W5: Guidelines on Article 25 Flashcards

1
Q

What is the core obligation of DPbDD?

A

The core obligation is the implementation of appropriate measures and necessary safeguards that
provide effective implementation of the data protection principles and, consequentially, of data subjects’
rights and freedoms by design and by default. Article 25 prescribes both design and default elements
that should be taken into account.

Controllers shall implement DPbDD before processing, and also continually at
the time of processing, by regularly reviewing the effectiveness of the chosen measures and
safeguards. DPbDD also applies to existing systems that are processing personal data.

2
Q

What does the EDPB do?

A

The European Data Protection Board (EDPB) is the EU body that adopted these Guidelines (Guidelines
4/2019 on Article 25, Data Protection by Design and by Default). The Guidelines interpret the obligation
in Article 25 GDPR, set out how controllers should implement DPbDD, and describe how supervisory
authorities may enforce the Article.

3
Q

Who are responsible to comply with the guidelines?

A

The Guidelines focus on controllers’ implementation of DPbDD based on the obligation in Article 25 of
the GDPR. Other actors, such as processors and producers of products, services and applications
(henceforth “producers”), who are not directly addressed in Article 25, may also find these Guidelines
useful in creating GDPR compliant products and services that enable controllers to fulfil their data
protection obligations.

The controller is responsible for the fulfilment of the DPbDD
obligations for the processing carried out by their processors and sub-processors, they should
therefore take this into account when contracting with these parties.

4
Q

What is the scope of the guidelines?

A
  1. Who is responsible: see the answer above.
  2. The requirement for controllers to have data protection designed into the processing of personal
    data and as a default setting; this applies throughout the processing lifecycle. DPbDD is also a
    requirement for processing systems that pre-existed the GDPR's entry into force; controllers must
    keep the processing consistently updated in line with the GDPR.
  3. The Guidelines focus on an interpretation of the requirements set forth by Article 25
    and explore the legal obligations introduced by the provision.
  4. The Guidelines address the possibility of establishing a certification mechanism to demonstrate
    compliance with Article 25 in Chapter 4, as well as how the Article may be enforced by supervisory
    authorities in Chapter 5. Finally, the Guidelines provide stakeholders with further recommendations
    on how to successfully implement DPbDD.
5
Q

What does it mean to ensure appropriate and effective data protection both by design and by default?

A

The core of the provision is to ensure appropriate and effective data protection both by
design and by default, which means that controllers should be able to demonstrate that they have the
appropriate measures and safeguards in the processing to ensure that the data protection principles
and the rights and freedoms of data subjects are effective.

6
Q

What are some general remarks about the data protection by design and by default?

A

Data protection by design and data protection by default are complementary concepts, which mutually reinforce each
other. Data subjects will benefit more from data protection by default if data protection by design is
concurrently implemented – and vice versa.

DPbDD is a requirement for all controllers, including small businesses and multinational companies
alike. That being the case, the complexity of implementing DPbDD may vary based on the individual
processing operation. Regardless of the size however, in all cases, positive benefits for controller and
data subject can be achieved by implementing DPbDD.

7
Q

For data protection by design, what does Controller’s obligation to implement appropriate technical and organisational
measures and necessary safeguards into the processing mean?

A

In line with Article 25(1) the controller shall implement appropriate technical and organisational
measures which are designed to implement the data protection principles and to integrate the
necessary safeguards into the processing in order to meet the requirements and protect the rights and
freedoms of data subjects.

Technical and organizational measures and necessary safeguards can be understood in a broad sense
as any method or means that a controller may employ in the processing.

Being appropriate means that the measures and necessary safeguards should be suited to achieve the
intended purpose, i.e. they must implement the data protection principles effectively. The requirement
of appropriateness is thus closely related to the requirement of effectiveness.

A technical or organisational measure and safeguard can be anything from the use of advanced
technical solutions to the basic training of personnel. Examples that may be suitable, depending on the
context and risks associated with the processing in question, include pseudonymization of personal
data and storing personal data in a structured, commonly machine-readable format.

Standards, best practices and codes of conduct that are recognized by associations and other bodies
representing categories of controllers can be helpful in determining appropriate measures. However,
the controller must verify the appropriateness of the measures for the particular processing in
question.
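Pseudonymization is named above as an example of an appropriate measure, and the practical check a
controller has to make is whether the chosen method actually prevents re-identification without an extra
piece of information. The following is an added example written for this flashcard set, not code from the
EDPB Guidelines or from any product. It assumes (my assumptions, not the Guidelines') that the identifier
is an e-mail address, that the pseudonymization key lives in a separate component (here just a bytes
value), and that CONSTRUCTED_DIRECTORY is made-up test data standing in for the list of plausible
identifiers an attacker can enumerate. It shows why an unkeyed hash of an identifier is reversible by
enumeration while a keyed pseudonym is not, and how the controller still links records with the key.

```python
"""Pseudonymisation as an 'appropriate technical measure'.

Added example for this flashcard set; it is not code from the EDPB Guidelines.
Assumptions (mine, not the Guidelines'): the identifier is an e-mail address,
the key is held by a separate component (represented by a bytes value), and
CONSTRUCTED_DIRECTORY is made-up test data, not real identifiers.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed test data: the kind of list an attacker can build from public sources.
CONSTRUCTED_DIRECTORY = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.org",
    "dave@example.net",
]


def _normalise(identifier: str) -> bytes:
    # The same person must always map to the same pseudonym, so canonicalise first.
    return identifier.strip().lower().encode("utf-8")


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier: often mistaken for pseudonymisation."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without `key` the pseudonym cannot be
    linked back to the identifier by recomputation."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def reverse_by_enumeration(
    target: str, candidates: Iterable[str], fn: Callable[[str], str]
) -> Optional[str]:
    """Dictionary attack: recompute fn over the candidates until one matches."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def link_records(records: Iterable[Dict[str, str]], key: bytes) -> Dict[str, List[str]]:
    """Controller-side use: group events by pseudonym so the analytics store
    never holds the raw identifier, yet records of one person stay linked."""
    grouped: Dict[str, List[str]] = {}
    for rec in records:
        grouped.setdefault(pseudonymise(rec["email"], key), []).append(rec["event"])
    return grouped


def new_key() -> bytes:
    """Generate a 256-bit key; store it separately from the pseudonymised data."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    h = unkeyed_hash("bob@example.com")
    print("unkeyed hash reversed to:",
          reverse_by_enumeration(h, CONSTRUCTED_DIRECTORY, unkeyed_hash))
    p = pseudonymise("bob@example.com", key)
    print("keyed pseudonym reversed to:",
          reverse_by_enumeration(p, CONSTRUCTED_DIRECTORY, unkeyed_hash))
```

The point of the two reversal attempts is the "state of the art" and "effectiveness" tests discussed
later on this page: a measure that can be undone with a public list of e-mail addresses does not
effectively implement the principles, whatever it is called in the design document.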

8
Q

What does “designed to implement the data protection principles in an effective manner and
protecting data subjects’ rights and freedoms” mean?

A

The data protection principles are in Article 5 (henceforth “the principles”), the data subjects’ rights
and freedoms are the fundamental rights and freedoms of natural persons, and in particular their right
to the protection of personal data, whose protection is named in Article 1(2) as the objective of the GDPR
(henceforth “the rights”). Their precise formulation can be found in the EU Charter of
Fundamental Rights. It is essential for the controller to have an understanding of the meaning of the
principles and the rights as the basis for the protection offered by the GDPR, specifically by the DPbDD
obligation.

When implementing the appropriate technical and organisational measures, it is with respect to the
effective implementation of each of the aforementioned principles and the ensuing protection of rights
that the measures and safeguards should be designed.

9
Q

How is effectiveness at the heart of the concept of data protection by design?

A

The requirement to implement
the principles in an effective manner means that controllers must implement the necessary measures
and safeguards to protect these principles, in order to secure the rights of data subjects. Each
implemented measure should produce the intended results for the processing foreseen by the
controller. This observation has two consequences.

10
Q

What are the two consequences of the observation that each implemented measure should produce
the intended results for the processing foreseen by the controller?

A

First, it means that Article 25 does not require the implementation of any specific technical and
organizational measures, rather that the chosen measures and safeguards should be specific to the
implementation of data protection principles into the particular processing in question. In doing so,
the measures and safeguards should be designed to be robust and the controller should be able to
implement further measures in order to scale to any increase in risk. Whether or not measures are
effective will therefore depend on the context of the processing in question and an assessment of
certain elements that should be taken into account when determining the means of processing.

Second, controllers should be able to demonstrate that the principles have been maintained.

11
Q

How can the controller demonstrate the effectiveness?

A

The implemented measures and safeguards should achieve the desired effect in terms of data
protection, and the controller should have documentation of the implemented technical and
organizational measures.

To do so, the controller may determine appropriate key performance
indicators (KPI) to demonstrate the effectiveness. A KPI is a measurable value chosen by the controller
that demonstrates how effectively the controller achieves their data protection objective.

KPIs may be
quantitative, such as the percentage of false positives or false negatives, reduction of complaints,
reduction of response time when data subjects exercise their rights;

or qualitative, such as evaluations
of performance, use of grading scales, or expert assessments.

Alternatively to KPIs, controllers may be
able to demonstrate the effective implementation of the principles by providing the rationale behind
their assessment of the effectiveness of the chosen measures and safeguards.

12
Q

What are the elements that should be taken into account when determining the measures of a specific processing operation?

A

These elements all contribute to determining whether a measure is appropriate to effectively
implement the principles. None of them is a goal in and of itself; they are factors to be considered
together to reach the objective:

  1. state of the art
  2. cost of implementation
  3. nature, scope, context and purpose of processing
  4. risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing
13
Q

What is the state of art?

A

In the GDPR, reference to the “state of the art” is made not only in Article 32, for
security measures, but also in Article 25, thus extending this benchmark to all technical and
organisational measures embedded in the processing.

In the context of Article 25, the reference to “state of the art” imposes an obligation on controllers,
when determining the appropriate technical and organisational measures, to take account of the
current progress in technology that is available in the market. The requirement is for controllers to
have knowledge of, and stay up to date on technological advances; how technology can present data
protection risks or opportunities to the processing operation; and how to implement and update the
measures and safeguards that secure effective implementation of the principles and rights of data
subjects taking into account the evolving technological landscape.

14
Q

How is the state of the art a dynamic concept?

A

The “state of the art” is a dynamic concept that cannot be statically defined at a fixed point in time, but should be assessed continuously in the context of technological progress. In the face of
technological advancements, a controller could find that a measure that once provided an adequate
level of protection no longer does. Neglecting to keep up to date with technological changes could
therefore result in a lack of compliance with Article 25.

15
Q

What is the cost of implementation?

A

The controller may take the cost of implementation into account when choosing and applying
appropriate technical and organisational measures and necessary safeguards that effectively implement the principles in order to protect the rights of data subjects. The cost refers to resources in
general, including time and human resources.

The cost element does not require the controller to spend a disproportionate amount of resources
when alternative, less resource demanding, yet effective measures exist. However, the cost of
implementation is a factor to be considered to implement data protection by design rather than a
ground to not implement it.

Thus, the chosen measures shall ensure that the processing activity foreseen by the controller does
not process personal data in violation of the principles, independent of cost. Controllers should be able
to manage the overall costs to be able to effectively implement all of the principles and, consequentially, protect the rights.

16
Q

What is the nature, scope, context and purpose of processing?

A

Controllers must take into consideration the nature, scope, context and purpose of processing when
determining needed measures.

These factors should be interpreted consistently with their role in other provisions of the GDPR, such
as Articles 24, 32 and 35, with the aim of designing data protection principles into the processing.

In short, the concept of nature can be understood as the inherent characteristics of the processing.
The scope refers to the size and range of the processing. The context relates to the circumstances of
the processing, which may influence the expectations of the data subject, while the purpose pertains
to the aims of the processing.

17
Q

How does the GDPR adopt a coherent risk based approach in article 24, 25, 32 and 35?

A

The GDPR adopts a coherent risk based approach in many of its provisions, in Articles 24, 25, 32 and
35, with a view to identifying appropriate technical and organisational measures to protect individuals,
their personal data and complying with the requirements of the GDPR. The assets to protect are always
the same (the individuals, via the protection of their personal data), against the same risks (to
individuals’ rights), taking into account the same conditions (nature, scope, context and purposes of
processing).

18
Q

What must the controller do when performing risk analysis?

A

When performing the risk analysis for compliance with Article 25, the controller has to identify the
risks to the rights of data subjects that a violation of the principles presents, and determine their
likelihood and severity in order to implement measures to effectively mitigate the identified risks. A
systematic and thorough evaluation of the processing is crucial when doing risk assessments.

19
Q

What does the DPIA (data protection impact assessment ) do?

A

A data protection impact assessment (DPIA) is the formal assessment required by Article 35 where a
type of processing is likely to result in a high risk to the rights and freedoms of natural persons. It
documents the risk analysis described above (the risks that a violation of the principles presents, their
likelihood and severity, and the measures chosen to mitigate them), and an existing DPIA must be
updated when the processing changes. A DPIA may therefore be required in addition to the case by
case risk assessment that Article 25 always demands.

20
Q

Why does the risk based approach not exclude the use of baselines, best practices and standards?

A

The risk based approach does not exclude the use of baselines, best practices and standards. These
might provide a useful toolbox for controllers to tackle similar risks in similar situations (nature, scope,
context and purpose of processing). Nevertheless, the obligation in Article 25 (as well as Articles 24,
32 and 35(7)(c)) to take into account “risks of varying likelihood and severity for rights and freedoms
of natural persons posed by the processing” remains. Therefore, controllers, although supported by
such tools, must always carry out a data protection risk assessment on a case by case basis for the
processing activity at hand and verify the effectiveness of the appropriate measures and safeguards
proposed. A DPIA, or an update to an existing DPIA, may then additionally be required.

21
Q

What does “at the time of determination of the means for
processing” mean?

A

Data protection by design shall be implemented “at the time of determination of the means for
processing”.

The “means for processing” range from the general to the detailed design elements of the processing,
including the architecture, procedures, protocols, layout and appearance.

The “time of determination of the means for processing” refers to the period of time when the
controller is deciding how the processing will be conducted and the manner in which the processing
will occur and the mechanisms which will be used to conduct such processing. It’s in the process of
making such decisions that the controller must assess the appropriate measures and safeguards to
effectively implement the principles and rights of data subjects into the processing, and take into
account elements such as the state of the art, cost of implementation, nature, scope, context and
purpose, and risks. This includes the time of procuring and implementing data processing software,
hardware, and services.

22
Q

Why is an early consideration of DPbDD crucial for a successful implementation?

A

Early consideration of DPbDD is crucial for a successful implementation of the principles and protection
of the rights of the data subjects. Moreover, from a cost-benefit perspective, it is also in controllers’
interest to take DPbDD into account sooner rather than later, as it could be challenging and costly to
make later changes to plans that have already been made and processing operations that have already
been designed.

23
Q

What must happen at the time of processing itself to maintain the DPbDD?

A

Once the processing has started, the controller has a continued obligation to maintain DPbDD, i.e. the
continued effective implementation of the principles in order to protect the rights, staying up to date
on the state of the art, reassessing the level of risk, etc. The nature, scope and context of processing
operations, as well as the risk, may change over the course of processing, which means that the
controller must re-evaluate their processing operations through regular reviews and assessments of
the effectiveness of their chosen measures and safeguards.

The obligation to maintain, review and update, as necessary, the processing operation also applies to
pre-existing systems. This means that legacy systems designed before the GDPR entered into force are
required to undergo reviews and maintenance to ensure the implementation of measures and
safeguards that implement the principles and rights of data subjects in an effective manner, as outlined
in these Guidelines.

This obligation also extends to any processing carried out by means of data processors. Processors’ operations should be regularly reviewed and assessed by the controllers to ensure that they enable
continuous compliance with the principles and allow the data controller to fulfil its obligations in this
respect.

24
Q

What does the term default mean when processing personal data?

A

The term “by default”, when processing personal data, refers to making choices regarding
configuration values or processing options that are set or prescribed in a processing system, such as a
software application, service or device, or a manual processing procedure, that affect the amount of
personal data collected, the extent of their processing, the period of their storage and their
accessibility.

25
Q

How should the controller choose and be accountable for default processing settings and options?

A

The controller should choose and be accountable for implementing default processing settings and
options in a way that only processing that is strictly necessary to achieve the set, lawful purpose is
carried out by default. Here, controllers should rely on their assessment of the necessity of the
processing with regards to the legal grounds of Article 6(1). This means that by default, the controller
shall not collect more data than is necessary, they shall not process the data collected more than is
necessary for their purposes, nor shall they store the data for longer than necessary. The basic
requirement is that data protection is built into the processing by default.

The controller is required to predetermine for which specified, explicit and legitimate purposes the
personal data is collected and processed. The measures must by default be appropriate to ensure
that only personal data which are necessary for each specific purpose of processing are being
processed.

26
Q

What must the controller do when third party software and organisational measures support processing operations?

A

If the controller uses third party software or off-the-shelf software, the controller should carry out a
risk assessment of the product and make sure that functions that do not have a legal basis or are not
compatible with the intended purposes of processing are switched off.

The same considerations apply to organisational measures supporting processing operations. They
should be designed to process, at the outset, only the minimum amount of personal data necessary
for the specific operations. This should be particularly considered when allocating data access to staff
with different roles and different access needs.

27
Q

What do “appropriate technical and organisational measures” mean in the context of data protection by default?

A

Appropriate “technical and organisational measures” in the context of data protection by default is
thus understood in the same way as discussed above in subchapter 2.1.1, but applied specifically to
implementing the principle of data minimisation.

The aforementioned obligation to only process personal data which are necessary for each specific
purpose applies to the following elements.

28
Q

What does article 25(2) list?

A

Article 25(2) lists the dimensions of the data minimisation obligation for default processing, by stating
that the obligation applies to the amount of personal data collected, the extent of their processing,
the period of their storage and their accessibility.

29
Q

What does the amount of personal data collection mean in terms of default processing?

A

Controllers should consider both the volume of personal data, as well as the types, categories and level
of detail of personal data required for the processing purposes. Their design choices should take into
account the increased risks to the principles of integrity and confidentiality, data minimisation and
storage limitation when collecting large amounts of detailed personal data, and compare it to the
reduction in risks when collecting smaller amounts and/or less detailed information about data
subjects. In any case, the default setting shall not include collection of personal data that is not
necessary for the specific processing purpose. In other words, if certain categories of personal data are
unnecessary or if detailed data isn’t needed because less granular data is sufficient, then any surplus
personal data shall not be collected.

The same default requirements apply to services independent of what platform or device is in use:
only the personal data necessary for the given purpose can be collected.

30
Q

What does the extent of the default processing mean?

A

Processing operations performed on personal data shall be limited to what is necessary. Many
processing operations may contribute to a processing purpose. Nevertheless, the fact that certain
personal data is necessary to fulfil a purpose does not mean that all types of, and frequencies of,
processing operations may be carried out on the data. Controllers should also be careful not to extend
the boundaries of “compatible purposes” of Article 6(4), and have in mind what processing will be
within the reasonable expectations of data subjects.

31
Q

What does the period of storage mean in terms of default processing?

A

Personal data collected shall not be stored if it is not necessary for the purpose of the processing and
there is no other compatible purpose and legal ground according to Article 6(4). Any retention should
be objectively justifiable as necessary by the data controller in accordance with the accountability
principle.

The controller shall limit the retention period to what is necessary for the purpose. If personal data is
no longer necessary for the purpose of the processing, then it shall by default be deleted or
anonymized. The length of the period of retention will therefore depend on the purpose of the
processing in question. This obligation is directly related to the principle of storage limitation in Article
5(1)(e), and shall be implemented by default, i.e. the controller should have systematic procedures for
data deletion or anonymization embedded in the processing.

Anonymization of personal data is an alternative to deletion, provided that all the relevant contextual
elements are taken into account and the likelihood and severity of the risk, including the risk of
re-identification, are regularly assessed.

32
Q

What does accessibility have to do with default processing?

A

The controller should limit who has access and which types of access to personal data based on an
assessment of necessity, and also make sure that personal data is in fact accessible to those who need
it when necessary, for example in critical situations. Access controls should be observed for the whole
data flow during the processing.

Article 25(2) further states that personal data shall not be made accessible, without the individual’s
intervention, to an indefinite number of natural persons. The controller shall by default limit
accessibility and give the data subject the possibility to intervene before publishing or otherwise
making available personal data about the data subject to an indefinite number of natural persons.

Making personal data available to an indefinite number of persons may result in even further
dissemination of the data than initially intended. This is particularly relevant in the context of the
Internet and search engines. This means that controllers should by default give data subjects an opportunity to intervene before personal data is made available on the open Internet. This is
particularly important when it comes to children and vulnerable groups.

Depending on the legal grounds for processing, the opportunity to intervene could vary based on the
context of the processing.

Even in the event that personal data is made available publicly with the permission and understanding
of a data subject, it does not mean that any other controller with access to the personal data may
freely process it themselves for their own purposes – they must have their own legal basis.
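Cards 31 and 32 describe two default behaviours that have to be embedded in the processing system
itself: a systematic deletion or anonymization procedure tied to each purpose's retention period, and a
default that keeps personal data away from an indefinite number of persons until the data subject
intervenes. The following is an added example written for this flashcard set, not code from the EDPB
Guidelines or from any product. It assumes (my assumptions) that every record carries the purpose it
was collected for, a collection timestamp and an audience setting; the retention periods in RETENTION,
the choice to anonymise analytics rows rather than delete them, and treating only the "country" field
as non-identifying are constructed for the example and are not legal requirements.

```python
"""Data protection by default: storage limitation and accessibility defaults.

Added example for this flashcard set; it is not code from the EDPB Guidelines.
Assumptions (mine): each record carries a predetermined purpose, a collection
timestamp and an audience setting. RETENTION, ANONYMISE_INSTEAD_OF_DELETE and
NON_IDENTIFYING_FIELDS are constructed values, not legal requirements.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed retention periods: how long the data stays necessary per purpose.
RETENTION: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=30),
    "service_analytics": timedelta(days=7),
}
# Constructed choice: aggregate analytics keeps anonymised rows instead of deleting.
ANONYMISE_INSTEAD_OF_DELETE = {"service_analytics"}
# Constructed choice: the only payload field treated as non-identifying.
NON_IDENTIFYING_FIELDS = {"country"}


@dataclass(frozen=True)
class Record:
    subject_id: str
    purpose: str
    collected_at: datetime
    payload: Dict[str, str]
    # Default setting: accessible to the controller only, never to the public.
    audience: str = "controller"
    # Default setting: the data subject has not intervened to allow publication.
    subject_allowed_publication: bool = False


def anonymise(rec: Record) -> Record:
    """Drop the direct identifier and every payload field not on the allow-list."""
    kept = {k: v for k, v in rec.payload.items() if k in NON_IDENTIFYING_FIELDS}
    return replace(rec, subject_id="anonymised", payload=kept)


def sweep(records: Iterable[Record], now: datetime) -> Tuple[List[Record], List[str]]:
    """Systematic deletion/anonymisation embedded in the processing.

    Returns the records that remain and an audit log of what happened to the rest.
    """
    remaining: List[Record] = []
    log: List[str] = []
    for rec in records:
        limit = RETENTION.get(rec.purpose)
        if limit is None:
            # Design choice: a purpose that was never predetermined cannot justify retention.
            log.append(f"deleted {rec.subject_id}: purpose {rec.purpose!r} not predetermined")
            continue
        if now - rec.collected_at <= limit:
            remaining.append(rec)
            continue
        if rec.purpose in ANONYMISE_INSTEAD_OF_DELETE:
            remaining.append(anonymise(rec))
            log.append(f"anonymised {rec.subject_id}: retention for {rec.purpose!r} expired")
        else:
            log.append(f"deleted {rec.subject_id}: retention for {rec.purpose!r} expired")
    return remaining, log


def record_subject_intervention(rec: Record) -> Record:
    """The data subject's own action that permits publication; nothing else flips it."""
    return replace(rec, subject_allowed_publication=True)


def publish(rec: Record) -> Record:
    """Make a record available to an indefinite number of persons. The default refuses."""
    if not rec.subject_allowed_publication:
        raise PermissionError("default is non-public; data subject must intervene first")
    return replace(rec, audience="public")


def constructed_records(now: datetime) -> List[Record]:
    """Made-up sample data: one record per case the sweep has to handle."""
    return [
        Record("alice", "order_fulfilment", now - timedelta(days=10), {"email": "a@x", "country": "NL"}),
        Record("bob", "order_fulfilment", now - timedelta(days=45), {"email": "b@x", "country": "DE"}),
        Record("carol", "service_analytics", now - timedelta(days=20), {"email": "c@x", "country": "FR"}),
        Record("dave", "undeclared", now - timedelta(days=1), {"email": "d@x", "country": "ES"}),
    ]


def demo(now: Optional[datetime] = None) -> Tuple[List[Record], List[str]]:
    """Run the sweep over the constructed data at a fixed point in time."""
    now = now or datetime(2024, 1, 31, tzinfo=timezone.utc)
    return sweep(constructed_records(now), now)


if __name__ == "__main__":
    kept, audit = demo()
    print([r.subject_id for r in kept])
    print("\n".join(audit))
```

Two design points carry the "by default" idea: the protective values are the dataclass defaults, so a
caller who forgets to set anything gets the minimising behaviour, and the sweep is a function the system
runs on a schedule rather than a manual clean-up, which is what "systematic procedures embedded in the
processing" amounts to in code. The audit log is what the controller keeps as documentation of the
measure's effectiveness.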

33
Q

What must be done in all stages of design of the processing activities?

A

In all stages of design of the processing activities, including procurement, tenders, outsourcing,
development, support, maintenance, testing, storage, deletion, etc., the controller should take into
account and consider the various elements of DPbDD

While this section focuses on the implementation of the principles, the controller should also
implement appropriate and effective ways to protect data subjects’ rights, also according to Chapter
III in the GDPR where this is not already mandated by the principles themselves.

34
Q

What is the accountability principle?

A

The accountability principle is overarching: it requires the controller to be responsible for choosing the
necessary technical and organisational measures.

35
Q

What is the transparency principle?

A

The controller must be clear and open with the data subject about how they will collect, use and share
personal data. Transparency is about enabling data subjects to understand, and if necessary, make use
of their rights in Articles 15 to 22. The principle is embedded in Articles 12, 13, 14 and 34. Measures
and safeguards put in place to support the principle of transparency should also support the
implementation of these Articles.

36
Q

What may the key design and default elements for the principle of transparency include?

A

Clarity – Information shall be in clear and plain language, concise and intelligible.

Semantics – Communication should have a clear meaning to the audience in question.

Accessibility - Information shall be easily accessible for the data subject.

Contextual – Information should be provided at the relevant time and in the appropriate form.

Relevance – Information should be relevant and applicable to the specific data subject.

Universal design – Information shall be accessible to all data subjects, including the use of machine-readable
languages to facilitate and automate readability and clarity.
Comprehensible – Data subjects should have a fair understanding of what they can expect with
regards to the processing of their personal data, particularly when the data subjects are
children or other vulnerable groups.

Multi-channel – Information should be provided in different channels and media, not only the
textual, to increase the probability for the information to effectively reach the data subject.

Layered – The information should be layered in a manner that resolves the tension between
completeness and understanding, while accounting for data subjects’ reasonable
expectations.

37
Q

What does the principle of lawfulness mean?

A

The controller must identify a valid legal basis for the processing of personal data. Measures and
safeguards should support the requirement to make sure that the whole processing lifecycle is in line
with the relevant legal grounds of processing.

38
Q

What are Key design and default elements for lawfulness?

A

Relevance – The correct legal basis shall be applied to the processing.

Differentiation – The legal basis used for each processing activity shall be differentiated.

Specified purpose – The appropriate legal basis must be clearly connected to the specific
purpose of processing.

Necessity – Processing must be necessary and unconditional for the purpose to be lawful.

Autonomy – The data subject should be granted the highest degree of autonomy as possible
with respect to control over personal data within the frames of the legal basis.

Gaining consent – Consent must be freely given, specific, informed and unambiguous.
Particular consideration should be given to the capacity of children and young people to
provide informed consent.

Consent withdrawal – Where consent is the legal basis, the processing should facilitate
withdrawal of consent. Withdrawal shall be as easy as giving consent. If not, then the consent
mechanism of the controller does not comply with the GDPR.

Balancing of interests – Where legitimate interests is the legal basis, the controller must carry
out a weighted balancing of interest, giving particular consideration to the power imbalance,
specifically children under the age of 18 and other vulnerable groups. There shall be measures
and safeguards to mitigate the negative impact on the data subjects. 

Predetermination – The legal basis shall be established before the processing takes place. 

Cessation – If the legal basis ceases to apply, the processing shall cease accordingly. 

Adjust – If there is a valid change of legal basis for the processing, the actual processing must
be adjusted in accordance with the new legal basis.

Allocation of responsibility – Whenever joint controllership is envisaged, the parties must
apportion in a clear and transparent way their respective responsibilities vis-à-vis the data
subject, and design the measures of the processing in accordance with this allocation.

39
Q

What is the fairness principle?

A

Fairness is an overarching principle which requires that personal data should not be processed in a way
that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject. Measures and safeguards implementing the principle of fairness also support the rights and
freedoms of data subjects, specifically the right to information (transparency), the right to intervene
(access, erasure, data portability, rectify) and the right to limit the processing (right not to be subject
to automated individual decision-making and non-discrimination of data subjects in such processes).

40
Q

What are key design and default fairness elements?

A

Autonomy – Data subjects should be granted the highest degree of autonomy possible to
determine the use made of their personal data, as well as over the scope and conditions of
that use or processing.

Interaction – Data subjects must be able to communicate and exercise their rights in respect
of the personal data processed by the controller.

Expectation – Processing should correspond with data subjects’ reasonable expectations.

Non-discrimination – The controller shall not unfairly discriminate against data subjects.

Non-exploitation – The controller should not exploit the needs or vulnerabilities of data
subjects.

Consumer choice – The controller should not “lock in” their users in an unfair manner.
Whenever a service processing personal data is proprietary, it may create a lock-in to the
service, which may not be fair if it impairs the data subjects’ possibility to exercise their right
of data portability in accordance with Article 20.

Power balance – Power balance should be a key objective of the controller-data subject
relationship. Power imbalances should be avoided. When this is not possible, they should be
recognised and accounted for with suitable countermeasures.

No risk transfer – Controllers should not transfer the risks of the enterprise to the data
subjects.

No deception – Data processing information and options should be provided in an objective
and neutral way, avoiding any deceptive or manipulative language or design.

Respect rights – The controller must respect the fundamental rights of data subjects and
implement appropriate measures and safeguards, and not impinge on those rights unless
expressly justified by law.

Ethical – The controller should see the processing’s wider impact on individuals’ rights and
dignity.

Truthful – The controller must make available information about how they process personal
data; they should act as they declare they will and not mislead the data subjects.

Human intervention – The controller must incorporate qualified human intervention that is
capable of uncovering biases that machines may create, in accordance with the right not to be
subject to automated individual decision-making in Article 22.

Fair algorithms – Regularly assess whether algorithms are functioning in line with the purposes
and adjust the algorithms to mitigate uncovered biases and ensure fairness in the processing.
Data subjects should be informed about the functioning of the processing of personal data
based on algorithms that analyse or make predictions about them, such as work performance,
economic situation, health, personal preferences, reliability or behaviour, location or
movements.

41
Q

What is the principle of purpose limitation?

A

The controller must collect data for specified, explicit, and legitimate purposes, and not further process
the data in a manner that is incompatible with the purposes for which they were collected. The design
of the processing should therefore be shaped by what is necessary to achieve the purposes. If any further
processing is to take place, the controller must first make sure that this processing has purposes
compatible with the original ones and design such processing accordingly. Whether a new purpose is
compatible or not shall be assessed according to the criteria in Article 6(4).

42
Q

What are key design and default purpose limitation elements?

A

Predetermination – The legitimate purposes shall be determined before the design of the
processing. 

Specificity – The purposes shall be specified and explicit as to why personal data is being
processed. 

Purpose orientation – The purpose of processing should guide the design of the processing
and set processing boundaries. 

Necessity – The purpose determines what personal data is necessary for the processing. 

Compatibility – Any new purpose must be compatible with the original purpose for which the
data was collected and guide relevant changes in design. 

Limit further processing – The controller should not connect datasets or perform any further
processing for new incompatible purposes. 

Limitations of reuse – The controller should use technical measures, including hashing and
encryption, to limit the possibility of repurposing personal data. The controller should also
have organisational measures, such as policies and contractual obligations, which limit reuse
of personal data. 

Review – The controller should regularly review whether the processing is necessary for the
purposes for which the data was collected and test the design against purpose limitation.

43
Q

What is data minimization?

A

Only personal data that is adequate, relevant and limited to what is necessary for the purpose shall be
processed. As a result, the controller has to predetermine which features and parameters of
processing systems and their supporting functions are permissible. Data minimisation substantiates
and operationalises the principle of necessity. In the further processing, the controller should
periodically consider whether processed personal data is still adequate, relevant and necessary, or if
the data shall be deleted or anonymized.

Controllers should first of all determine whether they even need to process personal data for their
relevant purposes. The controller should verify whether the relevant purposes can be achieved by
processing less personal data, or having less detailed or aggregated personal data, or without having
to process personal data at all. Such verification should take place before any processing takes place,
but could also be carried out at any point during the processing lifecycle. This is also consistent with
Article 11.

Minimising can also refer to the degree of identification. If the purpose of the processing does not
require the final set of data to refer to an identified or identifiable individual (such as in statistics), but
the initial processing does (e.g. before data aggregation), then the controller shall delete or anonymize
personal data as soon as identification is no longer needed. Or, if continued identification is needed
for other processing activities, personal data should be pseudonymized to mitigate risks for the data
subjects’ rights.

44
Q

What are key design and default data minimisation elements?

A

Data avoidance – Avoid processing personal data altogether when this is possible for the
relevant purpose.

Limitation – Limit the amount of personal data collected to what is necessary for the purpose.

Access limitation – Shape the data processing in a way that a minimal number of people need
access to personal data to perform their duties, and limit access accordingly.

Relevance – Personal data should be relevant to the processing in question, and the controller
should be able to demonstrate this relevance. 

Necessity – Each personal data category shall be necessary for the specified purposes and
should only be processed if it is not possible to fulfil the purpose by other means. 

Aggregation – Use aggregated data when possible. 

Pseudonymization – Pseudonymize personal data as soon as it is no longer necessary to have
directly identifiable personal data, and store identification keys separately. 

Anonymization and deletion – Where personal data is not, or no longer necessary for the
purpose, personal data shall be anonymized or deleted. 

Data flow – The data flow should be made efficient enough to not create more copies than
necessary. 

“State of the art” – The controller should apply up to date and appropriate technologies for
data avoidance and minimisation.

45
Q

What is the accuracy principle?

A

Personal data shall be accurate and kept up to date, and every reasonable step shall be taken to ensure
that personal data that is inaccurate, having regard to the purposes for which they are processed, are
erased or rectified without delay.

The requirements should be seen in relation to the risks and consequences of the concrete use of data.
Inaccurate personal data could be a risk to the data subjects’ rights and freedoms, for example when
it leads to a faulty diagnosis or the wrong treatment under a health protocol, or when an incorrect
image of a person leads to decisions being made on the wrong basis, whether manually, through
automated decision-making, or through artificial intelligence.

46
Q

What are key design and default accuracy elements?

A

Data source – Sources of personal data should be reliable in terms of data accuracy.

Degree of accuracy – Each personal data element should be as accurate as necessary for the
specified purposes.

Measurably accurate – Reduce the number of false positives/negatives, for example biases in
automated decisions and artificial intelligence.

Verification – Depending on the nature of the data, in relation to how often it may change, the
controller should verify the correctness of personal data with the data subject before and at
different stages of the processing (e.g. as to age requirements).

Erasure/rectification – The controller shall erase or rectify inaccurate data without delay. The
controller shall in particular facilitate this where the data subjects are or were children and
later want to remove such personal data.

Error propagation avoidance – Controllers should mitigate the effect of an accumulated error
in the processing chain.

Access – Data subjects should be given information about and effective access to personal data
in accordance with GDPR Articles 12 to 15 in order to control accuracy and rectify as
needed.

Continued accuracy – Personal data should be accurate at all stages of the processing; tests of
accuracy should be carried out at critical steps.

Up to date – Personal data shall be updated if necessary for the purpose.

Data design – Use technological and organisational design features to decrease inaccuracy,
for example present concise predetermined choices instead of free text fields.

47
Q

What is the principle of storage limitation?

A

The controller must ensure that personal data is kept in a form which permits identification of data
subjects for no longer than is necessary for the purposes for which the personal data is processed.
It is vital that the controller knows exactly what personal data the company processes and why. The
purpose of the processing shall be the main criterion to decide how long personal data shall be
stored.

Measures and safeguards that implement the principle of storage limitation shall complement the
rights and freedoms of the data subjects, specifically, the right to erasure and the right to object.

48
Q

What are key design and default storage limitation elements?

A

Deletion and anonymization – The controller should have clear internal procedures and
functionalities for deletion and/or anonymization. 

Effectiveness of anonymization/deletion – The controller shall make sure that it is not possible
to re-identify anonymized data or recover deleted data, and should test whether this is
possible. 

Automation – Deletion of certain personal data should be automated.

Storage criteria – The controller shall determine what data and length of storage is necessary
for the purpose. 

Justification – The controller shall be able to justify why the period of storage is necessary for
the purpose and the personal data in question, and be able to disclose the rationale behind,
and legal grounds for the retention period. 

Enforcement of retention policies – The controller should enforce internal retention policies
and conduct tests of whether the organization practices its policies. 

Backups/logs – Controllers shall determine what personal data and length of storage is
necessary for back-ups and logs. 

Data flow – Controllers should beware of the flow of personal data, and the storage of any
copies thereof, and seek to limit their “temporary” storage.

49
Q

What is the integrity and confidentiality principle?

A

The principle of integrity and confidentiality includes protection against unauthorised or unlawful
processing and against accidental loss, destruction or damage, using appropriate technical or
organisational measures. The security of personal data requires appropriate measures designed to
prevent and manage data breach incidents; to guarantee the proper execution of data processing
tasks, and compliance with the other principles; and to facilitate the effective exercise of individuals’ rights.

Recital 78 states that one of the DPbDD measures could consist of enabling the controller to “create
and improve security features”. Along with other DPbDD measures, Recital 78 suggests a responsibility
on controllers to continually assess whether they are using the appropriate means of processing at all
times and to assess whether the chosen measures actually counter the existing vulnerabilities.
Furthermore, controllers should conduct regular reviews of the information security measures that
surround and protect personal data, and of the procedure for handling data breaches.

50
Q

What are key design and default integrity and confidentiality elements?

A

Information security management system (ISMS) – Have an operative means of managing
policies and procedures for information security. 

Risk analysis – Assess the risks against the security of personal data by considering the impact
on individuals’ rights and counter identified risks. For use in risk assessment; develop and
maintain a comprehensive, systematic and realistic “threat modelling” and an attack surface
analysis of the designed software to reduce attack vectors and opportunities to exploit weak
points and vulnerabilities. 

Security by design – Consider security requirements as early as possible in the system design
and development and continuously integrate and perform relevant tests. 

Maintenance – Regularly review and test software, hardware, systems and services, etc. to
uncover vulnerabilities of the systems supporting the processing.

Access control management – Only the authorized personnel who need to should have access
to the personal data necessary for their processing tasks, and the controller should
differentiate between access privileges of authorized personnel.

  • Access limitation (agents) – Shape the data processing in a way that a minimal number
    of people need access to personal data to perform their duties, and limit access
    accordingly.

  • Access limitation (content) – In the context of each processing operation, limit access
    to only those attributes per data set that are needed to perform that operation.
    Moreover, limit access to data pertaining to those data subjects who are in the remit
    of the respective employee.

  • Access segregation – Shape the data processing in a way that no individual needs
    comprehensive access to all data collected about a data subject, much less all personal
    data of a particular category of data subjects.

Secure transfers – Transfers shall be secured against unauthorized and accidental access and
changes. 

Secure storage – Data storage shall be secure from unauthorized access and changes. There
should be procedures to assess the risk of centralized or decentralized storage, and what
categories of personal data this applies to. Some data may need more security measures
than others, or isolation from others.

Pseudonymization – Personal data and back-ups/logs should be pseudonymized as a security
measure to minimise risks of potential data breaches, for example using hashing or encryption. 

Backups/logs – Keep back-ups and logs to the extent necessary for information security, use
audit trails and event monitoring as a routine security control. These shall be protected from
unauthorised and accidental access and change and reviewed regularly and incidents should
be handled promptly. 

Disaster recovery/business continuity – Address information system disaster recovery and
business continuity requirements to restore the availability of personal data following
major incidents.

Protection according to risk – All categories of personal data should be protected with
measures adequate with respect to the risk of a security breach. Data presenting special risks
should, when possible, be kept separated from the rest of the personal data. 

Security incident response management – Have in place routines, procedures and resources
to detect, contain, handle, report and learn from data breaches. 

Incident management – Controller should have processes in place to handle breaches and
incidents, in order to make the processing system more robust. This includes notification
procedures, such as management of notification (to the supervisory authority) and
information (to data subjects).

51
Q

What is the accountability principle?

A

The principle of accountability states that the controller shall be responsible for, and be able to
demonstrate compliance with all of the abovementioned principles.

The controller needs to be able to demonstrate compliance with the principles. In doing so, the
controller may demonstrate the effects of the measures taken to protect the data subjects’ rights, and
why the measures are considered to be appropriate and effective. For example, demonstrating why a
measure is appropriate to ensure the principle of storage limitation in an effective manner.

To be able to process personal data responsibly, the controller should have both the knowledge of and
the ability to implement data protection. This entails that the controller should understand their data
protection obligations of the GDPR and be able to comply with these obligations.

52
Q

What is article 25(3) about?

A

According to Article 25(3), certification pursuant to Article 42 may be used as an element to
demonstrate compliance with DPbDD. Conversely, documents demonstrating compliance with DPbDD
may also be useful in a certification process. This means that where a processing operation by a
controller or a processor has been certified as per Article 42, supervisory authorities shall take this into
account in their assessment of compliance with the GDPR, specifically with regards to DPbDD.

When a processing operation by a controller or processor is certified according to Article 42, the
elements that contribute to demonstrating compliance with Article 25(1) and (2) are the design
processes, i.e. the process of determining the means of processing, the governance and the technical
and organizational measures to implement the data protection principles. The data protection
certification criteria are determined by the certification bodies or certification scheme owners and
then approved by the competent supervisory authority or by the EDPB. For further information about
certification mechanisms, we refer the reader to the EDPB Guideline on Certification and other
relevant guidance, as published on the EDPB website.

Even where a processing operation is awarded a certification in accordance with Article 42, the
controller still has the responsibility to continuously monitor and improve compliance with the DPbDD
criteria of Article 25.

53
Q

How is Article 25 enforced, and what are the consequences?

A

Supervisory authorities may assess compliance with Article 25 according to the procedures listed in
Article 58. The corrective powers are specified in Article 58(2) and include the issuance of warnings,
reprimands, orders to comply with data subjects’ rights, limitations on or ban of processing,
administrative fines, etc.

DPbDD is further a factor in determining the level of monetary sanctions for breaches of the GDPR, see
Article 83(4).

54
Q

What are some recommendations?

A

Although not directly addressed in Article 25, processors and producers are also recognized as key
enablers for DPbDD. They should be aware that controllers are required to only process personal data
with systems and technologies that have built-in data protection.

When processing on behalf of controllers, or providing solutions to controllers, processors and
producers should use their expertise to build trust and guide their customers, including SMEs, in
designing/procuring solutions that embed data protection into the processing. This means in turn that
the design of products and services should facilitate controllers’ needs.

It should be kept in mind when implementing Article 25 that the main design objective is the effective
implementation of the principles and protection of the rights of data subjects into the appropriate
measures of the processing. In order to facilitate and enhance the adoption of DPbDD, we make the
following recommendations to controllers as well as producers and processors:

see recommendations in GDPR guidelines book