Privacy by Design
According to Art. 7 para. 1 FADP, those responsible are obliged to organise data processing technically and organisationally in such a way that data protection regulations are complied with. For example, during a data protection audit at a fundraising company, I objected to the fact that call centre employees had a general ‘Comments’ field on their online form where they could enter any information they wanted. A free-text field of this kind is particularly likely to lead to a violation of the principle of proportionality. The fields in the form may only be available for precisely defined information related to fundraising.
Privacy by Default
Privacy by design in accordance with Art. 7 para. 1 FADP also includes privacy by default in accordance with Art. 7 para. 3 FADP. According to this provision, data controllers are obliged to ensure, by means of appropriate default settings, that the processing of personal data is limited to the minimum necessary for the intended purpose, unless the data subject specifies otherwise. This rule applies in particular to the acceptance of cookies on the internet. If the default settings are accepted, only cookies that are absolutely necessary for the service may be set (e.g. cookies for recognition when switching to the ‘shopping basket’). However, the user can accept other cookies in the ‘settings’ of the website (e.g. for the general display of social media content).
