Data protection is becoming increasingly important, especially in the digital world. Data Protection by Design and by Default (“DPbDD”) plays a critical role here and has been enshrined in Article 25 of the EU General Data Protection Regulation (“GDPR”). Data Protection by Design requires that data protection principles be taken into account at the earliest stage of the design process, while Data Protection by Default should ensure that, by default, only the personal data necessary for each purpose of the processing are processed.
Even though Article 25 GDPR addresses data controllers (e.g. companies or public administrations that use software to process personal data), developers may find it useful to become familiar with the DPbDD requirements in order to create GDPR-compliant software that enables controllers to fulfil their data protection obligations. This can also be a competitive advantage over competitors who do not design their products with data protection principles in mind.
11. 1. Introduction
Developer / Producer?
Recital 78 GDPR:
Producers “should be encouraged” to take data protection into account when developing and designing products and to make sure that controllers are able to fulfil their data protection obligations.
DPbDD “should also be taken into consideration” in the context of public tenders.
13. 2. Data Protection by Design
From the very beginning and at all stages of the design of processing activities (from development and procurement to maintenance and deletion), the controller shall implement appropriate technical and organisational measures (TOM) designed to implement the data protection principles in an effective manner.
21. 3. Data Protection by Default
The controller shall implement appropriate technical and organisational measures (TOM) for ensuring that, by default, only personal data that are necessary for each purpose are processed, as to: (a) the amount of data collected; (b) the extent of processing; (c) the storage period; and (d) their accessibility.
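The by-design requirement of Article 25(1) and the four by-default dimensions of Article 25(2) (amount collected, extent of processing, storage period, accessibility), as an added example that is not part of the original slides: a small Python profile store whose starting state is the minimising one, so that collecting more, processing further, keeping longer or sharing wider each requires an explicit act in code. The purposes, field allowlists, retention periods and role names are assumed for illustration and are not taken from the slides or from the GDPR.

```python
"""Added illustration of Art. 25 GDPR (not code from the original slides).
A purpose-bound profile store whose defaults minimise (a) the amount of data
collected, (b) the extent of processing, (c) the storage period and
(d) accessibility. Purposes, allowlists, periods and roles are assumed values."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# (a) amount collected: each purpose names the fields it actually needs.
# Anything else submitted is refused at the boundary rather than stored.
FIELDS_FOR_PURPOSE = {
    "newsletter": frozenset({"email"}),
    "shipping": frozenset({"name", "street", "city", "postcode"}),
}

# (c) storage period: retention belongs to the purpose and is enforced by purge.
RETENTION = {
    "newsletter": timedelta(days=365),
    "shipping": timedelta(days=90),
}


@dataclass
class Record:
    purpose: str
    data: dict
    collected_at: datetime
    # (d) accessibility: readable only by the role serving the purpose it was
    # collected for; widening access is a separate, explicit call.
    visible_to: frozenset
    # (b) extent of processing: secondary uses are opt-in and default to off.
    analytics_consent: bool = False


class ProfileStore:
    def __init__(self, now=None):
        self._records = []
        # Injectable clock so retention behaviour can be tested deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))

    def collect(self, purpose, submitted, analytics_consent=False):
        """Store only the allowlisted fields for `purpose`; return the keys
        that were dropped so the caller can see what was refused."""
        allowed = FIELDS_FOR_PURPOSE[purpose]  # unknown purpose: KeyError, deliberately
        kept = {k: v for k, v in submitted.items() if k in allowed}
        self._records.append(Record(purpose, kept, self._now(),
                                    visible_to=frozenset({purpose}),
                                    analytics_consent=analytics_consent))
        return sorted(set(submitted) - allowed)

    def grant_access(self, purpose, role):
        """Explicitly widen visibility of all records of a purpose to a role."""
        for r in self._records:
            if r.purpose == purpose:
                r.visible_to = r.visible_to | {role}

    def read(self, role):
        """Records a role may see: none unless the purpose or a grant allows it."""
        return [r for r in self._records if role in r.visible_to]

    def records_for_analytics(self):
        """Only records whose data subject opted in to the secondary use."""
        return [r for r in self._records if r.analytics_consent]

    def purge_expired(self):
        """Delete records older than their purpose's retention; return the count."""
        now = self._now()
        kept = [r for r in self._records
                if now - r.collected_at <= RETENTION[r.purpose]]
        removed = len(self._records) - len(kept)
        self._records = kept
        return removed


def demo():
    """Walk the four dimensions with a fixed clock; return the observations."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    store = ProfileStore(now=lambda: clock[0])
    # Constructed sample input: two over-collecting form submissions.
    dropped = store.collect("newsletter", {"email": "a@example.com",
                                           "phone": "+1 555 0100",
                                           "birthday": "1990-01-01"})
    store.collect("shipping", {"name": "A. Subject", "street": "Main St 1",
                               "city": "Town", "postcode": "00000",
                               "email": "a@example.com"})
    before_grant = len(store.read("marketing"))
    store.grant_access("newsletter", "marketing")
    after_grant = len(store.read("marketing"))
    analytics = len(store.records_for_analytics())
    clock[0] += timedelta(days=100)  # past the 90-day shipping retention
    purged = store.purge_expired()
    return {
        "dropped_on_collect": dropped,              # ['birthday', 'phone']
        "marketing_reads_before_grant": before_grant,  # 0
        "marketing_reads_after_grant": after_grant,    # 1
        "analytics_records": analytics,             # 0: nobody opted in
        "purged_after_100_days": purged,            # 1: the shipping record
        "remaining_newsletter": len(store.read("newsletter")),  # 1
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that every widening step (an extra field, a secondary use, a longer period, a new reader) is a positive action visible in code review, while the defaults need no decision at all; an allowlist per purpose also fails closed for a purpose nobody has defined, which is the behaviour a controller asking "why do we hold this field?" will want to see.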
28. 4. Recommendations
Help controllers to comply
Think about data protection from the very beginning
Integrate DPbDD in procurement, development & life-cycle
Think about guarantees (e.g. certification)
36. 5. Conclusions
Data Protection by Design / Data Protection by Default
1. No GDPR obligations if you are not a controller.
2. A contractual obligation?
3. Public tenders?
4. A competitive advantage?
37. Thank you
Avv. Christian Notdurfter
T +39 392 9100 581
E contact@notdurfter.com
Via Paul von Sternbach 1, 39031 Brunico (Bolzano)
Corso Magenta 63, 20123 Milano