EDPB: Gui­de­lines on Pri­va­cy by Design and Pri­va­cy by Default (draft).

The Euro­pean Data Pro­tec­tion Board (EDSA) has published draft gui­de­lines on Pri­va­cy by Design and Pri­va­cy by Default as defi­ned in Artic­le 25 of the GDPR, dated Novem­ber 13, 2019 (Gui­de­lines 4/2019 on Artic­le 25 Data Pro­tec­tion by Design and by Default). The draft is open for con­sul­ta­ti­on and comm­ents will be accept­ed until Janu­ary 16, 2020.

The (pri­ma vista not very pro­duc­ti­ve) gui­de­lines main­ly con­tain an ana­ly­sis of Art. 25 GDPR. Sin­ce Art. 25(1) GDPR requi­res that appro­pria­te tech­ni­cal and orga­nizatio­nal mea­su­res (TOMs) be taken – only not at the time of the actu­al pro­ce­s­sing, but alre­a­dy at the “time of the deter­mi­na­ti­on of the means for the pro­ce­s­sing” – the EDSA’s comm­ents are gene­ral­ly rele­vant for the deter­mi­na­ti­on of appro­pria­te TOMs.