Guidelines by the European Data Protection Board
Home » The GDPR » Main Concepts » Data Protection by Design and by Default (DPbDD) » Guidelines by the European Data Protection Board

The European Data Protection Board (EDPB) has issued guidelines on Data Protection by Design and by Default[1]. It emphasizes the importance of understanding and applying the data protection principles (see the “Main Principles” section in the general part of these Guidelines) and of implementing data subject rights (see the “Data Subject Rights” section in the general part of these Guidelines).

The importance of the data protection principles is for example expressed in paragraph 61: “Controllers need to implement the principles to achieve DPbDD. These principles include: transparency, lawfulness, fairness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. These principles are outlined in Article 5 and Recital 39 of the GDPR. To have a complete understanding of how to implement DPbDD, the importance of understanding the meaning of each of the principles is emphasized.”

The importance of data subject rights is stated in paragraph 63: “While this section focuses on the implementation of the principles, the controller should also implement appropriate and effective ways to protect data subjects’ rights, also according to Chapter III in the GDPR where this is not already mandated by the principles themselves.”

The EDPB guideline dedicates its section 3 to the implementation of data protection principles. The PANELFIT guidelines go beyond this by providing a more detailed description of each principle together with many examples of technical and organizational measures suitable to implement those principles.

Like the EDPB guidelines, the following text also analyzes the meaning of Article 25 GDPR. The present text attempts to provide additional concrete guidance, however. To achieve this, it not only provides a legal analysis of the phases of processing according to the GDPR, but also provides a technical analysis of what tasks are necessary for each phase. In particular, this is done for determining the means of processing and for the processing itself. In each of the tasks that are identified, the data protection principles can then be applied and technical and organizational measures identifies and implemented.

A second major difference from the present text and the EDPB guidelines is that the former discusses the actual process necessary for applying DPbDD in the various phases.

A minor difference is that the present text goes into further detail on how controllers can pass on requirements to producers of software and services. The text does not go into the merit of certification, however; should this be relevant to readers, they are referred to the EDBP guidelines.


1European Data Protection Board, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, Version 2.0, Adopted on 20 October 2020, (last visited 30/11/2021).


Skip to content