
Privacy by default

Privacy by default obliges controllers under Article 25(2) GDPR to ensure, through data protection-friendly default settings, that by default only the personal data necessary for each specific purpose is processed without any action by the data subject.

Privacy by default (data protection-friendly default settings) is, alongside privacy by design, one of the two central pillars of Article 25 GDPR. While privacy by design targets data protection-compliant technical design, privacy by default under Article 25(2) GDPR requires that default settings ensure that, by default, only personal data that is necessary for each specific processing purpose is processed. The decisive factor is therefore the as-delivered or factory state of a product, app or service: without active intervention by the data subject, the most data protection-friendly configuration must apply.

According to the wording of the provision, this obligation expressly extends to the amount of personal data collected, the extent of its processing, its period of storage and its accessibility. Privacy by default thus directly operationalises the principles of data minimisation (Article 5(1)(c) GDPR), purpose limitation (Article 5(1)(b) GDPR) and storage limitation (Article 5(1)(e) GDPR). In concrete terms this means, for example: optional profiling is disabled by default, fields that are not strictly required are not pre-filled, visibility settings in social networks are preset to the narrowest circle, and personal data must not be made accessible to an indefinite number of natural persons without the person's intervention (Article 25(2) sentence 3 GDPR).

The addressee of the obligation is the controller, not the software manufacturer; nevertheless, the requirement effectively affects the entire supply chain, because controllers must deploy products that can be configured in a data protection-friendly way. When implementing it, controllers must take into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons. Infringements of Article 25 GDPR are subject to fines under Article 83(4)(a) GDPR; at the same time, demonstrable implementation serves the accountability principle of Article 5(2) GDPR. Compliance may be demonstrated under Article 25(3) GDPR through approved certification mechanisms.

Legal Basis

Article 25(2) GDPR (data protection by default); supplemented by Article 5(1)(b), (c), (e) and (2) GDPR and Recital 78 GDPR

Practical Example

An online shop introduces a new customer account. In the registration form, the checkboxes for the newsletter and for analysing usage behaviour for advertising purposes are unticked by default; only name, email address and password are marked as mandatory fields. The data protection coordinator documents in the record of processing activities that the profile visibility is set to 'private' by default and that order data is automatically deleted once the statutory commercial retention periods expire. The customer must therefore actively consent if they want any further processing – the default setting itself remains data protection-friendly and satisfies Article 25(2) GDPR.

FAQ

Privacy by design (Article 25(1) GDPR) concerns the data protection-compliant design of processing systems throughout their entire life cycle. Privacy by default (Article 25(2) GDPR) refers specifically to the default settings: in the as-delivered state, only the data necessary for the purpose may be processed without any action by the person. Both principles complement each other and appear in the same provision.

Under Article 25 GDPR the addressee is the controller, not the software manufacturer. The controller must configure the default settings of the systems it deploys in a data protection-friendly way and must be able to demonstrate this. In practice, however, the obligation influences the entire supply chain, since only products that can be pre-configured can be operated in a compliant manner.

Infringements of Article 25 GDPR can be penalised under Article 83(4)(a) GDPR with fines of up to EUR 10 million or 2 percent of total worldwide annual turnover. A lack of implementation also breaches the accountability principle of Article 5(2) GDPR and may give rise to claims for compensation by affected data subjects.
