> For the complete documentation index, see [llms.txt](https://doc.dastra.eu/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://doc.dastra.eu/en/useful-reminders/gdpr-key-concepts/privacy-by-design.md).

# Privacy by design and by default

### 🌍 Introduction

The principles of **privacy by design** and **privacy by default** are at the heart of the **GDPR**, set out in [Article 25](https://gdpr-info.eu/art-25-gdpr/). They aim to ensure that **personal data protection** is integrated **from the design phase of a project**, and that **default settings** respect the highest possible level of privacy.

> 🎯 Objective: prevent risks before they arise and demonstrate compliance at every stage of the data lifecycle.

***

### 🧩 Key definitions

#### 🧠 Privacy by Design

The data controller anticipates data protection **from the design phase** of a product, service or processing activity. ➡️ Action is taken **upfront**, before any data collection or deployment.

#### 🛡️ Privacy by Default

Default settings must guarantee the **highest possible level of protection**: only **strictly necessary** data is processed, and sharing or visibility options must be **disabled by default**.

#### ⚖️ Data minimisation

Process only data that is **adequate, relevant and limited** to the purpose.

#### 🔐 Integrity and confidentiality

Restrict access, ensure **confidentiality, integrity and availability** of data, and log all actions.

#### ⏳ Storage limitation

Plan **from the design phase** for the deletion, anonymisation or archiving of data at the end of its useful life.

***

### 🧭 Implementing Privacy by Design

The approach must be **continuous** and integrated into the **lifecycle of the processing**:

#### Key steps

1. **Identify the project**
   * Any new processing, tool or process change.
   * Alert the DPO from the study phase.
2. **Assess the impacts**
   * Map data and purposes.
   * Identify risks to individuals' rights and freedoms.
   * Launch a **DPIA** if necessary.
3. **Design appropriate measures**
   * Minimisation, compartmentalisation, encryption, pseudonymisation, logging.
   * Define retention periods, roles and access rights.
   * Plan mechanisms for the exercise of rights.
4. **Document compliance**
   * Include measures in the **record of processing activities**.
   * Archive evidence in the **audit trail**.
   * Justify decisions (proportionality, technology choices, etc.).
5. **Monitor and improve**
   * Audit processing activities regularly.
   * Update records and action plans.

***

### 🧱 Typical measures to integrate

| Objective           | Technical or organisational measure                       |
| ------------------- | --------------------------------------------------------- |
| Minimise data       | Selective collection, masking, automatic deletion         |
| Secure data flows   | Encryption, TLS, strong authentication, access management |
| Preserve rights     | Rights management portal (data subject requests, DSR), objection procedures |
| Ensure transparency | Privacy notices, access logs, clear documentation         |
| Ensure traceability | Processing logs, regular audits                           |
| Control retention   | Purge, anonymisation, secure intermediate archiving       |
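The table lists measures in the abstract; the following is an added Python example (not Dastra's code, nor anything from the GDPR text) that shows the four measures recurring on this page in working form: privacy-by-default settings where every sharing option starts off, purpose-bound data minimisation by allow-list, keyed pseudonymisation of a direct identifier, and retention-based purging with a logged audit trail. The field names, purposes, retention periods, record layout and the demo key are constructed assumptions for illustration only.

```python
"""Added example: privacy-by-default settings, purpose-bound minimisation,
keyed pseudonymisation and retention-based purging as plain Python helpers.
Field names, purposes and retention periods are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone


# Privacy by default: every sharing/visibility option starts disabled;
# the data subject (or controller) has to opt in explicitly.
@dataclass(frozen=True)
class AccountSettings:
    profile_public: bool = False
    share_with_partners: bool = False
    analytics_tracking: bool = False
    marketing_emails: bool = False


# Data minimisation: each documented purpose carries an explicit allow-list
# of fields (constructed). Anything not listed is dropped before processing.
PURPOSE_FIELDS = {
    "order_fulfilment": {"customer_id", "shipping_address", "items"},
    "newsletter": {"customer_id", "email"},
}

# Storage limitation: the retention period is fixed at design time, per purpose.
RETENTION = {
    "order_fulfilment": timedelta(days=365 * 3),
    "newsletter": timedelta(days=365),
}

AUDIT_LOG: list[dict] = []  # constructed in-memory audit trail


def log_action(action: str, **details) -> None:
    """Append one traceability entry (who/what would come from the caller)."""
    AUDIT_LOG.append(
        {"ts": datetime.now(timezone.utc).isoformat(), "action": action, **details}
    )


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the stated purpose needs; refuse undocumented purposes."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no documented purpose: {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    kept = {k: v for k, v in record.items() if k in allowed}
    log_action("minimise", purpose=purpose, dropped=sorted(set(record) - allowed))
    return kept


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Without the key the token can neither be reversed nor re-linked across
    datasets, so the key must be stored apart from the pseudonymised data.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def purge_expired(records: list[dict], now: datetime) -> list[dict]:
    """Return the records still inside their purpose's retention period, logging each deletion."""
    kept = []
    for r in records:
        if now - r["collected_at"] > RETENTION[r["purpose"]]:
            log_action("purge", record=r["id"], purpose=r["purpose"])
        else:
            kept.append(r)
    return kept


def demo() -> dict:
    """Run the measures end to end on constructed sample data."""
    key = b"constructed-demo-key-store-separately-from-data"
    raw = {  # constructed record containing more than the purpose needs
        "customer_id": "C-1001",
        "email": "a@example.org",
        "shipping_address": "1 Example St",
        "items": ["book"],
        "date_of_birth": "1990-01-01",
    }
    order = minimise(raw, "order_fulfilment")
    order["customer_id"] = pseudonymise(order["customer_id"], key)
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    stored = [  # constructed stored records with their collection dates
        {"id": "r1", "purpose": "newsletter", "collected_at": now - timedelta(days=400)},
        {"id": "r2", "purpose": "order_fulfilment", "collected_at": now - timedelta(days=400)},
    ]
    remaining = [r["id"] for r in purge_expired(stored, now)]
    return {"defaults": asdict(AccountSettings()), "order": order, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
    print(AUDIT_LOG)
```

The design point is that every decision is made before any data arrives: the settings class has no way to start with sharing enabled, `minimise` fails closed on a purpose nobody documented, and `purge_expired` needs no per-record judgement because the retention period was attached to the purpose at design time. The audit list stands in for whatever logging or evidence store the controller actually uses.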

***

### 🧠 Link with accountability

**Privacy by Design** flows directly from the [accountability principle (Article 5 GDPR)](https://gdpr-info.eu/art-5-gdpr/). The data controller must be able to **demonstrate compliance at any time**.

> 💬 This means: *"Not only being compliant, but being able to prove it."*

***

### ⚙️ Privacy by Design in Dastra

Dastra facilitates the practical implementation of **privacy by design** and **privacy by default** through its integrated modules:

#### 🔍 1. Identify risks

Create **targeted questionnaires** or **analysis templates** for each new project.

***

#### 🧮 2. Assess and document risks

Conduct **DPIAs** or **risk assessments** for each processing activity.

***

#### 📋 3. Plan compliance actions

Assign **remediation tasks**, track progress and automate follow-ups.

***

#### 🗂️ 4. Document in the record

Integrate security and governance measures into your **processing activity forms**, with evidence and logging.

***

### 🤖 Extension: Privacy by Design and responsible AI

**Privacy by Design** also applies to **AI system governance** (AI Act). Dastra allows you to link your **AI models** to their **data processing activities**, assess compliance and document **risk control measures**.

***

{% hint style="success" %}
💡 **Good practice:** Anticipate compliance from the design phase: involve the DPO, document decisions, assess risks and integrate privacy safeguards by default. Dastra helps you structure this approach and demonstrate it easily.
{% endhint %}

***

### 📘 For more information

{% content-ref url="/pages/HZ7BHBxW3vOIuUoFleaJ" %}
[Security measures](/en/useful-reminders/gdpr-key-concepts/security-measures.md)
{% endcontent-ref %}

{% content-ref url="/pages/-Lvfac70bYn9YDhTkikw" %}
[Record of processing activities (ROPA)](/en/useful-reminders/gdpr-key-concepts/record-of-processing-activities.md)
{% endcontent-ref %}


