Data protection by design and by default
Author | Michèle Finck |
Pages | 85-86 |
Blockchain and the General Data Protection Regulation
8. Data protection by design and by default
Pursuant to Article 25 GDPR
1. Taking into account the state of the art, the cost of implementation and the nature, scope,
context and purposes of processing as well as the risks of varying likelihood and severity for
rights and freedoms of natural persons posed by the processing, the controller shall, both at
the time of the determination of the means for processing and at the time of the processing
itself, implement appropriate technical and organisational measures, such as
pseudonymisation, which are designed to implement data-protection principles, such as data
minimisation, in an effective manner and to integrate the necessary safeguards into the
processing in order to meet the requirements of this Regulation and protect the rights of data
subjects.
2. The controller shall implement appropriate technical and organisational measures for
ensuring that, by default, only personal data which are necessary for each specific purpose of
the processing are processed. That obligation applies to the amount of personal data
collected, the extent of their processing, the period of their storage and their accessibility. In
particular, such measures shall ensure that by default personal data are not made accessible
without the individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an element to
demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
organisational measures capable of ensuring respect for the principles of European data
protection law. This underlines that both system design and organisational structures (which
includes blockchain governance) should account for data protection principles, underlining
the importance of architecture and its influence on individuals.
In accordance with this obligation, the data controller ought to adopt internal policies and
implement measures which meet in particular the principles of data protection by design and data
protection by default which could include 'minimising the processing of personal data,
pseudonymising personal data as soon as possible, transparency with regard to the functions and
processing of personal data, enabling the data subject to monitor the data processing, enabling the
controller to create and improve security features'.[526] The GDPR foresees the possibility of using
certification mechanisms pursuant to Article 42 GDPR 'as an element to demonstrate compliance'
with these requirements.[527] Certification is examined separately just below.
Rights Ireland that the essence of Article 8 of the Charter of Fundamental Rights requires the
adoption of 'technical and organisational measures' that are able to ensure that personal data is
given 'effective protection' against any risk of abuse and against unlawful access and use.[528] This
indicates that it is likely that the ECJ will provide a strict interpretation of Article 25 GDPR when called
[526] Recital 78 GDPR.
[527] Article 25 (3) GDPR.
[528] Joined Cases C-293/12 and C-594/12 Digital Rights Ireland, paras 40 and 66-67.