Data protection by design and by default

• Author: Michèle Finck
• Pages: 85-86

Blockchain and the General Data Protection Regulation

85

8. Data protection by design and by default

Pursuant to Article 25 G DPR

1. Taking into account the state of the art, the cost of implementation and the nature, scope,

context and purposes of processing as well as the risks of varying likelihood and severity for

rights and freedoms of natural persons posed by the processing, the controller shall, both at

the time of the determination of the means for processing and at the time of the processing

itself, implement appropriate technical and organisational measures, such as

pseudonymisation, which are designed to implement data-protec tion principles, such as data

minimisation, in an effective manner and to integrate the necessary safeguards into the

processing in order to meet the requirements of this Regulation and protect the rights of data

subjects.

2. The controller shall implement appropriate technical and organisational measures for

ensuring that, by default, only personal data which are necessary for each specific purpose of

the processing are processed. That obligation applies to the amount of personal data

collected, the extent of their processing, the period of their storage and their accessibility. In

particular, such measures shall ensure that by default personal data are not made accessible

without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to

demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 25 GDPR imposes an obligation on data controllers to implement technical and

organisational measures capable of ensuring respect for the principles of European data

protection law. This underlines that both system design and organisational structures (which

includes blockchain governance) should account for data protection principles, underlining

importance of architecture and its influence on individuals.

In accordance with this obligation, the data controller ought to adopt internal policies and

implement measures which meet in particular the principles of data protection by design and data

protection by default which could include 'minimising the processing of personal data,

pseudonymising personal data as soon as possible, transparency with regard to the functions and

processing of personal data, enabling the data su bject to monitor the data processing, enabling the

controller to create and improve security features'.526 The GDPR foresees the possibility of using

certification mechanisms pursuant to Article 42 GDPR 'as an element to demonstrate compliance'

with these requirements.527 Certification is examined separately just below.

Although the Court of Justice has not yet decided any cases on Article 25 GDPR; it held in Digital

Rights Ireland that the essence of Article 8 of the Charter of Fundamental Rights requires the

adoption of 'technical and organisational measures' that are able to ensure that personal data is

given 'effective protection' against any risk of abuse and against unlawful access and use. 528 This

indicates that it is likely that the ECJ will provide a strict interpretation of Article 25 GDPR when called

526 Recital 78 GDPR.

527 Article 25 (3) GDPR.

528 Joined Cases C-293/12 and C-594/12 Digi tal Rights Ireland, paras 40 and 66-67.