EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default

These Guidelines give general guidance on the obligation of Data Protection by Design and by Default set forth in Art. 25 GDPR, where the core obligation is the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default.

This requires that controllers implement appropriate technical and organisational measures and necessary safeguards, designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects. Controllers must be able to demonstrate the effectiveness of the implemented measures.