The European Data Protection Board ("EDPB") has adopted, for public comments, draft guidelines on the obligation of data protection by design and by default, as set out in Article 25 of the General Data Protection Regulation ("GDPR").

The core obligation is the effective implementation of the data protection principles and rights and freedoms by design and by default. This requires controllers to

implement appropriate technical and organizational measures and necessary safeguards, which are designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects. Controllers must be able to demonstrate the effectiveness of the implemented measures.

According to the guidelines, data protection by design must be implemented both at the time of determining the means of processing and also at the time of the processing itself. In this regard, it is at the time of determining the means of processing that controllers shall implement measures and safeguards designed to effectively implement the data protection principles.

To ensure effective data protection at the time of processing, the controller must regularly review the effectiveness of the chosen measures and safeguards. The EDPB encourages early consideration of the principles when planning a new processing operation.

The guidelines cover elements that controllers must take into account when designing the processing. The applicable criteria requires controllers to be and stay up to date on technological progress in order to secure continued effective implementation of the d into account the cost and resources required for the effective implementation and continued maintenance of all of the data protection principles throughout the processing operation. Other elements, which controllers must take into account, are the nature, scope, context and purpose of processing, and the risk of the likelihood and substance of the rights and freedoms of natural persons affected by the processing.

Furthermore, the guidelines emphasize that Article 25 of the GDPR, requires data protection by default, which means that by default, only personal data, that is necessary for each specific purpose of the processing, is processed. Consequently, the default settings must be clearly designed with data protection, as the primary objective. Default settings, include both parameters that can be set by controllers and data subjects.

Finally, the guidelines also contain practical guidance on how to effectively implement the data protection principles in Art. 5(1) of the GDPR, listing key design and default elements, as well as practical cases for illustration.