(78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.
There is no recital in the Directive related to article 25.
The GDPR
Article 25 defines the obligations of the controller resulting from the principles of data protection by design and data protection by default.
The objective of the European legislature is to make the protection of fundamental rights more effective and more dynamic, by strengthening the classic principles of necessity, proportionality, purpose and transparency with new principles such as data protection by design (see Article 25 (1)) and data protection by default (see Article 25 (2)).
The purpose of these principles is to take the rights and interests of individuals into account from the very design of the data processing and of its default settings onward.
According to paragraph 1 of article 25, the principle of data protection by design requires the controller to implement appropriate technical and organizational measures, both at the time of the determination of the means for processing and at the time of the processing itself, so as to make the processing compliant with the Regulation, taking into account the risks inherent in the processing.
The measures to be adopted must take account of the available technologies, the costs associated with their implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risk that the processing presents to the rights and freedoms of individuals.
Among these measures, paragraph 1 indicates minimisation and pseudonymisation. The notion of pseudonymisation must be understood as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person" (Art. 4 (5)). On the other hand, the notion of minimisation is not defined in the Regulation but is explained in Article 5 (c).
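The Art. 4 (5) definition above has two concrete parts: the pseudonym itself must not be attributable to the person without "additional information", and that additional information must be kept separately. The following is an added example (not code from the page or from any regulator) that implements both parts, together with minimisation, on a constructed sample data set. It uses a keyed HMAC rather than a plain hash so that guessing names or e-mail addresses does not reverse the token, keeps the key and the re-identification table apart from the analysis set, and coarsens exact ages into bands so the analysis set carries only what the purpose needs. Field names and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example (not real people).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "age": 34, "diagnosis": "J06"},
    {"name": "Bob Example", "email": "bob@example.org", "age": 71, "diagnosis": "I10"},
    {"name": "Alice Example", "email": "alice@example.org", "age": 34, "diagnosis": "E11"},
]

# Fields that identify the person directly; they never reach the analysis set.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(record, key):
    """Keyed token (HMAC-SHA256) computed over the direct identifiers.

    A keyed MAC rather than a bare hash: names and e-mail addresses come from a
    small, guessable space, so an unkeyed hash could be reversed by hashing
    candidates. Without `key` the token cannot be linked to the person, while
    the same person always gets the same token, so longitudinal analysis works.
    """
    subject = "\x1f".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, subject.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(age):
    """Minimisation: replace the exact age with a 10-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymise(records, key):
    """Return (analysis_set, reidentification_table).

    `analysis_set` contains the pseudonym plus the minimised fields the purpose
    needs. `reidentification_table` is the "additional information" of Art. 4 (5):
    it, like `key`, must be stored separately from the analysis set and under
    its own access controls.
    """
    analysis_set = []
    table = {}
    for rec in records:
        token = pseudonym(rec, key)
        table[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        analysis_set.append(
            {"pseudonym": token, "age_band": age_band(rec["age"]), "diagnosis": rec["diagnosis"]}
        )
    return analysis_set, table


def contains_direct_identifiers(analysis_set):
    """Check an outgoing data set: no direct identifier may survive in it."""
    return any(f in row for row in analysis_set for f in DIRECT_IDENTIFIERS)


def reidentify(token, table):
    """Controller-side lookup; only possible for whoever holds the separate table."""
    return table.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once; stored apart from the data set
    rows, table = pseudonymise(RECORDS, key)
    for row in rows:
        print(row)
    print("identifiers leaked:", contains_direct_identifiers(rows))
    print("re-identified:", reidentify(rows[1]["pseudonym"], table))
```

Rotating the key or deleting the table turns the analysis set into data that the controller itself can no longer attribute to anyone, which is the practical test of whether the "additional information" really was kept separately.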
Pursuant to this principle, new innovative and responsible techniques need to be developed to facilitate the exercise of individual rights to object, to access, to opt-out, to rectification and the right to data portability (see EDPS, Opinion 7/2015 of 19 November 2015, p. 14 et seq.).
The second paragraph addresses the principle of data protection by default. This principle requires the controller to adopt measures that limit, by default, the processing of personal data to what is strictly necessary, with regard to the amount of data processed, their accessibility and the period of their storage. For example, when the processing is not intended to provide information to the public, the principle of data protection by default requires the implementation of mechanisms guaranteeing that, by default and without any intervention by the data subject, the data is not made accessible to an indefinite number of individuals. It is in fact a strict application of the principle of necessity already contained in the principle of purpose itself.
Finally, article 25 in its paragraph 3 provides in fine that the controller may use a certification mechanism approved in accordance with article 42 in order to demonstrate compliance with the aforementioned obligations.
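The three dimensions named in paragraph 2 (amount of data, accessibility, storage period) are all decided by the settings an account starts with, before the person has touched anything. The following is an added example (not code from the page) of a constructed user-profile service that shows the protective defaults beside the "opt-out" defaults the paragraph is meant to rule out: under the protective defaults nobody outside the account holder can read the profile, an optional field is simply not stored, and inactive data becomes due for deletion after a short period, unless the data subject deliberately chose otherwise. The field names, audiences and retention values are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Settings a new account starts with (constructed values for the example).
PRIVACY_DEFAULTS = {
    "visibility": "private",    # accessibility: only the account holder sees the profile
    "collect_location": False,  # amount of data: the optional field is not stored
    "retention_days": 30,       # storage period: inactive data is purged after a month
}

# The opposite, "opt-out" defaults that Article 25 (2) rules out.
OPT_OUT_DEFAULTS = {
    "visibility": "public",
    "collect_location": True,
    "retention_days": 3650,
}


def create_account(display_name, email, defaults=PRIVACY_DEFAULTS, choices=None):
    """Build an account; `choices` holds settings the data subject changed deliberately."""
    settings = {**defaults, **(choices or {})}
    return {
        "display_name": display_name,
        "email": email,
        "location": None,
        "settings": settings,
        "last_active": datetime.now(timezone.utc),
    }


def record_location(account, location):
    """Store the optional field only if the setting allows it; otherwise discard it."""
    if account["settings"]["collect_location"]:
        account["location"] = location
        return True
    return False


def view(account, audience):
    """Return the fields `audience` ('owner', 'contact' or 'anyone') may read.

    The e-mail address is never shown to anyone but the owner; what contacts and
    the public can see is governed by the visibility setting.
    """
    visibility = account["settings"]["visibility"]
    if audience == "owner":
        allowed = ("display_name", "email", "location")
    elif audience == "contact" and visibility in ("contacts", "public"):
        allowed = ("display_name", "location")
    elif audience == "anyone" and visibility == "public":
        allowed = ("display_name", "location")
    else:
        allowed = ()
    return {f: account[f] for f in allowed if account[f] is not None}


def due_for_deletion(account, now):
    """True once the account has been inactive for longer than its retention period."""
    cutoff = account["last_active"] + timedelta(days=account["settings"]["retention_days"])
    return now >= cutoff


if __name__ == "__main__":
    protective = create_account("Carol", "carol@example.org")
    opt_out = create_account("Carol", "carol@example.org", defaults=OPT_OUT_DEFAULTS)
    for label, acct in (("privacy defaults", protective), ("opt-out defaults", opt_out)):
        record_location(acct, "Brussels")
        print(label, "-> anyone sees:", view(acct, "anyone"))
```

Comparing the two `view(acct, "anyone")` results is the audit question paragraph 2 asks: what does an indefinite number of people learn about a person who has done nothing at all?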
The Directive
No provision of the Directive specifically covers the protection of data by design and the protection of data by default.
Potential issues
The two new obligations of data protection by design and by default will pose difficulties in implementation, in that they require data protection to be considered at every stage of the processing and by every category of person involved in it. They need to be implemented in close collaboration between the different positions within the controller's organisation, each of which needs awareness, or even genuine knowledge, of the principles involved: technical data processing staff (programmers, analysts, statisticians, etc.), staff in the legal and compliance field and, as appropriate, other operational staff (marketing, etc.).
The task is all the more difficult because it involves delicate assessments (the principle of necessity, the weighing of risk, etc.) that genuinely require know-how and experience.
European Union
European data protection board (EDPB)
Guidelines on Article 25 - 4/2019 (20 October 2020)
In an increasingly digital world, adherence to Data Protection by Design and by Default requirements plays a crucial part in promoting privacy and data protection in society. It is therefore essential that controllers take this responsibility seriously and implement the GDPR obligations when designing processing operations.
These Guidelines give general guidance on the obligation of Data Protection by Design and by Default (henceforth “DPbDD”) set forth in Article 25 in the GDPR. DPbDD is an obligation for all controllers, irrespective of size and varying complexity of processing. To be able to implement the requirements of DPbDD, it is crucial that the controller understands the data protection principles and the data subject’s rights and freedoms.
The core obligation is the implementation of appropriate measures and necessary safeguards that provide effective implementation of the data protection principles and, consequentially, data subjects' rights and freedoms by design and by default. Article 25 prescribes both design and default elements that should be taken into account. Those elements will be further elaborated in these Guidelines.
Article 25(1) stipulates that controllers should consider DPbDD early on when they plan a new processing operation. Controllers shall implement DPbDD before processing, and also continually at the time of processing, by regularly reviewing the effectiveness of the chosen measures and safeguards. DPbDD also applies to existing systems that are processing personal data.
The Guidelines also contain guidance on how to effectively implement the data protection principles in Article 5, listing key design and default elements as well as practical cases for illustration. The controller should consider the appropriateness of the suggested measures in the context of the particular processing in question.
The EDPB provides recommendations on how controllers, processors and producers can cooperate to achieve DPbDD. It encourages the controllers in industry, processors, and producers to use DPbDD as a means to achieve a competitive advantage when marketing their products towards controllers and data subjects. It also encourages all controllers to make use of certifications and codes of conduct.