The obligation to take data protection into account at the design stage of data processing is intended to ensure that the company cannot later declare the implementation of data protection obligations impossible by referring to technical necessities. Systems with which data is to be processed must therefore be designed from the outset in such a way that the principles of the GDPR (e.g. necessity principle, transparency principle) can also be implemented in operations.
Probably the biggest challenge here is that it is not the manufacturer, but the controller - i.e. the company that ultimately uses the system - that is obliged to implement privacy by design. Accordingly, a data protection-compliant design standard should be contractually agreed with the manufacturer in order to avoid having to work with a system that is unusable under data protection law.
This also applies to the privacy-by-default principle: systems must be configurable in such a way that they only process data that is absolutely necessary for the purpose for which it is being processed. This means that if a certain app feature (e.g. personalization) is not required to fulfill a specific processing purpose (e.g. writing texts), it must initially remain deactivated until the data subject specifically activates it.
As with all other obligations under the GDPR, failure to comply with the privacy-by-design and privacy-by-default principles is subject to fines.
Creation of a catalog of requirements regarding what the system provided by the manufacturer must or should be able to do from a data protection perspective (e.g. interface for exercising data subject rights).
Commitment of the manufacturer to the defined data protection requirements.
If necessary, configuration of the system according to privacy by default (if not already done by the manufacturer).
Continuous compliance with the two principles, especially when implementing new features in the system.