Article 25 of GDPR
Privacy by design and default

Who is obliged

All data controllers


Both at the time of the determination of the means for processing and at the time of the processing itself.

What (privacy by design)

Implementation of appropriate technical and organisational measures which are designed to implement data-protection principles, such as

  • pseudonymisation,
  • data minimisation,

in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

What (privacy by default)

Implementation of appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. Specifically with regard to

  • the amount of personal data collected,
  • the extent of their processing,
  • the period of their storage and
  • their accessibility.

Personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.