Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default
Paragraph 2.2.1 Required application of data protection by default
48. The aforementioned obligation to only process personal data which are necessary for each specific purpose applies to the following elements:
“amount of personal data collected”
49. In accordance with the principle of data minimisation, by default, only the amount of personal data that is necessary for the processing shall be processed.
50. “Amount” refers to quantitative as well as qualitative considerations. Controllers must consider both the volume of personal data and the types, categories and level of detail of personal data required for the processing purposes. Their design choices should take into account the increased risks to the principles of security, data minimisation and storage limitation when collecting large amounts of detailed personal data, and compare that against the reduced risks of collecting less finely detailed information about data subjects. In any case, the default setting must not include collection of personal data that is not necessary for the specific processing purpose. In other words, if certain categories of personal data are unnecessary, or if detailed data isn’t needed because less granular data is sufficient, then any surplus personal data shall not be collected.
“the extent of their processing”
51. Processing operations performed on personal data shall be limited to what is necessary. As noted above, many processing operations may contribute to a processing purpose, but just because personal data is needed to fulfil a purpose does not mean that all types of, and frequencies of, processing operations may be carried out on the data. Controllers should also be careful not to extend the boundaries of “compatible purposes”, and have in mind what processing will be within the reasonable expectations of data subjects.
“the period of their storage”
52. If personal data is not needed after its first processing, then it shall by default be deleted or anonymized. Any retention should be objectively justifiable and demonstrable by the data controller in an accountable way. Anonymization of personal data is an alternative to deletion, provided that all the relevant contextual elements are taken into account and the likelihood and severity of the risk, including the risk of re-identification, is regularly assessed. Further guidance is available in Opinion 05/2014 of the Art. 29 Working Party. For both the deletion and the anonymization process, the controller shall limit the retention period to what is strictly necessary. This obligation is directly related to the principle of storage limitation in Article 5(1)(e), and it is a requirement that storage limitation is the default in the processing, i.e. the controller must have systematic procedures for data deletion embedded in the processing.
53. The controller must limit who can have access to personal data based on an assessment of necessity, and also make sure that personal data is in fact accessible to those who need it when necessary, for example in critical situations. Access controls must be observed for the whole data flow during the processing.
Article 25(2) further states that personal data shall not be made accessible, without the individual’s intervention, to an indefinite number of natural persons. The controller must by default limit accessibility and consult with the data subject before publishing or otherwise making available personal data about the data subject to an indefinite number of natural persons.
54. This provision applies irrespective of the legal grounds for processing and of national legislation on freedom of information. Limiting intended or unintended dissemination is to limit possible situations where data subjects may experience a negative impact from the processing stemming from a lack of control over personal data.
55. Depending on the legal grounds for processing, the opportunity to intervene could either mean to ask for consent to make the personal data publicly accessible, or to provide information about the public accessibility in order to enable data subjects to exercise their rights in Articles 15 to 22. Either way, the extent of the public accessibility of the personal data should be made transparent to the data subject at the time of “intervention”, which is the moment for the data subject’s intervention.
56. Making personal data available to an indefinite number of persons may result in even further dissemination of the data than initially intended; this is particularly relevant in the context of the Internet and search engines. Even though the recipient controller is accountable for the legality of the further processing, there is still an obligation on the original controller not to make the personal data unduly accessible in the first place. This can be done using technical tools and protocols to prevent search engines from indexing the data. For example, a controller using a website to publish personal data can make use of a “no-robot-textfile” (a robots.txt file) to signal to search engines not to crawl the webpage. In this case, it is also vital that the controllers responsible for the search engines respect these protocols, although they aren’t binding.
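As an added illustration of the robots.txt technique in paragraph 56 (example code, not part of the EDPB guidelines), the following script checks offline that the paths on which a site publishes personal data are disallowed for crawlers while ordinary pages stay crawlable; the site, paths and robots.txt text are constructed for the example. As the guideline notes, the file only signals a request that search engines may or may not honour.

```python
"""Audit a robots.txt against the URLs that carry personal data.
Added example; site names, paths and the robots.txt text are constructed."""
import urllib.robotparser

# Constructed robots.txt for a hypothetical site: a member directory and
# public notices containing personal data live under /directory/ and
# /notices/; everything else may be crawled.
ROBOTS_TXT = """\
User-agent: *
Disallow: /directory/
Disallow: /notices/
Allow: /
"""

# Constructed URL lists: pages with personal data (should be disallowed)
# and pages without personal data (should remain crawlable).
PERSONAL_DATA_URLS = [
    "https://example.org/directory/members.html",
    "https://example.org/notices/2019/planning-objection-42.html",
]
PUBLIC_URLS = ["https://example.org/", "https://example.org/about.html"]


def load_rules(text: str) -> urllib.robotparser.RobotFileParser:
    """Parse robots.txt text directly, without fetching it over the network."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def crawl_allowed(rp: urllib.robotparser.RobotFileParser, url: str,
                  agent: str = "*") -> bool:
    """True if the rules for `agent` permit fetching `url`."""
    return rp.can_fetch(agent, url)


def audit(text: str, personal: list, public: list) -> dict:
    """Report personal-data URLs that crawlers may still fetch (an
    accessibility-by-default gap) and public URLs that are blocked by mistake."""
    rp = load_rules(text)
    return {
        "leaking": [u for u in personal if crawl_allowed(rp, u)],
        "overblocked": [u for u in public if not crawl_allowed(rp, u)],
    }


if __name__ == "__main__":
    print(audit(ROBOTS_TXT, PERSONAL_DATA_URLS, PUBLIC_URLS))
```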
57. Even in the event that personal data is made available publicly with the permission and understanding of a data subject, it does not mean that any other controller with access to the personal data may freely process it themselves, for their own purposes; they must have a separate legal basis.