In November 2019, the EDPB opened its consultation on the Draft Guidelines regarding Data Protection by Design and by Default. Bitkom welcomes the opportunity to comment on the Guidelines, as we believe that more cooperation and exchange between data protection authorities and practitioners is needed to translate the legal text of the GDPR into practice and reduce legal uncertainty. We therefore appreciate that the EDPB published the draft Guidelines to provide clarity for scope and interpretation of Article 25 GDPR. We welcome that the Guideline show that the Principles of Data Protection by Design and by Default embody, above all, the principles of Art. 5 and 6 GDPR and the risk based approach. Also, the distinction between Art. 25 (1) and Art. 25 (2) is helpful as it clarifies that para 1 addresses the procedural consideration of data protection in the development and implementation of new data processing systems, whereas Art. 25 (2) describes a substantive legal requirement (data minimisation) and refers to a specific application, namely that of the setting options for users. It is our understanding that para 2 can be seen as an explanation or specification of Art. 5 (1) lit. c).
The given interpretation of Art. 25 (1) deserves closer examination though and we provide detailed comments on how to find a more practical approach in our Position Paper, which can be downloaded below.