Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default
Section 2.2. Article 25(2): Data protection by default
39. A “default”, as commonly defined in computer science, refers to the pre-existing or preselected value of a configurable setting that is assigned to a software application, computer programor device. Such settings are also called “presets” or “factory presets”, especially for electronic devices.
40. Hence, “data protection by default” refers to the choices made by a controller regarding any pre-existing configuration value or processing option that is assigned in a software application, computer program or device that has the effect of adjusting, in particular but not limited to, the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
41. If there were no default settings, data subjects would be overwhelmed by options that he or she may not have the ability to grasp. Thus, in many cases, controllers must decide on these options on behalf of the data subjects, and in doing so they have to ensure that only the personal data that is necessary to achieve the purpose of the processing is enabled. Here, controllers must rely on their assessment of the necessity of the processing with regards to the legal grounds of Article 6(1). If the controller uses third party software or off-the-shelf software, it is vital that functions that do not have coverage in the legal grounds or are not compatible with the intended purposes are switched off.
42. The values and processing options should be universal to all instances of the device, service or model, and should minimise the processing of personal data “out of the box”.
43. The same considerations apply to organisational measures supporting processing operations. They should be designed to process, at the outset, only the minimum amount of personal data necessary for the specific operations. This should be particularly considered when allocating data access to staff with different roles.
Technical and organisational measures
44. “Technical and organisational measures” in the context of data protection by default is understood in the same way as discussed above in section 2.1.1, but applied specifically to the principle of data minimisation. The measures applied must be appropriate, meaning they must be suitable, adequate, relevant and limited to achieve the intended purpose.
45. The controller is required to predetermine for which specified, explicit and legitimate purposes the personal data is collected and processed. The measures must by default be appropriate to ensure that only personal data which are necessary for each specific purpose of processing are being processed.
46. The EDPS guidelines to assess necessity and proportionality of measures that limit the right to data protection can be useful also to decide which data is necessary to process in order to achieve a specific purpose.
47.Information security shall always be a default for all systems, transfers, solutions and options when processing personal data.