Article 25 GDPR: Difference between revisions

From GDPRhub
==Commentary==


== '''''Overview''''' ==
Privacy by design and by default were already conceived in the 1990s by the Canadian Information and Privacy Commissioner of Ontario.[[Article 25 GDPR#%20ftn1|[1]]] According to this concept, data protection must be considered ex ante in order to be effective. The controller needs to define the requirements that have to be taken into account during engineering, as well as what the default settings of the final product or system should look like.


Article 25 GDPR aims to implement the data protection principles of Article 5 GDPR and the necessary safeguards, and to protect the rights of data subjects.[[Article 25 GDPR#%20ftn2|[2]]] The approach should be proactive.[[Article 25 GDPR#%20ftn3|[3]]] Therefore, a culture of compromise should be introduced, responsibilities attributed, and indicators introduced to flag processes and practices that could infringe the GDPR.[[Article 25 GDPR#%20ftn4|[4]]]


== '''''Article 25 (1) GDPR''''' ==


=== '''''Controller´s Obligations''''' ===
Article 25 GDPR addresses the controller, not the producers of technical products, services or systems, as the latter do not decide on the concrete purposes and means of processing.[[Article 25 GDPR#%20ftn5|[5]]] However, Recital 78 “encourages” them to take into account the right to data protection, in order to enable controllers and processors to fulfil their data protection obligations. Although producers are not directly obliged, the invisible hand of supply and demand should lead to producers delivering products that adhere to the principles of data protection by design and by default.


==== '''''Data Protection by Design''''' ====
Processing that follows the principle of data protection by design requires a data strategy. This may consist of data guidelines, documentation, monitoring and the evaluation of measures.[[Article 25 GDPR#%20ftn6|[6]]]


The GDPR does not contain concrete examples of data protection by design; however, the Spanish Data Protection Authority has published a useful guide with practical examples of a strategy for data[[Article 25 GDPR#%20ftn7|[7]]] and for processes.[[Article 25 GDPR#%20ftn8|[8]]]


An important part of Article 25 GDPR is so-called “privacy engineering”, which is split into different steps, i.e. privacy strategies.[[Article 25 GDPR#%20ftn9|[9]]] Each step requires tactics and software design patterns and, in the end, PETs (privacy-enhancing technologies).[[Article 25 GDPR#%20ftn10|[10]]]


The design and development of the system require verification and validation of privacy, which consists of the integration of the system, testing and evaluation, operation and continuous maintenance. This is the integration and testing phase of the project.[[Article 25 GDPR#%20ftn11|[11]]]


=== '''''State of the art''''' ===
Article 25 GDPR refers not only to security measures, but also to technical and organizational measures regarding processing. In general, this means that the controller has to take into account the latest developments in the relevant fields and has to stay up to date.


=== '''''Costs of implementation''''' ===
According to the EDPB Guidelines 4/2019 on Article 25, the “incapacity to bear the costs is no excuse for non-compliance with the GDPR”.[[Article 25 GDPR#%20ftn12|[12]]] These “business costs” need to take into account not only the implementation costs, but also the follow-up on them, in order to preserve compliance.[[Article 25 GDPR#%20ftn13|[13]]]


=== '''''Nature, scope, context and purpose of processing''''' ===
The nature of processing is “the inherent characteristics of the processing”,[[Article 25 GDPR#%20ftn14|[14]]] the scope concerns the “size and range of processing”,[[Article 25 GDPR#%20ftn15|[15]]] the context “relates to the circumstances of the processing, which may influence the expectations of the data subject” and the purpose “pertains to the aims of the processing”.[[Article 25 GDPR#%20ftn16|[16]]]


=== '''''Risks of varying likelihood and severity for rights and freedoms of natural persons''''' ===
The GDPR foresees a risk-based approach. In order to assess these risks, the EDPB Guidelines 4/2019 refer to the EDPB Guidelines on Data Protection Impact Assessments (DPIA), which can be used as an aid in determining the risk.


=== '''''Time of determination of the means''''' ===
The determination of the means of processing takes place in an early phase of planning a new processing activity, i.e. it “ranges from the abstract to the concrete detailed design elements of the processing, such as the architecture, procedures, protocols, layout and appearance”.[[Article 25 GDPR#%20ftn17|[17]]] The controller has to assess the appropriate measures and safeguards in order to effectively implement the obligations arising out of the GDPR.


However, the point in time is problematic when a whole system already exists that cannot easily be changed. This may be an issue in practical terms, as the GDPR came into force only in 2018. Therefore, many companies and institutions need to reassess their means of processing. In any case, the privacy by design principle needs to be observed throughout the ongoing processing activities, because the state of the art changes continuously.[[Article 25 GDPR#%20ftn18|[18]]]


=== '''''Time of the processing''''' ===
During the processing operation, regular reassessments have to take place in order to remain compliant.[[Article 25 GDPR#%20ftn19|[19]]]


=== '''''Necessary safeguards''''' ===
Processes at a technical level are needed in order to guarantee the rights of data subjects. For example, under Article 20, the assessment process should be documented: which measures have been taken and why.


== '''''Art. 25 II GDPR – Data Protection by Default''''' ==
Art. 25 GDPR leads to a violation of the GDPR only where it is not adhered to in connection with other GDPR principles.[[Article 25 GDPR#%20ftn20|[20]]] Article 25 (2) GDPR is lex specialis in relation to Article 25 (1) GDPR: Article 25 (2) GDPR concerns the data subject, who should be able to decide on his or her own what is processed, whereas Article 25 (1) GDPR regulates only general obligations, which leaves some room for discretion.[[Article 25 GDPR#%20ftn21|[21]]]


=== '''''By default''''' ===
“A ‘default’, as commonly defined in computer science, refers to the pre-existing or preselected value of a configurable setting that is assigned to a software application, computer program or device. Such settings are also called “presets” or “factory presets”, especially for electronic devices.”[[Article 25 GDPR#%20ftn22|[22]]] It follows that if third-party software is used, controllers are obliged to disable features that collect personal data for which there is no legal basis under Art. 6 (1) GDPR.[[Article 25 GDPR#%20ftn23|[23]]] “By default” also comes into play when roles are allocated to staff who have access to data.[[Article 25 GDPR#%20ftn24|[24]]] Finally, the storage period needs to be objectively justified and, if possible, data shall be deleted by default.[[Article 25 GDPR#%20ftn25|[25]]]
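The four dimensions of Article 25 (2) (amount of data collected, extent of processing, storage period, accessibility) together with the privacy-preserving defaults described above, as an added Python model that is not from GDPRhub, the EDPB guidelines or the AEPD guide. The purposes, field names, roles, retention periods and sample records are constructed assumptions.

```python
"""Data protection by default (Art. 25 (2) GDPR) as a small executable model.
Hypothetical example: purposes, fields, roles, retention periods and the
sample record are constructed for illustration, not taken from any guidance."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Amount of data collected: per declared purpose, only the fields that are
# necessary for that purpose. Everything else is dropped at intake.
NECESSARY_FIELDS = {
    "order_fulfilment": {"customer_id", "shipping_address", "items"},
    "usage_analytics": {"customer_id", "items"},
}

# Period of storage: an objectively justified retention period per purpose.
RETENTION = {
    "order_fulfilment": timedelta(days=30),
    "usage_analytics": timedelta(days=7),
}

# Accessibility: roles allowed to read records of a purpose. An unknown
# purpose or role means no access; nothing is reachable by default.
ACCESS_ROLES = {
    "order_fulfilment": {"warehouse", "support"},
    "usage_analytics": {"analyst"},
}


@dataclass(frozen=True)
class Settings:
    """Configurable settings: every default is the privacy-preserving value."""
    third_party_telemetry: bool = False  # opt-in, never on out of the box
    profile_public: bool = False         # not visible to an indefinite number of persons


@dataclass
class Record:
    purpose: str
    collected_at: datetime
    data: dict


def collect(raw: dict, purpose: str, now: datetime) -> Record:
    """Intake: keep only the fields necessary for the declared purpose."""
    if purpose not in NECESSARY_FIELDS:
        raise ValueError(f"undeclared purpose: {purpose}")
    kept = {k: v for k, v in raw.items() if k in NECESSARY_FIELDS[purpose]}
    return Record(purpose=purpose, collected_at=now, data=kept)


def pseudonymise(record: Record, key: bytes) -> Record:
    """Extent of processing: replace the direct identifier with a keyed hash
    (HMAC-SHA256) so analytics never sees customer_id in the clear. The key
    stays with the controller; without it the pseudonym cannot be re-linked."""
    data = dict(record.data)
    if "customer_id" in data:
        mac = hmac.new(key, str(data["customer_id"]).encode(), hashlib.sha256)
        data["customer_id"] = mac.hexdigest()[:16]
    return Record(record.purpose, record.collected_at, data)


def purge_expired(records: list, now: datetime) -> list:
    """Period of storage: delete records older than their purpose's retention."""
    return [r for r in records if now - r.collected_at <= RETENTION[r.purpose]]


def can_access(record: Record, role: str, settings: Settings) -> bool:
    """Accessibility: deny unless the role is listed for the purpose, or the
    data subject has actively made the data public (their own intervention)."""
    if settings.profile_public:
        return True
    return role in ACCESS_ROLES.get(record.purpose, set())


def demo() -> dict:
    """Run the four checks on one constructed record and return the results."""
    now = datetime(2020, 9, 30, 10, 6, tzinfo=timezone.utc)
    raw = {"customer_id": 42, "shipping_address": "1 Example St", "items": ["book"],
           "birth_date": "1990-01-01", "email": "a@example.org"}  # constructed
    order = collect(raw, "order_fulfilment", now)
    stats = pseudonymise(collect(raw, "usage_analytics", now), b"constructed-key")
    stale = Record("usage_analytics", now - timedelta(days=8), {})
    return {
        "order_fields": sorted(order.data),
        "stats_fields": sorted(stats.data),
        "pseudonym": stats.data["customer_id"],
        "kept_after_purge": len(purge_expired([order, stats, stale], now)),
        "warehouse_can_read_order": can_access(order, "warehouse", Settings()),
        "analyst_can_read_order": can_access(order, "analyst", Settings()),
        "anonymous_after_opt_in": can_access(order, "anonymous", Settings(profile_public=True)),
        "telemetry_default": Settings().third_party_telemetry,
    }


if __name__ == "__main__":
    print(demo())
```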


=== '''''Appropriate technical and organizational measures''''' ===
Before analyzing the technical and organizational measures, it needs to be clarified what “appropriate” means.  


In order to assess what appropriate technical and organizational measures are, the EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data[[Article 25 GDPR#%20ftn26|[26]]] can be used; this has already been described under Art. 24 GDPR and Art. 32 GDPR.


Technical measures[[Article 25 GDPR#%20ftn27|[27]]] and organizational measures that implement data protection principles[[Article 25 GDPR#%20ftn28|[28]]] are also named as examples in some commentaries.


Above all, controllers have to demonstrate that the measures they have implemented are effective.


=== '''''Certification mechanism''''' ===
A certification mechanism could be one under Article 42, but it only makes communication with institutions easier.[[Article 25 GDPR#%20ftn29|[29]]]
----
[[Article 25 GDPR#%20ftnref1|[1]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 1.


[[Article 25 GDPR#%20ftnref2|[2]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 8.


[[Article 25 GDPR#%20ftnref3|[3]]] <nowiki>https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf</nowiki>, p. 7.


[[Article 25 GDPR#%20ftnref4|[4]]] <nowiki>https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf</nowiki>, p. 7.


[[Article 25 GDPR#%20ftnref5|[5]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 11.


[[Article 25 GDPR#%20ftnref6|[6]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 18 ff.8.


[[Article 25 GDPR#%20ftnref7|[7]]] <nowiki>https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf</nowiki>, p. 24:


These practical examples consist of: (1) '''Minimisation:''' limit the data to the minimum needed (selection, exclusion, stripping and deletion by means of anonymisation, pseudonymisation, blocking the possibility of linking data with each other), (2) '''Hiding:''' measures that prevent personal data from being public or known (restrict access possibilities, disassociate and aggregate credential-based attributes, mix data or encrypt them), (3) '''Separating:''' separate data in different containers, isolate data or distribute them by means of anonymous blacklists, homomorphic encryption, physical and logical separation, (4) '''Abstraction:''' leave out details to the greatest extent possible (summarising, grouping and perturbing with aggregation in time, k-anonymity, obfuscation of measurements by adding noise, dynamic location granularity).


[[Article 25 GDPR#%20ftnref8|[8]]] <nowiki>https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf</nowiki>, p. 25:


These practical examples consist of: (1) '''Information''' of data subjects on the processing and its conditions via simple explanations and notifications (also: notification of data breaches, dynamic visualisation of privacy policies, privacy icons and processing alerts), (2) '''Control:''' giving data subjects control over their personal data by consent, alerts, choice, updating and reiteration (panels to choose preferences, active presence transmission, selection of credentials, informed consent), (3) '''Compliance:''' respecting and boosting compliance with obligations imposed by current legislation and the controller's own privacy policies (definitions, maintenance and defence, evaluation of DPIAs, access control, management of obligations, compliance with policies), (4) '''Demonstration:''' showing that processing respects privacy by logging, audit and information.


[[Article 25 GDPR#%20ftnref9|[9]]] <nowiki>https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf</nowiki>, p. 17 et seqq. (e.g. disconnecting information from each other: minimise, abstract, separate, hide; control: comply, show; transparency: inform).


[[Article 25 GDPR#%20ftnref10|[10]]] <nowiki>https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf</nowiki>, p. 16: “...the use of appropriate technological measures is an essential complement to legal means and should be an integral part in any efforts to achieve a sufficient level of privacy protection...” (<nowiki>https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52007DC0228&from=EN</nowiki>, p. 3).


[[Article 25 GDPR#%20ftnref11|[11]]] <nowiki>https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf</nowiki>, p. 15.


[[Article 25 GDPR#%20ftnref12|[12]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 24.


[[Article 25 GDPR#%20ftnref13|[13]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 23 f.


[[Article 25 GDPR#%20ftnref14|[14]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 27.


[[Article 25 GDPR#%20ftnref15|[15]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 27.


[[Article 25 GDPR#%20ftnref16|[16]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 27.


[[Article 25 GDPR#%20ftnref17|[17]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 33.


[[Article 25 GDPR#%20ftnref18|[18]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 14.


[[Article 25 GDPR#%20ftnref19|[19]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 37.


[[Article 25 GDPR#%20ftnref20|[20]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 3.


[[Article 25 GDPR#%20ftnref21|[21]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 8.


[[Article 25 GDPR#%20ftnref22|[22]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 39.


[[Article 25 GDPR#%20ftnref23|[23]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 41.


[[Article 25 GDPR#%20ftnref24|[24]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 43.


[[Article 25 GDPR#%20ftnref25|[25]]] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 52.


[[Article 25 GDPR#%20ftnref26|[26]]] EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data: <nowiki>https://edps.europa.eu/sites/edp/files/publication/19-02-25_proportionality_guidelines_en.pdf</nowiki> accessed on 3 September 2020.


[[Article 25 GDPR#%20ftnref27|[27]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 16: (1) pseudonymization (Article 4 nr. 5), (2) encryption, (3) access controls, (4) anonymization, (5) aggregation, (6) transparency on functions and processing, (7) control of processing via dashboards, (8) purpose principle.


[[Article 25 GDPR#%20ftnref28|[28]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 17: (1) training, (2) internal checks/audits, (3) interdisciplinary project teams, (4) ethics committees for complex assessments (Article 5 (1) (a) GDPR), (5) role and access concepts (Article 5 (1) (c) GDPR), (6) deletion concepts (Article 5 (1) (e) GDPR), (7) voluntary DPIAs (Articles 35, 5 (2) GDPR).


[[Article 25 GDPR#%20ftnref29|[29]]] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 32.
 



Revision as of 10:06, 30 September 2020

Article 25 - Data protection by design and by default
Chapter 10: Delegated and implementing acts

Legal Text

Article 25 - Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Relevant Recitals

Recital 78: Appropriate Technical and Organisational Measures

The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

Commentary

Overview

Privacy by design and by default were already conceived in the 1990s by the Information and Privacy Commissioner of Ontario, Canada.[1] According to this concept, data protection must be considered ex ante in order to be effective. The controller needs to define the requirements that have to be taken into account during engineering, as well as what the default settings of the final product or system should look like.

Article 25 GDPR aims to implement the data protection principles of Article 5 GDPR and the necessary safeguards, and to protect the rights of data subjects.[2] The approach should be proactive.[3] Therefore, a culture of compromise should be introduced, responsibilities should be attributed, and indicators should be introduced to flag processes and practices which could infringe the GDPR.[4]

Article 25 (1) GDPR

Controller´s Obligations

Article 25 GDPR addresses the controller, not the producers of technical products, services or systems, as the latter do not decide on the concrete purposes and means of processing.[5] However, Recital 78 “encourages” them to take into account the right to data protection, in order to enable controllers and processors to fulfil their data protection obligations. Although producers are not directly obliged, the invisible hand of supply and demand should lead them to deliver products that adhere to the principles of data protection by design and by default.

Data Protection by Design

To have data processing in place which follows the principle of data protection by design, the controller needs a data strategy. This may consist of data guidelines, documentation, monitoring and the evaluation of measures.[6]

The GDPR does not contain concrete examples of data protection by design; however, the Spanish Data Protection Authority (AEPD) has published a useful guide with practical examples regarding a strategy for data[7] and for processes.[8]

An important part of Article 25 GDPR is so-called “privacy engineering”, which is divided into different steps, i.e. privacy strategies.[9] Each step requires tactics and software design patterns and, in the end, PETs (privacy enhancing technologies).[10]

The design and development of the system require verification and validation of privacy, which consists of the integration of the system, testing and evaluation, operation and continuous maintenance. This is the integration and testing phase of the project.[11]

State of the art

Article 25 GDPR refers not only to security measures, but also to technical and organisational measures regarding the processing itself. In general, this means that the controller has to take into account the latest developments in the relevant fields and has to stay up to date.

Costs of implementation

According to the EDPB Guidelines 4/2019 on Article 25, the “incapacity to bear the costs is no excuse for non-compliance with the GDPR”.[12] These “business costs” need to take into account not only the initial implementation costs, but also the costs of following up on the measures in order to preserve compliance.[13]

Nature, scope, context and purpose of processing

The nature of processing is “the inherent characteristics of the processing”,[14] the scope concerns the “size and range of processing”,[15] the context “relates to the circumstances of the processing, which may influence the expectations of the data subject” and the purpose “pertains to the aims of the processing”.[16]

Risks of varying likelihood and severity for rights and freedoms of natural persons

The GDPR follows a risk-based approach. In order to assess these risks, the EDPB Guidelines 4/2019 refer to the EDPB Guidelines on Data Protection Impact Assessments (DPIA), which can be used as an aid in determining the risk.

Time of determination of the means

The determination of the means of data processing takes place in an early phase of planning a new processing activity; it “ranges from the abstract to the concrete detailed design elements of the processing, such as the architecture, procedures, protocols, layout and appearance”.[17] The controller has to assess the appropriate measures and safeguards in order to effectively implement the obligations arising from the GDPR.

However, the point in time is problematic where a whole system already exists that cannot easily be changed. This may be an issue in practical terms, as the GDPR came into force only in 2018; therefore, many companies and institutions need to reassess their means of processing. In any case, the privacy by design principle needs to be observed during the ongoing processing activities, because the state of the art changes continuously.[18]

Time of the processing

During the processing operation, regular reassessments have to take place in order to remain compliant.[19]

Necessary safeguards

These are processes on a technical level in order to guarantee the rights of data subjects. For example, with regard to Article 20 GDPR, the controller should document the assessment process, i.e. which measures have been taken and why.

Article 25 (2) GDPR – Data Protection by Default

A breach of Article 25 GDPR only constitutes a violation of the GDPR where it occurs in connection with other GDPR principles.[20] Article 25 (2) GDPR is lex specialis in relation to Article 25 (1) GDPR: Article 25 (2) GDPR concerns the data subject, who should be able to decide on his or her own what is processed, whereas Article 25 (1) GDPR regulates only general obligations, which leaves some room for discretion.[21]

By default

“A ‘default’, as commonly defined in computer science, refers to the pre-existing or preselected value of a configurable setting that is assigned to a software application, computer program or device. Such settings are also called “presets” or “factory presets”, especially for electronic devices.”[22] It follows that if third-party software is used, controllers are obliged to disable features that collect personal data whose processing cannot be based on Article 6 (1) GDPR.[23] “By default” also comes into play when roles are allocated to staff who have access to data.[24] Finally, the storage period needs to be objectively justified and, if possible, data shall be deleted by default.[25]
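One way to translate the four dimensions of Article 25 (2) GDPR (amount of data collected, extent of processing, storage period, accessibility) into the default settings of a processing system, written as an added illustration that is not part of the original commentary or of the EDPB Guidelines; the purposes, field names, retention periods, reference date and pseudonymisation key are constructed assumptions:

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed per-purpose allowlists: only the fields a purpose needs are kept
# (Article 25 (2): amount of personal data collected, extent of processing).
PURPOSE_FIELDS = {
    "order_fulfilment": {"customer_id", "address", "order_items"},
    "product_analytics": {"customer_id", "order_items"},
}
# Constructed retention periods in days (Article 25 (2): period of storage).
RETENTION_DAYS = {"order_fulfilment": 365, "product_analytics": 90}
# Purposes that never need the direct identifier: it is pseudonymised first.
PSEUDONYMISED_PURPOSES = {"product_analytics"}
# Constructed key for keyed pseudonymisation; in practice it is stored apart
# from the pseudonymised data so the mapping cannot be reversed without it.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"
# Constructed reference date used by the sample run below.
TODAY = date(2020, 9, 30)


@dataclass
class ProcessingRecord:
    purpose: str
    data: dict
    delete_after: date
    public: bool = False  # default: not accessible to an indefinite number of persons


def pseudonymise(value: str) -> str:
    """Keyed hash of an identifier (HMAC-SHA256, truncated to 16 hex characters)."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def process_by_default(raw: dict, purpose: str, today: date) -> ProcessingRecord:
    """Apply the data-protection-by-default settings for one declared purpose."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"undeclared purpose: {purpose}")  # no purpose, no processing
    minimised = {k: v for k, v in raw.items() if k in PURPOSE_FIELDS[purpose]}
    if purpose in PSEUDONYMISED_PURPOSES and "customer_id" in minimised:
        minimised["customer_id"] = pseudonymise(minimised["customer_id"])
    return ProcessingRecord(purpose, minimised,
                            today + timedelta(days=RETENTION_DAYS[purpose]))


def is_due_for_deletion(record: ProcessingRecord, today: date) -> bool:
    """Retention check: the data is deleted by default once its period has elapsed."""
    return today > record.delete_after


# Constructed sample input: a raw order form with more fields than any purpose needs.
RAW_ORDER = {"customer_id": "C-1001", "email": "alice@example.com",
             "address": "1 Example Street", "order_items": ["book"],
             "phone": "+00 000 0000"}
```

Fields such as email and phone never reach a purpose that has not declared them, the analytics purpose sees only a keyed pseudonym, every record carries a deletion date, and nothing is public unless explicitly changed.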

Appropriate technical and organizational measures

Before analyzing the technical and organizational measures, it needs to be clarified what “appropriate” means.

In order to assess what appropriate technical and organisational measures are, the EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data[26] can be used; this has already been described under Article 24 GDPR and Article 32 GDPR.

Technical measures[27] and organizational measures that implement data protection principles[28] are also named as examples in some commentaries.

Above all, controllers have to demonstrate that the measures they have implemented are effective.

Certification mechanism

A certification mechanism pursuant to Article 42 GDPR may be used, but it only makes communication with institutions easier.[29]


[1] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 1.

[2] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 8.

[3] https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf, p. 7.

[4] https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf, p. 7.

[5] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 11.

[6] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 18 ff.

[7] https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf, p. 24:

These practical examples consist of (1) Minimisation: limit the data to the maximum needed (selection, exclusion, cutting off and deletion by means of anonymisation and pseudonymisation, blocking the possibility of linking data with each other), (2) Hiding: measures that prevent personal data from becoming public or known (restricting access possibilities, disassociating and aggregating credential-based attributes, mixing data or encrypting them), (3) Separating: separating data into different containers, isolating data or distributing them by means of anonymous blacklists, homomorphic encryption, physical and logical separation, (4) Abstraction: leaving out details to the highest extent possible (summarising, grouping and perturbing with aggregation in time, k-anonymity, obfuscation of measurements by noise aggregation, dynamic location granularity).

[8] https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf, p. 25:

These practical examples consist of: (1) Information: informing data subjects about the processing and its conditions via simple explanations and notifications (also: notification of data breaches, dynamic visualisation of privacy policies, privacy icons and processing alerts), (2) Control: giving data subjects control over their personal data by consent, alert, choice, actualisation and reiteration (panels to choose preferences, active presence transmission, selection of credentials, informed consent), (3) Compliance: respecting and boosting compliance with obligations imposed by current legislation and the controller's own privacy policies (definitions, maintenance and defence, evaluation of DPIAs, access control, management of obligations, compliance with policies), (4) Demonstration: showing that the processing respects privacy by means of registering, audit and information.

[9] https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf, p. 17 et seqq. (e.g. disconnecting information from each other: minimise, abstract, separate, hide; control: comply, demonstrate; transparency: inform).

[10] https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf, p. 16: “...the use of appropriate technological measures is an essential complement to legal means and should be an integral part in any efforts to achieve a sufficient level of privacy protection...” (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52007DC0228&from=EN, p. 3).

[11] https://www.aepd.es/sites/default/files/2019-11/guia-privacidad-desde-diseno.pdf, p. 15.

[12] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 24.

[13] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 23 f.

[14] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 27.

[15] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 27.

[16] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 27.

[17] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 33.

[18] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 14.

[19] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 37.

[20] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 3.

[21] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 8.

[22] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 39.

[23] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 41.

[24] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 43.

[25] EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, adopted on 13 November 2019, Version 1.0, para 52.

[26] EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data: https://edps.europa.eu/sites/edp/files/publication/19-02-25_proportionality_guidelines_en.pdf accessed on 3 September 2020.

[27] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 16: (1) pseudonymization (Article 4 nr. 5), (2) encryption, (3) access controls, (4) anonymization, (5) aggregation, (6) transparency on functions and processing, (7) control of processing via dashboards, (8) purpose principle.

[28] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 17: (1) training, (2) internal checks/audits, (3) interdisciplinary project teams, (4) ethics committees for complex assessments (Article 5 (1) (a) GDPR), (5) role and access concepts (Article 5 (1) (c) GDPR), (6) deletion concepts (Article 5 (1) (e) GDPR), (7) voluntary DPIAs (Article 35, Article 5 (2) GDPR).

[29] Nolte/Werkmeister in Gola, DS-GVO, Kommentar, 2nd edition, 2018, Art. 25 para 32.



Decisions

→ You can find all related decisions in Category:Article 25 GDPR

References