Spanish regulator: Privacy by Design Guide

The Spanish supervisory authority (Agencia española de protección de datos, AEPD) has published a guide on Privacy by Design (PDF in English).

The authority bases the guide on the following principles, or “foundational principles”, from:

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality: Positive-Sum, not Zero-Sum
  5. End-to-End Security: Full Lifecycle Protection
  6. Visibility and Transparency: Keep it Open
  7. Respect for User Privacy: Keep it User-Centric

These principles are explained below. The authority then states that the obligation to implement privacy by design applies to the controller (and, of course, to joint controllers), but not to service providers. Service providers are affected indirectly, in that their customers may rely on appropriately designed products for their own compliance.

In a second part, the authority explains the data protection requirements for the design of data processing systems. For this purpose, it groups the principles of data protection law under three overarching protection goals:

  1. Unlinkability:
    1. Data minimization
    2. Storage limitation
    3. Integrity and confidentiality
  2. Transparency
    1. Lawfulness, fairness and transparency
    2. Purpose limitation
  3. Control
    1. Purpose limitation
    2. Accuracy
    3. Integrity and confidentiality
    4. Accountability

Integrity, confidentiality and availability, i.e. the protection goals of data security, are included because data security is a requirement under data protection law; however, data protection goes beyond this, which is why the data protection goals are more comprehensive.

This classification by the authority is not new. It partly coincides with the German Standard Data Protection Model (SDM), which makes compliance with data protection requirements systematically verifiable. The German Conference of Federal and State Data Protection Commissioners (DSBK) adopted the concept of protection goals in 2010, and the SDM was published in the form of a handbook in 2015. The current version 2.0 was adopted at the 98th Conference of the DSBK, held from November 5 to 7, 2019.



