Data protection by design and by default settings
Having regard to the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as to the risks to the rights and freedoms of natural persons which are likely to vary in terms of probability and gravity with respect to the processing, the controller shall, both in determining the means of processing and in the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement the data protection principles, such as data minimization, and build the necessary safeguards into the processing to comply with the requirements of this Regulation and to protect the rights of data subjects.
The controller shall implement appropriate technical and organizational measures to ensure that, in principle, only personal data necessary for each specific purpose of processing are processed. This obligation shall apply to the amount of personal data collected, the extent to which they are processed, the period for which they are stored and their accessibility. In particular, these measures ensure that, in principle, personal data are not made accessible to an unlimited number of natural persons without human intervention.
A certification mechanism approved in accordance with Article 42 may be used as an element to demonstrate compliance with the requirements of paragraphs 1 and 2 of this Article.