The Spanish supervisory authority (Agencia española de protección de datos, AEPD) has published a guide on Privacy by Design (PDF in English).
The authority, or rather the guide, relies on the following principles or “foundational principles” from:
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality: Positive-Sum, not Zero-Sum
- End-to-End Security: Full Lifecycle Protection
- Visibility and Transparency: Keep it Open
- Respect for User Privacy: Keep it User-Centric
The guide goes on to explain these principles. The authority then states that the privacy by design obligation applies to the controller (and of course to joint controllers), but not to service providers. Service providers are affected indirectly, in that their customers may depend on appropriately designed products for their own compliance.
In a second part, the authority explains the data protection requirements for the design of data processing systems. For this purpose, it classifies the principles of data protection law into three overarching protection goals:
- Unlinkability:
  - Data minimization
  - Storage limitation
  - Integrity and confidentiality
- Transparency:
  - Lawfulness, fairness and transparency
  - Purpose limitation
- Control:
  - Purpose limitation
  - Accuracy
  - Integrity and confidentiality
  - Accountability
Integrity, confidentiality and availability, i.e. the protection goals of data security, are included because data security is a requirement under data protection law; however, data protection goes beyond this, which is why the data protection goals are more comprehensive.
This classification by the authority is not new. It partly coincides with the German Standard Data Protection Model (SDM), which makes compliance with data protection requirements systematically verifiable. The German Conference of Federal and State Data Protection Commissioners (DSBK) adopted the concept of protection goals in 2010, and the SDM was published in the form of a handbook in 2015. The current version 2.0 was adopted by the 98th Conference of the DSBK from November 5 to 7, 2019.