(EN) Example of lawful processing:

Example A bank plans to offer a service to improve efficiency in the management of loan applications. The idea behind the service is that the bank, by requesting permission from the customer, can be able to retrieve data from public authorities about the customer. This may be, for example, tax data from the tax administration.

Initially, this personal data is necessary in order to take steps at the request of the data subject prior to entering into a contract. However, this specific way of processing the personal data is not necessary for entering into a contract, because a loan may be granted without obtaining data directly from public authorities. The customer is able to enter into a contract by providing the information from the tax administration herself.

When implementing the principle of lawfulness, the controller realizes that they cannot use the “necessary for contract-”basis for the part of the processing that involves gathering personal data directly from the tax authorities. The fact that this specific processing presents a risk of the data subject becoming less involved in the processing of their data is also a relevant factor in assessing the lawfulness of the processing itself. The bank concludes that this part of the processing must rely on consent.

The bank therefore presents information about the processing on the online application platform in such a manner that makes it easy for data subjects to understand what processing is mandatory and what is optional. The processing options, by default, do not allow retrieval of data directly from other sources than the data subject herself, and the option for direct information retrieval is presented in a manner that does not deter the data subject from abstaining. Any consent given to collect data directly from other controllers is a temporary right of access to a specific set of information.

Any given consent is processed electronically in a documentable manner, and data subjects are presented with an easy way of controlling what they have consented to and to withdraw their consent.

The controller has assessed these Data protection by design and default (DPbDD) requirements beforehand and includes all of these criteria in their requirements specification for the tender to procure the platform. The controller is aware that if they do not include the DPbDD requirements in the tender, it may either be too late or a very costly process to implement data protection afterwards.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

(EN) Example of transparency measures:

A controller is designing a privacy policy in order to comply with the requirements of transparency. The privacy policy cannot contain a lengthy bulk of information that is difficult for the average data subject to penetrate and understand, it must be written in clear and concise language and make it easy for the user of the website to understand how their personal data is processed. The controller therefore provides information in a multi-layered manner, where the most important points are highlighted. Drop-down menus and links to other pages are provided to further explain the concepts in the policy. The controller also makes sure that the information is provided in a multi-channel manner, providing video clips to explain the most important points of the information.

The privacy policy cannot be difficult for data subjects to access. The privacy policy is thus made available and visible on all internal web-pages of the site in question, so that the data subject is always only one click away from accessing the information. The information provided is also designed in accordance with the best practices and standards of universal design to make it accessible to all.

Moreover, necessary information must also be provided in the right context, at the appropriate time. This means, that generally a privacy policy on the website alone is not sufficient for the controller to meet the requirements of transparency. The controller therefore designs an information flow, presenting the data subject with relevant information within the appropriate contexts using e.g. informational snippets or pop-ups. For example, when asking the data subject to enter personal data, the controller informs the data subject of how the personal data will be processed and why that personal data is necessary for the processing.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

(EN) Examples of fairness considerations:

Example 1

A controller operates a search engine that processes mostly user-generated personal data. The controller benefits from having large amounts of personal data and being able to use that personal data for targeted advertisements. The controller therefore wishes to influence data subjects to allow extensive collection and use of their personal data.

When implementing the fairness principle, taking into account the nature, scope, context and purpose of the processing, the controller realizes that they cannot present the options in a way that nudges the data subject in the direction of allowing the controller to collect more personal data than if the options were presented in an equal and neutral way. This means that they cannot present the processing options in such a manner that makes it difficult for data subjects to abstain from sharing their data, or make it difficult for the data subjects to adjust their privacy settings and limit the processing. The default options for the processing must be the least invasive, and the choice for further processing must be presented in a manner that does not deter the data subject from abstaining.

Example 2

Another controller processes personal data for the provision of a streaming service where users may choose between a regular subscription of standard quality and a premium subscription with higher quality. As part of the premium subscription, subscribers get prioritized customer service. With regard to the fairness principle, the prioritized customer service granted to premium subscribers cannot discriminate other data subjects’ rights according to the GDPR Article 12. This means that although the premium subscribers get prioritized service, such prioritization cannot result in a lack of appropriate measures to respond to request from regular subscribers without undue delay and in any event within one month of receipt of the requests.

