PAe - The AEPD publishes a guide to facilitate the practical application of data protection by default

The AEPD publishes a guide to facilitate the practical application of data protection by default

9 October 2020

  • The document offers a practical view that helps implement this principle in data processing, along the lines set out in the RGPD and in the guidelines adopted by the European Data Protection Board

The Spanish Data Protection Agency (AEPD) has published the Guide to Data Protection by Default (PDpD), which offers a practical view to help implement this principle in data processing, along the lines set out in the General Data Protection Regulation (RGPD) and in the guidelines adopted by the European Data Protection Board.

The document is intended for data controllers and data protection officers, as well as for the units or departments within the controller's organisation that are responsible for the design, selection, development, deployment and operation of applications and services. It is also recommended reading for suppliers, developers and processors that provide products and services to controllers and seek to comply with the PDpD requirements laid down in the Regulation.

The concept of privacy by default means that only the personal data strictly necessary and sufficient for each purpose of processing should be processed. Therefore, regardless of the body of data collected by the controller, the controller must segment the use of that data set between the different processing operations and between the different phases of processing, so that not every operation carried out within a processing activity is applied to all the data, but only to the data that may be required, and only for the time strictly necessary.

The RGPD requires controllers to apply a default configuration of processing that respects the data protection principles, favouring minimally intrusive processing (minimal amount of personal data, minimal extent of processing, minimal retention period and minimal accessibility of personal data). These minimums must be guaranteed without any intervention by the person whose data are processed.

The Guide discusses the measures to follow in order to implement data protection by default. As stated in the European Data Protection Board Guidelines on Article 25 on data protection by design and by default, the implementation of these measures is organised around three strategies: optimisation, configurability and restriction.

The aim of optimisation is to analyse the processing from a data protection perspective, so as to implement measures relating to the amount of data collected, the extent of the processing, its retention and its accessibility. The second strategy is the configurability of services, systems or applications, which should allow parameters or options to be set that determine how the processing is carried out, and which can be modified by the controller and even by the user. Finally, restriction ensures that, by default, the processing is the most privacy-respecting one: the configuration options are set by default to the values that limit the amount of data collected, the extent of processing, its retention and its accessibility.

A separate editable document with actions to implement the data protection by default strategy has also been included. In particular, it covers actions on the amount of personal data collected, the extent of processing, and the retention and accessibility of data. This section is also included in a separate table in the guide so that controllers can use it. In addition, the guide contains a chapter on the documentation and audit standards needed to demonstrate compliance with the rule. As the principle of proactive responsibility establishes, the controller must implement the measures necessary to ensure that the processing of data complies with the RGPD.

Conclusions

In the conclusions, the Agency recalls that PDpD is one of the proactive responsibility measures that integrates with the rest of the guarantees laid down in the Regulation, and that different approaches and alternatives may be chosen to implement this principle. It also highlights that controllers, as well as processors and developers, must bear the PDpD measures in mind within the limits of their obligations.

Another conclusion highlighted is that this principle must always be applied to any processing of personal data, regardless of its nature. The establishment of privacy-by-default measures is not the result of an analysis of the risks to rights and freedoms; rather, they are measures and guarantees that must be established in every case.

Original source of the news
