The following will analyze the requirements of Art. 25(2) GDPR. It uses the definition of defaults provided in thedetermining the instructions for technical resourcessection in this document (1.3.3).
As clear from the above definition, defaults pertain to settings (sometimes arranged as preferences or user profile) that are under the control of the data subject. Controllers decide about the default settings, i.e. the settings that are active in the absence of any intervention on part of the data subject.
These settings influence the processing that takes place, including the following aspects:
- the personal data that are being processed,
- the extent of processing that is performed,
- the period for which the data are stored, and
- the natural persons to which the personal data is made accessible.
The following example of settings shall illustrate this:
- Data subjects can optionally provide an e-mail address in order to be informed about the processing status of an order. Evidently, this affects the amount of personal data that is processed by the controller. It also affects the extent of processing.
- For an order processing, data subjects always have to provide a shipping address and payment information. Optionally, they can click a box to remember this information to avoid typing it in repeatedly for future orders. While the amount of data processed by the controller is always the same, the user-controlled option obviously affects the storage period of that data.
- A social media provider may present its users with privacy settings that control the visibility of their posts, ranging from only close friends to everybody. Evidently, this privacy setting controls the natural persons who have access to the posts, which represent personal data.
The GDPR includes the following:
The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
Art. 25(2) thus mandates that by default, the processing shall be limited to what is necessary for the purposes. It further clarifies that this must be understood in respect of the amount of data, the extent of processing, and the period of data storage. The third sentence states that this is also applicable to the number of persons to which the data is made accessible. This thus seems to refer to the number of recipients (as defined in Art. 4(9) GDPR).
The wording of Art. 25(2) implies that there must be some kinds of additional purposes: by default, the processing must be limited to a certain set of purposes; but after the intervention of the data subject, evidently the processing goes beyond this limitation. This implies, the processing then pursues additional purposes.
The above examples help to understand this better. In the first example, the additional purpose is to keep the data subject informed about the processing status of orders. In the second example, the additional purpose is to improve user convenience for those data subjects who expect to place orders again in the future. In the third example, no additional purpose is pursued. In fact, the purpose of restricting the visibility of social media posts to the range intended by the user, is always present. Note that the third sentence of Art. 25(2) that fits this example also refrains from making reference to purposes.
These examples illustrate that the additional purposes and the purposes underlying the situation addressed in the third sentence are always purposes that benefit the data subjects.
Based on this analysis, Art. 25(2) seems to state that by default:
- additional purposes that may benefit data subjects shall be disabled, at least as long as they require the collection additional data, increase the extent of processing, cause an extension of the storage period, or increase the number of recipients;
- where a purpose in the interest of the data subject is always pursued by the processing (i.e., cannot be disabled), its data protection impact must be minimized regarding collected data, extent of processing, storage period, and number of recipients.
Art. 25(2) can be seen as some kind of protection against “back doors” where controllers collect additional data, store it for longer periods, increase the extent of processing or the recipients, with the justification that it was the wish of the data subject. Evidently, data subjects who have not intervened in any way, may not even be aware of “their wishes”, may not have read the expression of their wishes in detail, or are at least influenced by the default values to more likely express “wishes” favored by the controller.
This safeguard that explicitly requires the data subject’s explicit intervention thus mandates the use of opt-in dialogs and prohibits opt-out dialogs. It is the same concept that is called a “clear affirmation action” in the context of consent (see Art. 4(11) GDPR). It is directly comparable to stating that without a clear affirmative action, i.e., “without the individual’s intervention”, additional processing in terms of the amount and storage period of data, extent of processing, or number of recipients is illegitimate. It is important to note that this requirement of opt-in solutions is independent on whether consent is chosen as the legal basis or not.
Based on the above analysis, the measures referred to in Art. 25(2) could include the following:
- Measures that ascertain that the default settings minimize the data protection impact of the processing.
- Measures that ascertain that the data subjects are informed about the consequences of the settings that are under their control.
- Measures that ascertain that the decisions expressed by the settings are specific. For example, additional purposes cannot be enabled all with a single check-box, but it needs to be possible to enable them individually.
- Measures that verify the absence of any kind of nudging in the dialog where users chose their settings, in order to make sure that data subject can freely choose their preferences.
1“In particular” indicates that the rest of the sentence is an application of the expression of the previous sentence. ↑