Spanish regulator: Privacy by Design Guide

The Spanish supervisory authority (Agencia española de protección de datos, AEPD) has published a guide on Privacy by Design (PDF in English).

The Authority or the Guide is based on the following principles or “foundational principles” from:

Proactive not Reactive; Preventative not Remedial

Privacy as the Default Setting

Privacy Embedded into Design

Full Functionality: Positive-Sum, not Zero-Sum

End-to-End Security: Full Lifecycle Protection

Visibility and Transparency: Keep it Open

Respect for User Privacy: Keep it User-Centric

These principles are explained below. Subsequently, the authority states that the obligation to privacy by design concerns the controller (and of course the jointly responsible parties), but not service providers. Service providers are indirectly affected in that their customers may rely on appropriately designed products for their compliance.

In a second part, the authority explains the data protection requirements for the design of data processing systems. For this purpose, it classifies the principles of data protection law into three overarching protection goals:

Non-chainability:
1. Data minimization
2. Memory limitation
3. Integrity and confidentiality
Transparency
1. Legality, fairness and transparency
2. Earmarking
Control
1. Earmarking
2. Correctness
3. Integrity and confidentiality
4. Accountability

Integrity, confidentiality and availability, i.e. the protection goals of data security, are included because the Data security is a requirement under data protection law; however, data protection goes beyond this, which is why the data protection Protection goals are more comprehensive.

This classification of the authority is not new. It partly coincides with the German Standard Data Protection Model (SDM)which makes compliance with data protection requirements systematically verifiable. The German Conference of Federal and State Data Protection Commissioners (DSBK) adopted the concept of protection goals in 2010, and the SDM was published in the form of a handbook in 2015. The current version 2.0 was adopted by the 98^th Conference of the DSBK from November 5 to 7, 2019.

David Vasella

November 10, 2019

Deutsch

Authority

AEPD (ESP)

Area

Privacy, Security & Resilience

Topics

GDPR 25, Privacy by design

DSK: Position paper on cloud-based digital health applications

Ireland: fine of EUR 345 million against TikTok – violations of the duty to inform and insufficient TOMs regarding children

EDSA: 2^nd version of the guidelines on Privacy by Design and Privacy by Default / comments on the systematics.

Subscribe to news →

common search words

Topics

Spanish regulator: Privacy by Design Guide

EDSA: Guidelines on the scope of application of cookie consent, comments on cookies under Swiss law

Ireland: fine of EUR 345 million against TikTok – violations of the duty to inform and insufficient TOMs regarding children

EDSA: 2^nd version of the guidelines on Privacy by Design and Privacy by Default / comments on the systematics.

com­mon search words

Topics

Spa­nish regu­la­tor: Pri­va­cy by Design Guide

EDSA: Gui­de­lines on the scope of appli­ca­ti­on of coo­kie con­sent, comm­ents on coo­kies under Swiss law

DSK: Posi­ti­on paper on cloud-based digi­tal health applications

Ire­land: fine of EUR 345 mil­li­on against Tik­Tok – vio­la­ti­ons of the duty to inform and insuf­fi­ci­ent TOMs regar­ding children

EDSA: 2nd ver­si­on of the gui­de­lines on Pri­va­cy by Design and Pri­va­cy by Default / comm­ents on the systematics.

common search words

Spanish regulator: Privacy by Design Guide

EDSA: Guidelines on the scope of application of cookie consent, comments on cookies under Swiss law

DSK: Position paper on cloud-based digital health applications

Ireland: fine of EUR 345 million against TikTok – violations of the duty to inform and insufficient TOMs regarding children

EDSA: 2^nd version of the guidelines on Privacy by Design and Privacy by Default / comments on the systematics.