Interplay between the GDPR Articles 25 (‘Data protection by design’, DPbD) and 35 (DPIA).

Neither is a ‘special case’ of the other, as it may seem prima facie. The KEY consideration here is that a DPIA is conducted prior to rolling out new projects that involve data processing operations posing a high risk, and it is therefore tailored specifically to those projects. In contrast, DPbD comes into play at the very earliest stage of a data controller’s lifecycle and applies to every processing activity (not only those posing a high risk), including core ones.

Similarly, a DPIA may only say whether the particular processing is in line with the controller’s privacy policy in the context of the project at issue; it will not evaluate the content of that policy itself.

This leads to a clear understanding that a DPIA is not a substitute for DPbD and, hence, may not be the answer.

Further to this, it should also be noted that DPbD has recently received increased attention from the EDPB (see Guidelines 4/2019) and from national watchdogs in Romania, Greece and Germany, which have issued fines for non-compliance with Article 25.

More to read on this in an article by IAPP authors (see below):

https://iapp.org/news/a/privacy-by-design-gdprs-sleeping-giant/

One Reply to “Interplay between the GDPR Articles 25 (‘Data protection by design’, DPbD) and 35 (DPIA).”

  1. I agree, Konstantin. This article is confusing; I am not sure the author himself understands the significance of Article 25 vs. Article 35. He is mixing them up. A DPIA is one, and only one, of the tools to use in order to achieve Data Protection by Design and by Default. The interchangeable use of Privacy by Design vs. Data Protection by Design and by Default is also indicative that the author doesn’t really get it.
