Privacy by design
Privacy by design (data protection by design) obliges the controller under Art. 25 GDPR to build appropriate technical and organisational measures into a processing operation from the outset and throughout its entire lifecycle.
Privacy by design, referred to in the GDPR as "data protection by design", is a core obligation of the controller under Article 25(1) GDPR. The underlying idea is that data protection must not be bolted on afterwards but built into systems, processes and products from the very beginning. The controller must therefore, both at the time of determining the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures that give effect to the data protection principles of Article 5 GDPR, such as data minimisation, and integrate the necessary safeguards into the processing.
Which measures are "appropriate" is determined by Article 25(1) GDPR through a risk-based assessment: account must be taken of the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons. The legislator expressly names pseudonymisation as an example. Privacy by design is therefore not a fixed catalogue of measures but a continuous balancing exercise that becomes more demanding as risk rises and technology advances, and that must be reviewed across the entire lifecycle of a processing operation.
Closely linked is privacy by default (data protection by default) under Article 25(2) GDPR: default settings must ensure that, in principle, only the personal data necessary for each specific purpose are processed. Both obligations are subject to fines under Article 83(4) GDPR and form part of the accountability principle: the controller must be able to demonstrate that and how it has implemented the principles. The European Data Protection Board has clarified in its Guidelines 4/2019 that the measures must be effective, verifiable and tied to the relevant processing principles.
Legal Basis
Art. 25 GDPR (in particular para. 1); supplemented by Art. 5, Art. 24, Art. 32 GDPR; EDPB Guidelines 4/2019
Practical Example
A company is developing a new customer portal app. Instead of reviewing data protection only shortly before go-live, the data protection officer is involved already during the design phase: the data model captures only the fields that are genuinely required (data minimisation), existing records are pseudonymised for analytics purposes, retention periods are technically enforced in the system, and the default setting for the optional newsletter is switched off (privacy by default). Each of these decisions is documented so that the company can demonstrate to the supervisory authority that Article 25 GDPR was observed from the very first architectural decision.
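The following sketch, added here as an illustration and not part of the original text, shows what the four measures from the practical example can look like in code: a minimised data model, a newsletter flag that defaults to off, a keyed pseudonym for the analytics feed, and a technically enforced retention period. All names, the retention period and the sample records are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Data minimisation: the portal's model holds only the fields it needs.
@dataclass
class Customer:
    customer_id: str
    email: str
    created_at: datetime
    newsletter_opt_in: bool = False  # privacy by default: off unless the user opts in

# Constructed retention period; in practice derived from the documented purpose.
RETENTION = timedelta(days=365 * 3)


def pseudonymise(customer_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) for analytics: stable per customer, but
    not reversible without the key, which stays outside the analytics system."""
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def analytics_record(c: Customer, key: bytes) -> dict:
    """Only the pseudonym and a coarse signup month leave the portal."""
    return {
        "pid": pseudonymise(c.customer_id, key),
        "signup_month": c.created_at.strftime("%Y-%m"),
    }


def is_expired(c: Customer, now: datetime) -> bool:
    """Retention check enforced in code rather than by a manual process."""
    return now - c.created_at > RETENTION


def purge_expired(customers: list, now: datetime) -> list:
    """Return only the records that may still be kept."""
    return [c for c in customers if not is_expired(c, now)]


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    # Constructed sample records.
    alice = Customer("c-1001", "alice@example.com", datetime(2024, 1, 15, tzinfo=timezone.utc))
    bob = Customer("c-1002", "bob@example.com", datetime(2020, 3, 2, tzinfo=timezone.utc))
    key = b"analytics-pseudonym-key"  # constructed; load from a secret store in practice
    print(analytics_record(alice, key))
    print([c.customer_id for c in purge_expired([alice, bob], now)])
```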