
Privacy by Default

When the General Data Protection Regulation entered into force on May 25, 2018, companies had to change their approach to privacy in many ways. One of the main principles that many entities struggled to grasp is set out in Article 25, “Data protection by design and by default”: privacy by default.


The general idea behind this principle is simple: by default (without user intervention), only data strictly essential for each specific processing purpose is processed. That applies to the amount of personal data collected, the extent of its processing, the period of its storage and its accessibility. In addition, any personal data provided by the user to enable a product's optimal use should only be kept for the time necessary to provide the product or service and erased right after it has been used. If more information than necessary to provide the service is disclosed, then the "privacy by default" principle has been breached.

In addition, it should be clear that no data traditionally viewed as sensitive or harmful should be gathered "by default" from consumers using online services. Under the GDPR, that kind of data includes:

  • data revealing racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health;
  • data concerning a natural person's sex life or sexual orientation.


It is easy to give an example of how this principle applies to a company’s operation. Imagine that a user signs up for a new social media account (be it Facebook, Twitter, Google Plus, etc.) and discovers that far more of his or her profile information has been shared by default than he or she expected. This is a clear breach of the regulation. For a social media account, the most essential information would be the name and the e-mail address provided by the user, but not the person’s age and location, for example.

Are you meeting the privacy by default requirement of the GDPR? What about the other sets of requirements that have an impact on legal, marketing and security clauses? We’ve developed a self-assessment tool that will help you quickly complete an internal audit before the authorities do. Check whether your GDPR compliance project is meeting all related requirements. Based on a set of questions and answers, GDPRQ generates a compliance evidence report that you can show to auditing authorities and that will also help you keep your GDPR progress on track. Check it now on


Website last modified: 2018.09.21