate what is "state of the art", this assessment must be done continuously.
Cost of implementation
The cost factor does not impose an obligation on the controller to allocate an excessive amount of resources if there are alternative measures available that are less resource-intensive yet still effective. However, the implementation cost should be taken into consideration when incorporating data protection by design, rather than being used as a justification for not implementing it. Therefore, the chosen measures must guarantee that the controller's intended processing activities adhere to the principles, regardless of cost. Controllers should have the ability to manage overall costs in order to effectively implement all principles and, consequently, safeguard individual rights.[10]
Nature, scope, context and purpose of processing
These criteria have the same meaning as in Article 24(1) and Article 32(1). The "nature" of the processing consists of its "inherent characteristics" (i.e., special categories of personal data, automatic decision-making, skewed power relations, unpredictable processing, difficulties for the data subject to exercise their rights, etc.); the "scope" refers to the size and range of the processing; the "context" relates to all relevant circumstances; and with "purpose", the law refers to the aim of the processing. According to the EDPB, "[t]hese factors should be interpreted consistently with their role in other provisions of the GDPR, such as Articles 24, 32 and 35, with the aim of designing data protection principles into the processing."[11]
Risks of varying likelihood and severity for rights and freedoms of natural persons
The GDPR adopts a coherent risk-based approach in many of its provisions, in Articles 24, 25, 32 and 35, with a view to identifying appropriate technical and organisational measures to protect individuals and their personal data and to comply with the requirements of the GDPR.[12]
During the risk analysis to ensure compliance with Article 25, the controller is required to identify risks to the rights of data subjects that may arise from a breach of the principles. The likelihood and severity of these risks must be determined to implement effective measures for mitigating them. A controller shall always perform a data protection risk assessment with regard to a given processing activity.
EDPB: For example, a controller assesses the particular risks associated with a lack of freely given consent, which constitutes a violation of the lawfulness principle, in the course of the processing of personal data of children and young people under 18 as a vulnerable group, in a case where no other legal ground exists, and implements appropriate measures to address and effectively mitigate the identified risks associated with this group of data subjects.[13]
The methods used in carrying out a Data Protection Impact Assessment (DPIA) under Article 35 may be useful in this regard.[14]
Shall implement appropriate technical and organisational measures and necessary safeguards
A technical or organisational measure and safeguard can be anything from the use of advanced technical solutions to the basic training of personnel.[15] Examples that may be suitable, depending on the context and risks associated with the processing in question, include pseudonymisation of personal data;[16] storing personal data in a structured, commonly used machine-readable format; enabling data subjects to intervene in the processing; providing information about the storage of personal data; having malware detection systems; training employees about basic "cyber hygiene"; establishing privacy and information security management systems; obligating processors contractually to implement specific data minimisation practices, etc.[17]
Designed to implement data-protection principles in an effective manner and protecting data subjects' rights and freedoms
The measures to be implemented to ensure compliance with the principle of data protection by design must be understood in a broad sense. Any method that implements the data protection principles "effectively" can be used. As the EDPB stipulates, the "appropriateness" requirement is closely related to the requirement of "effectiveness".[18]
Integrate the necessary safeguards
To meet GDPR requirements
And to protect the rights of the data subject
Both at the time...
