PONT Data&Privacy
Checklist: Privacy by design and default

Partly because of the large number of systems that process personal data, it is not possible for privacy supervisors to systematically check all systems for lawfulness and to impose timely sanctions in the event of illegality. To address this problem more proactively, the legislator has opted for the concept of "privacy by design and default" (Art. 25 AVG and Recital 78 AVG; AVG is the Dutch name of the GDPR, and the article numbering is the same). The concept also contributes to compliance with other obligations under the AVG, such as Art. 5 (principles), Art. 24(1) (appropriate measures) and Art. 32 AVG (security).

18 July 2018

The concept requires organizations to incorporate privacy protection measures into the design of products and services, pre-emptively and proactively, already during their development, elaboration, selection and use.

Application of the concept is mandatory for all new processing. Existing processing operations will also have to be brought into line with the concept. This can be done as part of the mandatory periodic evaluation of processing operations (Art. 24 (1) and 32 (2) AVG). Whether complete replacement of existing systems is necessary can be assessed, among other things, in terms of the costs involved (Art. 24 (1) AVG, first sentence).

Privacy by design means that the design itself provides a good level of protection; it also means that, where settings are configurable, the most privacy-friendly setting is selected automatically (privacy by default).

The first paragraph of Art. 25 AVG sets out the principle of privacy by design and default in general. The second paragraph applies the principle to data minimization, i.e. processing only the personal data necessary for each specific purpose (Art. 5(1)(c) AVG) (see also WP 223 and WP 240).

General aspects (Art. 25(1) AVG):

your organization is developing, updating and/or commissioning data-processing systems or techniques;

appropriate technical and organizational privacy-enhancing measures should be taken during the development and/or before these systems go live. These measures should address:

  • the determination of the means of processing (by what means the data processing will take place); and

  • the data processing itself.

the measures to be taken depend on the following circumstances:

  • the state of the art;

  • implementation costs;

  • nature of processing;

  • context of processing;

  • purpose of processing;

  • any risks to the rights and freedoms of natural persons.

the measures serve to implement the data protection principles of the AVG, which includes:

  • data minimization;

  • implementing those principles in an effective manner;

  • integrating the necessary safeguards into the processing so that the requirements of the AVG are met;

  • protecting the rights of data subjects.

Developing, updating and/or commissioning (new) data processing systems or techniques:

Privacy by design and default apply in principle to every development, update and/or commissioning of (new) data processing systems and techniques. If your organization has a system or technique that processes personal data developed, selected, put into use or updated, the requirements of privacy by design and default apply. Examples include payroll systems, CRM systems, an electronic patient record, a work laptop, a "Bring Your Own Device" arrangement, a website, an intranet, camera surveillance, an access card system, a personnel tracking system or wearables.


Examples of privacy by design and default measures:

Privacy by design and default measures refer to "baked-in" privacy protection measures aimed at meeting legal obligations when designing and commissioning personal data processing systems. A test to verify whether your organization has taken adequate measures is to check whether a reasonably competent expert would have taken the same measures. Concrete examples of privacy-enhancing measures are as follows:

- encryption (rendering the data unreadable to anyone who does not hold the key);
- pseudonymization (replacing directly identifying data with a pseudonym, for example via a keyed hash or a lookup table, such that the data can no longer be attributed to a specific person without additional information that is kept separately; Art. 4(5) AVG);
- granular access control (such as Attribute Based Access Control (ABAC));
- data minimization (limiting the processing of personal data to what is necessary);
- not pre-ticking consent boxes;
- creating transparency about the functions of the system and the processing of personal data;
- enabling the data subject to exercise control over the processing;
- a web store that never calls its customers need not process a phone number;
- the deactivated workplace account of an ex-employee should be deleted promptly;
- an address list should be accessible only to employees who need to process the addresses for the purpose;
- free-text ("open") input fields should be avoided, so that irrelevant or inadmissible information cannot be entered.
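The pseudonymization and data minimization items above, as an added worked example (Python, written for this page; it is not code from the checklist or its publisher). It uses a constructed, fictional customer data set and a fixed demo key, and the function names are hypothetical. It shows the caveat a practitioner should know: an unkeyed hash of a low-entropy identifier such as a phone number is not meaningful pseudonymization, because anyone can enumerate the input space and recompute it; a keyed hash (HMAC) keeps records linkable for the controller while the key is the "additional information" that must be stored separately. The record step also drops every field the stated purpose does not need.

```python
"""Added example: keyed pseudonymization plus field-level data minimization.
Sample data, the demo key and all function names are constructed for this
illustration and are not part of the checklist."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample order records (fictional people, fictional numbers).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "phone": "+31612345678", "order_total": 49.90},
    {"customer_id": "C-1002", "email": "bob@example.com",
     "phone": "+31612345699", "order_total": 12.50},
    {"customer_id": "C-1001", "email": "alice@example.com",
     "phone": "+31612345678", "order_total": 5.00},
]

# Demo key, fixed so the example is reproducible. In a real system the key is
# generated once (see new_key) and stored separately from the pseudonymized
# data set: it is the "additional information" of Art. 4(5) AVG.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key. Keep it apart from the
    pseudonymized data (secrets manager or HSM), never in the same table."""
    return secrets.token_bytes(32)


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Anyone who can enumerate the input space recomputes it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: deterministic per key (records stay linkable),
    but not reproducible by anyone who does not hold the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def recover_by_enumeration(target: str, candidates: Iterable[str],
                           pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification attempt: recompute the pseudonym of every candidate
    value and compare. Returns the matching original value, or None."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), target):
            return candidate
    return None


def pseudonymise_records(records, key, pseudonymise_fields, keep_fields):
    """Replace each field in pseudonymise_fields with a keyed pseudonym, copy
    keep_fields unchanged, and drop every other field (minimization by default)."""
    out = []
    for rec in records:
        new_rec = {}
        for name, value in rec.items():
            if name in pseudonymise_fields:
                new_rec[name] = keyed_pseudonym(str(value), key)
            elif name in keep_fields:
                new_rec[name] = value
            # any other field is not needed for the purpose and is not copied
        out.append(new_rec)
    return out


def dutch_mobile_candidates(prefix: str = "+316123456") -> list:
    """Constructed candidate space: 100 numbers sharing a prefix. A real
    attacker simply enumerates all numbers of the country, which is cheap."""
    return [f"{prefix}{n:02d}" for n in range(100)]


if __name__ == "__main__":
    phone = SAMPLE_RECORDS[0]["phone"]
    cands = dutch_mobile_candidates()
    print("unkeyed hash, recovered:",
          recover_by_enumeration(naive_pseudonym(phone), cands, naive_pseudonym))
    print("keyed hash, attacker guessing a key:",
          recover_by_enumeration(keyed_pseudonym(phone, DEMO_KEY), cands,
                                 lambda v: keyed_pseudonym(v, b"guess")))
    print("keyed hash, holder of the key:",
          recover_by_enumeration(keyed_pseudonym(phone, DEMO_KEY), cands,
                                 lambda v: keyed_pseudonym(v, DEMO_KEY)))
    # Purpose: order statistics per customer. Email and phone are not needed.
    for rec in pseudonymise_records(SAMPLE_RECORDS, DEMO_KEY,
                                    {"customer_id"}, {"order_total"}):
        print(rec)
```

The same key must be used for the whole data set so that the two orders of customer C-1001 remain linkable for statistics; rotating the key breaks linkability, which is itself a design choice (for example, per-year keys limit how long records can be joined). Whoever holds the key can re-attribute the data, so access to the key is the access control that makes the pseudonymized set worth less to an intruder.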

Processing more data about the data subject:

Privacy by default means that optional processing is unchecked by default. Your organization may nevertheless invite the data subject to opt in to such processing; this is permitted. The option can be displayed together with an explanation of what data will be processed once it is checked, including the purposes for which that data will be processed.

Privacy by design and default applied to data minimization (Art. 25(2) AVG):

measures aimed at ensuring compliance with the principle of data minimization (Art. 5(1)(c) AVG);

the obligation applies to any personal data processing within your organization;

appropriate technical and organizational measures should be taken in order to process only those personal data necessary for the relevant processing purpose;

this obligation applies to the following aspects of a data processing operation:

  • the amount of personal data collected;

  • the extent to which they are processed;

  • the retention period for which they are stored;

  • the accessibility of personal data.

the measures must in particular ensure that, by default, personal data are not made accessible to an indefinite number of persons without the data subject's intervention.

Finally:

the European Union Agency for Network and Information Security (ENISA) has written several reports regarding privacy by design and default. ENISA focuses primarily on the technical (privacy-enhancing) measures that organizations can take to comply with privacy by design and default. These reports can be found at www.enisa.europa.eu;

The use of approved certification mechanisms helps demonstrate compliance with the requirements of Art. 25 AVG (Art. 25(3) AVG);

in public procurement, the principle of privacy by design and default must be taken into account in the procurement by the relevant public institution (last sentence of recital 78 AVG).

This is a checklist from the publication Checklist Privacy AVG: privacy policies in 57 checklists
