GDPR questions and answers

Category:
IT Security

Should the privacy-by-design principle also apply to existing software?

ANSWER

Yes. This is established by EDPB Guideline 4/2019: “The obligation to maintain, review and, where necessary, update processing operations also applies to pre-existing systems. This means that legacy systems designed before the entry into force of the GDPR must be reviewed and maintained to ensure the implementation of measures and safeguards that effectively implement the principles and the rights of data subjects, as set out in these guidelines. The scope of this obligation also includes all processing operations carried out by data processors. Processor operations should be subject to regular review and assessment by controllers to ensure that they allow for ongoing compliance with principles and allow the data controller to fulfil its obligations in this respect.”
