Article 25 GDPR
Consideration of data protection in the design phase and default data protection

1. Taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of violation of the rights or freedoms of natural persons of varying probability and severity arising from the processing, the controller, both in determining the means of processing and at the time of the processing itself, shall implement appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement data protection principles, such as data minimization, and to give the processing the necessary safeguards to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organizational measures so that, by default, only those personal data are processed that are necessary to achieve each specific purpose of processing. This obligation refers to the amount of personal data collected, the extent of its processing, the period of its storage and its availability. In particular, these measures ensure that, by default, personal data is not made available to an unspecified number of individuals without the person's intervention.

3. Compliance with the obligations referred to in paragraphs 1 and 2 of this Article may be demonstrated, inter alia, by implementing the approved certification mechanism specified in Article 42.