Controllers must assess their implemented measures "at the time of the determination of the means for processing" and "at the time of the processing itself", therefore from the beginning to the end, continually. Hence, the processing operations should be considered as early as possible, and the controller cannot use the "excuse" that it would lead to disproportionately high costs to implement data protection-friendly measures at a later stage.[19] More problematic is what to do with an existing system (one that pre-dated the entry into force of the GDPR) that cannot easily be changed. Companies and institutions must re-assess their means of processing if the systems they use are outdated and incompatible, in order to ensure compliance with the GDPR.[20] Because the state of the art continuously changes, updating systems will be a continuous and necessary practical component of adhering to the privacy by design principle during ongoing processing activities.[21]
(2) Data protection by default
The principle of data protection by default means that a product or service should have the most data protection-friendly settings configured when the product or service is first turned on or used.[22] The word "default" comes from computer science and means roughly "the pre-existing or preselected value of a configurable setting". Hence, the "factory presets", in the case of electronic products, should conform to the highest data protection standard.[23]
Scope
Although many different kinds of controllers fall under the scope of Article 25(2), it seems to primarily focus on internet-based services, like social media networks, but also on operating systems and "smart devices" that collect data. Sentence 3 of Article 25(3) seems to particularly refer to social media networks and similar services that offer to provide personal data to an indefinite number of people. It follows from the principle of data protection by default that users of such services can select how big the group of recipients of their personal data should be, but that the smallest group of people should be the standard.[24] Moreover, it follows that if third-party software is used, controllers are obliged to disable features that collect personal data without a basis in Article 6(1) GDPR. Lastly, the principle is also relevant where roles are allocated to staff who have access to data.[25]
Appropriate Technical and Organisational Measures
To ensure the highest "default" data protection standard, the controller must implement appropriate organisational and technical measures. Again, before analysing what these measures entail, it needs to be clarified what "appropriate" means. The EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data,[26] described in Article 24 GDPR and Article 32 GDPR, can be used for insight. Although the measures should be implemented to ensure compliance with every data protection principle, and are therefore to be understood the same way as in Article 25(1), the measures in the context of Article 25(2) apply especially to the principle of data minimisation.[27]
Dimensions of the data minimisation obligation
It follows from the second sentence of Article 25(2) that there are different dimensions that result from the obligation of data minimisation: the amount of personal data collected; the extent of their processing; the period of their storage; and their accessibility. By default, controllers should not collect a higher amount of data than is necessary for the purpose. Moreover, not every processing operation is necessary to fulfil the purpose. The storage period needs to be objectively justified and, if possible, data shall be deleted by default. Lastly, the controller must limit, by default, the number of persons that have access to the personal data.[28]
Differences with Principle of Data Protection by Design
Although the principles of data protection by design and by default are similar, there are considerable differences between them. First, "by design" is broader than "by default", since the focus of the latter principle is on ensuring data minimisation and confidentiality. Moreover, whereas "by design" seems to have a focus on the stages of the development of the product, "by default" focuses more on the end result: are the settings configured in such a way that data minimisation and confidentiality are ensured? However, although Article 25(1) mentions that the measures apply to both the development and the processing stage, this also has to be assumed for Article 25(2), even though the paragraph does not state it explicitly.[29] After all, a factory preset can only be set to the most data protection-friendly default setting when this end result has already been envisaged during the development process. Hence, as the EDPB stipulates, these concepts (should) reinforce each other. One can consider the following example: a company that produces operating software for a computer has, inter alia, to consider that a customer might want to change their settings in such a way that they can amend their data protection settings themselves, as follows from Article 25(1). However, when this computer is delivered to the customer, the default settings within the software must already be set in such a way that the data protection principles of data minimisation and confidentiality are already ensured, since this follows from Article 25(2).
(3) Approved Certification Mechanism
The last paragraph of the provision is similar to Article 24(3). It states that an "approved certification mechanism pursuant to Article 42" may be used as an element to demonstrate compliance with the requirements set out in the first two paragraphs of the provision. Hence, just like in Article 24(3), it follows from the word "element" that such adherence only supports the assumption that the controller is compliant, and does not prove it.[30]
Decisions
→ You can find all related decisions in Category:Article 25 GDPR
References
- ↑ The Data Protection Directive did not contain a similar provision. Although Article 17 DPD and Recital 46 had a similar thrust, the focus in those provisions revolved mostly around security. See, Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 25 GDPR, p. 573 (Oxford University Press 2020). However, these concepts were not new: privacy by design and by default was originally conceptualized in the 1990s by the Canadian Information and Privacy Commissioner of Ontario. They held that, in order to be effective, data protection must be implemented ex ante. Hence, the controller must define the privacy requirements that need to be taken into account while engineering, and determine the default settings of the final product. See, Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 1 (C.H. Beck 2018, 2nd Edition).
