Article 25 of GDPR: Privacy and data protection by design
One important obligation stemming from GDPR is the data privacy and data protection by design concept.
Article 25 of GDPR sets the stage for companies to consider data privacy and data protection in all aspects of their business, including product development and their operations all the way to the rendering of their services.
Data minimisation and pseudonymisation (Article 25(1) GDPR)
To observe the obligations of Article 25(1) of GDPR, companies are required to incorporate principles like data minimisation and measures like pseudonymisation designed to protect personal data.
Such principles should be implemented:
- When the company determines the means of processing personal data
- At the time of personal data processing
To determine the technical and organisational measures most appropriate for implementing data minimisation, an organisation should take into consideration:
- The state of the art
- Cost of implementation
- Nature of processing
- Scope of processing
- Context of processing
- Purpose of processing
- Risks to data subjects
Collect only the personal data necessary (Article 25(2) GDPR)
By default, companies should only collect personal data necessary for the intended purpose.
There should be no other personal data processing.
To achieve this objective by default, companies must put processes and procedures in place to collect only the personal data that is needed.
Such measures should apply to:
- The amount of personal data collected
- The extent of personal data processing
- The period of time personal data will be stored
- The accessibility of the personal data
Last, companies should make sure that, by default, personal data is not made accessible to others without the individual’s intervention.
Approved certifications (Article 25(3) GDPR)
To demonstrate that a company complies with its obligation of data privacy and data protection by design, it can opt for an approved certification mechanism further to Article 42 of GDPR.
Recitals applicable to Article 25 of GDPR
Relevant Recitals: 78
Cited Legislation in Article 25 or relevant recitals
GDPR Text: Article 25 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)