Data protection by design and by default

Author: Michèle Finck
Blockchain and the General Data Protection Regulation
8. Data protection by design and by default
Pursuant to Article 25 GDPR:
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Article 25 GDPR imposes an obligation on data controllers to implement technical and organisational measures capable of ensuring respect for the principles of European data protection law. This underlines that both system design and organisational structures (which include blockchain governance) should account for data protection principles, underlining the importance of architecture and its influence on individuals.
In accordance with this obligation, the data controller ought to adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default, which could include 'minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features'.[526] The GDPR foresees the possibility of using certification mechanisms pursuant to Article 42 GDPR 'as an element to demonstrate compliance' with these requirements.[527] Certification is examined separately just below.
Although the Court of Justice has not yet decided any cases on Article 25 GDPR, it held in Digital Rights Ireland that the essence of Article 8 of the Charter of Fundamental Rights requires the adoption of 'technical and organisational measures' that are able to ensure that personal data is given 'effective protection' against any risk of abuse and against unlawful access and use.[528] This indicates that it is likely that the ECJ will provide a strict interpretation of Article 25 GDPR when called
[526] Recital 78 GDPR.
[527] Article 25(3) GDPR.
[528] Joined Cases C-293/12 and C-594/12 Digital Rights Ireland, paras 40 and 66-67.