- ↑ Although the controller is responsible for adherence with these principles, Recital 78 stipulates that producers of applications, products, and services, are encouraged to consider the data protection obligations that controllers need to fulfil. Hence, the goal is to have developers and controllers embrace a culture of responsibility and systematically indicate processes which could infringe the GDPR, and to strengthen the data subject's trust in the processing systems. Martini, in Paal, Pauly, DS-GVO, Article 25, margin number 11 (C.H. Beck 2021, 3rd Edition), citing 'Cavoukian Privacy by Design - The 7 Foundational Principles', 2011, p. 1 (available here). See also, AEPD, Guía de Privacidad desde el Diseño, October 2019, pp. 6-7 (available here).
- ↑ Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 25 GDPR, p. 576 (Oxford University Press 2020).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25, margin number 10 (C.H. Beck 2020, 3rd Edition).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 6 (available here).
- ↑ Article 28(1) literally repeats the wording of Article 25(1): "processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject".
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition). The author also highlights the existence of an ongoing discussion regarding whether the delivery of software that does not prioritize data protection could be considered a defect that holds the manufacturer liable, even without a specific agreement. However, it is important to note that if there are no data protection-friendly technologies available on the market, and this represents the current state of the industry, manufacturers are not obligated to create new technologies. This aspect of the standard has received criticism due to potential interference with the economic freedom of manufacturers.
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 21 (C.H. Beck 2020, 3rd Edition). The author also points out that the concept also defines an upper limit to the controller's responsibility. Authorities cannot ask the controller to go beyond the "state of the art".
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 8 (available here).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), pp. 8-9 (available here).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 9 (available here).
- ↑ The assets to protect are always the same (the individuals, via the protection of their personal data), against the same risks (to individuals’ rights), taking into account the same conditions (nature, scope, context and purposes of processing).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), pp. 9-10 (available here).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), pp. 9-10 (available here).
- ↑ While the wording of Article 25 seemingly distinguishes between the concepts of "technical and organisational measures" and "safeguards", in practice, drawing a clear distinction between them can be challenging, if not unnecessary. Baumgartner, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 11 (C.H. Beck 2018, 2nd Edition). Moreover, the EDPB itself appears to follow this approach, as the two concepts are used interchangeably in the frequently referenced guidelines.
- ↑ Although "pseudonymisation" is the only measure that is listed in the provision as an example, the training of personnel, limiting access to personal data, or any technical measure like anonymisation or advanced encryption could all be effective measures. However, what distinguishes these measures from measures under Article 24(1) is that these measures are already designed in. For example: automatic erasure of certain personal data by the software to comply with the principle of storage limitation. Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 25 GDPR, p. 577 (Oxford University Press 2020).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 6 (available here).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 6 (available here).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 10 (available here); Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25, margin number 23 (C.H. Beck 2020, 3rd Edition).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 11 (available here).
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 14 (C.H. Beck 2018, 2nd Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25, margin number 24 (C.H. Beck 2020, 3rd Edition).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 11 (available here).
- ↑ Nolte, Werkmeister, in Gola, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 28 (C.H. Beck 2018, 2nd Edition); Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25, margin numbers 25-26 (C.H. Beck 2020, 3rd Edition).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 11 (available here).
- ↑ EDPS, ‘Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data’, 19 December 2019 (available here).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), p. 12 (available here).
- ↑ EDPB, 'Guidelines 4/2019 on Article 25 Data Protection by Design and by Default', 20 October 2020 (Version 2.0), pp. 12-14 (available here).
- ↑ Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 25 GDPR, p. 577 (Oxford University Press 2020).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25, margin numbers 25-26 (C.H. Beck 2020, 3rd Edition).