Intro: What is meant by the requirement of privacy by design and default, what function does it have and what must be taken into account when implementing it?
To-Dos: What is the specific procedure for fulfilling privacy by design and default and the associated obligations?
Statements: What have the data protection supervisory authorities published on the subject of privacy by design and default?
The obligation to take data protection into account at the design stage of data processing is intended to ensure that the company cannot later declare the implementation of data protection obligations impossible by referring to technical necessities. Systems with which data is to be processed must therefore be designed from the outset in such a way that the principles of the GDPR (e.g. necessity principle, transparency principle) can also be implemented in operations.
Probably the biggest challenge here is that it is not the manufacturer, but the controller - i.e. the company that ultimately uses the system - that is obliged to implement privacy by design. Accordingly, a data protection-compliant design standard should be contractually agreed with the manufacturer in order to avoid having to work with a system that is unusable under data protection law.
This also applies to the privacy-by-default principle: systems must be configurable in such a way that they only process data that is absolutely necessary for the purpose for which it is being processed. This means that if a certain app feature (e.g. personalization) is not required to fulfill a specific processing purpose (e.g. writing texts), it must initially remain deactivated until the data subject specifically activates it.
As with all other obligations under the GDPR, compliance with the privacy-by-design and default principles is subject to fines.
Creation of a catalog of requirements regarding what the system provided by the manufacturer must or should be able to do from a data protection perspective (e.g. interface for exercising data subject rights).
Commitment of the manufacturer to the defined data protection requirements
If necessary, configure the system according to Privacy by Default (if not already done by the manufacturer)
Continuous compliance with the two principles, especially when implementing new features in the system.
>> Find out which other data protection obligations have to be considered with respect to European data protection law.
familiar with the characteristics of small and large companies
experienced in communicating with data protection authorities
active in data protection for over 10 years.
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