Prioritized customers may pay to get better service, but all data subjects shall have equal and indiscriminate access to enforce their rights and freedoms according to the GDPR.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

(EN) Examples of purpose limitation

Example

The controller processes personal data about its customers. The purpose of the processing is to fulfil a contract, i.e. to be able to deliver goods to the correct address and obtain payment. The personal data stored is the purchase history, name, address, e-mail address and telephone number.

The controller is considering buying a Customer Relationship Management (CRM) product that gathers all the customer data such as sales, marketing and customer service in one place. The product gives the opportunity of storing all phone calls, activities, documents, emails and marketing campaigns to get a 360-degree view of the customer. Ultimately the CRM automatically analyses the customers’ purchasing power by using public information. The purpose of the analysis is to target the advertising better but is not a part of the original lawful purpose of the processing.

To be in line with the principle of purpose limitation, the controller requires the provider of the product to map the different processing activities using personal data with the purposes relevant for the controller. Another requirement is that the product shall be able to flag which kind of processing activities using personal data that is not in line with the legitimate purposes of the controller.

After receiving the results of the mapping, the controller assesses whether the new marketing purpose and the targeted advertisement purpose are within the contractual purposes or if they need another legal ground for this processing. Alternatively the controller could choose to not make use of this functionality in the product.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

(EN) Examples of data minimisation

Example 1

A bookshop wants to add to their revenue by selling their books online. The bookshop owner wants to set up a standardised form for the ordering process. To prevent that customers don’t fill out all the necessary information the bookshop owner makes all of the fields in the form a required field (if you don’t fill out all the fields the customer can’t place the order) using a standard contact form. The webshop owner initially uses a standard contact form, which asks the customer’s date of birth, phone number and home address. However, not all the fields in the form are strictly necessary for the purpose of buying and delivering the books. The data subject’s date of birth and phone number are not necessary for the purchase of the product. This means that these cannot be required fields in the web form to order the product. Moreover, there are situations where an address will not be necessary. For example, when ordering an eBook the customer can download the product and his or her address does not need to be processed by the webshop.

The webshop owner therefore decides to make two web forms: one for ordering books, with a field for the customer’s address and one web form for ordering eBooks without a field for the customer’s address.

Example 2

A public transportation company wishes to gather statistical information based on travellers’ routes. This is useful for the purposes of making proper choices on changes in public transport schedules and proper routings of the trains. The passengers must pass their ticket through a reader every time they enter or exit a means of transport. Having carried out a risk assessment related to the rights and freedoms of passengers’ regarding the collection of passengers’ travel routes, the controller establishes that it is possible to identify the passengers based on the ticket identifier. Therefore, since it is not necessary for the purpose of optimizing the public transport schedules and routings of the trains, the controller does not store the ticket identifier. Once the trip is over, the controller only stores the individual travel routes so as to not be able to identify trips connected to a single ticket, but only retains information about separate travel routes.

In cases where there can be a risk of identifying a person solely by their travel route (this might be the case in remote areas) the controller implements measures to aggregate the travel route, such as cutting the beginning and the end of the route.

Example 3

A courier aims at assessing the effectiveness of its deliveries in terms of delivery times, workload scheduling and fuel consumption. In order to reach this goal, the courier has to process a number of personal data relating to both employees (drivers) and customers (addresses, items to be delivered, etc.). This processing operation entails risks of both monitoring employees, which requires specific legal safeguards, and tracking customers’ habits through the knowledge of the delivered items over time. These risks can be significantly reduced with appropriate pseudonymization of employees and customers. In particular if pseudonymization keys are frequently rotated and macro areas are considered instead of detailed addresses, an effective data minimization is pursued, and the controller can solely focus on the delivery process and on the purpose of resource optimization, without crossing the threshold of monitoring individuals’ (customers’ or employees’) behaviours.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

(EN) Examples of the measures ensuring data accuracy

Example 1

A bank wishes to use artificial intelligence (AI) to profile customers applying for bank loans as a basis for their decision making. When determining how their AI solutions should be developed, they are determining the means of processing and must consider data protection by design when choosing an AI from a vendor and when deciding on how to train the AI.

