Data Protection by Design and by Default (DPbDD)
Bud P. Bruegger (ULD)

Acknowledgements: The author thankfully acknowledges Kirsten Bock’s help with legal interpretation, Harald Zwingelberg’s feedback and review and a detailed review and suggestions by Hans Graux

This part of the Guidelines was validated by Hans Graux, guest lecturer on ICT and privacy protection law at the Tilburg Institute for Law, Technology, and Society (TILT) and at the AP Hogeschool Antwerpen, and President of the Vlaamse Toezichtscommissie (Flemish Supervisory Committee), which supervises data protection compliance within Flemish public sector bodies.

The present section attempts to provide practitioners with a more detailed understanding of how to practically implement the requirements of Art. 25 GDPR Data Protection by Design and by Default (DPbDD).

The present section on DPbDD is structured as follows:

A first subsection discusses the guidelines on the topic issued by the EDPB. It points out the differences to the approach taken here.

A second subsection describes the scope of the obligations arising from Art. 25 GDPR. Most importantly, it clarifies in which way technology providers are affected by it.

A third subsection analyzes Art. 25 GDPR. Since Art. 25(1) mandates controllers to implement measures both at the time of determining the means and at the time of the processing itself, the precise meaning of "determining the means" and "processing itself" is discussed. This relies on an analysis of what the GDPR states about the structure of processing. The analysis of Art. 25(1) also puts emphasis on the meaning of the effectiveness of measures. The discussion of Art. 25(2) explains what exactly is meant by the term "default" and analyzes the controller's obligations.

A fourth subsection focusses on the actual processes that implement data protection by design. In particular, it describes the processes to implement DPbDD in the three main phases of determining the purposes, determining the means, and the processing itself. These processes aim at a systematic implementation of the data protection principles in every work task of each phase. This then results in the identification and implementation of technical and organizational measures.

