The European Data Protection Board (EDPB) has published draft guidelines on Privacy by Design and Privacy by Default as defined in Article 25 of the GDPR, dated November 13, 2019 (Guidelines 4/2019 on Article 25 Data Protection by Design and by Default). The draft is open for consultation, and comments will be accepted until January 16, 2020.
The guidelines (at first glance not very productive) mainly contain an analysis of Art. 25 GDPR. Art. 25(1) GDPR requires that appropriate technical and organizational measures (TOMs) be taken, and not only at the time of the actual processing but already at the “time of the determination of the means for the processing”. The EDPB’s comments are therefore generally relevant for the determination of appropriate TOMs.