When determining how to train the AI, the controller must have accurate data to achieve precise results. Therefore, the controller must ensure that the data used to train the AI is accurate.

Granted they have the legal basis to train the AI using personal data from a large pool of their existing customers, the controller chooses a pool of customers that is representative of the population to also avoid bias.

Customer data is gathered from their own systems, gathering data about the existing loan customers’ payment history, bank transactions, credit card debt, they conduct new credit checks, and they gather data from public registries that they have legal access to use.

To ensure that the data used for AI training is as accurate as possible, the controller only collects data from data sources with correct and up-to date information.

Finally, the bank tests whether the AI is reliable and provides non-discriminatory results. When the AI is fully trained and operative, the bank uses the results as a part of the loan assessments, and will never rely solely on the AI to decide whether to grant loans.

The bank will also review the reliability of the results from the AI at regular intervals.

Example 2

The controller is a health institution looking to find methods to ensure the integrity and accuracy of personal data in their client registers.

In situations where two persons arrive at the institution at the same time and receive the same treatment, there is a risk of mistaking them if the only parameter to separate them is by name. To ensure accuracy, the controller needs a unique identifier for each person, and therefore more information than just the name of the client.

The institution uses several systems containing personal information of clients, and need to ensure that the information related to the client is correct, accurate and consistent in all the systems at any point in time. The institution has identified several risks that may arise if information is changed in one system but not another.

The controller decides to mitigate the risk by using a hashing technique that can be used to ensure integrity of data in the treatment journal. Immutable hash signatures are created for treatment journal records and the employee associated with them so that any changes can be recognized, correlated and traced if required.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

(EN) Example of storage limitation

The controller collects personal data where the purpose of the processing is to administer a membership with the data subject, the personal data shall be deleted when the membership is terminated.

The controller makes an internal procedure for data retention and deletion. According to this, employees must manually delete personal data after the retention period ends. The employee follows the procedure to regularly delete and correct data from any devices, from backups, logs, e-mails and other relevant storage media.

To make deletion more effective, the controller instead implements an automatic system to delete data automatically and more regularly. The system is configured to follow the given procedure for data deletion which then occurs at a predefined regular interval to remove personal data from all of the company’s storage media. The controller reviews and tests the retention policy regularly.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

(EN) Example of integrity and confidentiality measures

A controller wants to extract personal data from a medical database to a server in the company. The company has assessed the risk for routing the extracts to a server that is accessible to all of the company’s employees as likely to be high for data subjects’ rights and freedoms. There is only one department in the company who needs to process these patient data. The extracts will also have a high value to the company.

To regulate access and mitigate possible damage from malware, the company decides to segregate the network, and establish access controls to the server and the directory. In addition, they put up security monitoring and an intrusion detection and prevention system. The controller activates access control on the server and isolates it from routine use. An automated auditing system is put in place to monitor access and changes. Reporting and automated alerts are generated from this when certain events related to usage are configured. This security measure will ensure that all users have access on a need to know basis and with the appropriate access level. Inappropriate use can be quickly and easily recognised.

Some of the extracts have to be compared with new extracts, and must therefore be stored for three months. The controller decides to put them into separate directories and encrypt the stored extracts.

Handling the incident makes the system more robust, and reliable, both for the controller and the data subjects. The data controller understands that preventative and effective measures and safeguards should be built into all personal data processing undertakes now and in the future, and that doing so may help prevent future such data breach incidents.

The controller establishes these security measures both to ensure accuracy, integrity and confidentiality, but also to prevent malware spread by cyber-attacks to make the solution robust.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).