The Many Shades of Impact Assessments

An analysis of data protection by design in the case law of national supervisory authorities

Authors

  • Pierre Dewitte, KU Leuven Centre for IT & IP Law

DOI:

https://doi.org/10.26116/techreg.2024.018

Keywords:

GDPR, Accountability, Responsibility, Data protection by design, Case law review, decisions repository

Abstract

Data protection by design is one of the cornerstones of the reform that led to the adoption of the GDPR. Yet, the very nature of that obligation, coupled with the broad wording used by the EU legislator, makes substantiating data protection by design particularly complex. This paper is the second part of a two-paper series that explores the intricacies of Article 25(1) GDPR. While the first entry delved into the history and role of data protection by design, this paper aims to clarify the material scope of that provision. It does so by analysing the three core components of Article 25(1) GDPR in light of the findings of a case law review spanning 177 administrative and judicial decisions issued by 26 supervisory authorities in 24 countries between the entry into force of the GDPR and 31 December 2023. That process exposed the role of data protection by design as a proxy to Fundamental Rights Impact Assessments and shed light on its added value in guaranteeing the flexibility and future-proofness of the Regulation.

Published

13-09-2024 — Updated on 18-09-2024

Section

Articles

How to Cite

Dewitte, P. (2024). The Many Shades of Impact Assessments: An analysis of data protection by design in the case law of national supervisory authorities. Technology and Regulation, 2024, 209-253. https://doi.org/10.26116/techreg.2024.018 (Original work published 2024)