Revisiting Privacy by design and default in articles 25 and 32 for the nerds
If there is no material content in GDPR Article 25, then there is no legal basis for the data controller to consider the technologies that only support data protection through design. However, that does not support some of the other goals, for example, treatment of safety. Without material content in Article 25, they may not register the protection they should expect from GDPR.
Based on the above diagram, you can find references to data protection through design that has a material content. Cauvokian principles, Borkins PET's and ENISA's architecture and design patterns are some of the material content that may be covered by Article 25.
However, the transition to a risky approach to the data security clause in Article 32, specific material content ceases in the form of safety notice. That does not mean that anybody is asking whether Article 32 does not have in the future any material content because you are used to it through practice and case law.
Article 25 should be understood in the same way as Article 32: Data controller must make an accurate assessment and choose from its wide range of technologies and methods available. Further the data controller must implement them as measures to support security and a design that protects the registered warranties, rights and freedoms based on the entire GDPR regulation.
Therefore, there is also an independent substantive content in Article 25, and Article 25 sets a separate and independent requirement for data controllers.
In other words data privacy by design confirms that privacy is built into products, services, application, business and technical processes. Data privacy by default then protects the data subjects fundamental rights and freedom to protection of the personal data.
Based on the above Implementing data privacy by design and default guarantees that:
- Personal data necessary for a specific purpose is collected
- Data relevant to the original data collection purpose can be processed
- Data that is no longer needed is deleted.
- Data subject can opt in or opt out of any site, collection, storage, processing, or deletion of their personal data.