Chapter 4 · Controller and Processor

Article 25Data protection by design and by default

All 99 Articles Chapter 4: Controller and Processor

Privacy must be built into systems from the outset and as the default setting — minimising data, limiting access and applying safeguards by design rather than as an afterthought.

Key points

  • Design data protection into new products and processes.
  • Default settings should be the most privacy-protective.
Read the official text on EUR-Lex

Related articles

24Responsibility of the controller32Security of processing35Data protection impact assessment (DPIA)5Principles relating to processing of personal data
Learn the context
Practical guidance

These summaries are a plain-English orientation only and are not a substitute for the official text of the Regulation or for legal advice.

Need to apply Article 25?

Our data-protection lawyers turn the text into a plan.

Talk to a lawyer
Back to all articles