DOMAIN:PRIVACY¶
OWNER: julian
UPDATED: 2026-03-18
SCOPE: all client projects processing personal data (virtually all)
GDPR:ART25 — Data Protection by Design and by Default¶
STANDARD: Regulation (EU) 2016/679, Article 25
STATUS: binding obligation — NOT aspirational
ENFORCEMENT_EXAMPLE: Sambla Group fined EUR 950,000 for Art. 25 violation
BY_DESIGN: integrate privacy into system architecture during design phase
BY_DEFAULT: without user config, only necessary personal data processed. extended retention/public visibility/optional sharing = disabled by default
ASSESSMENT_FACTORS (EDPB Guidelines 4/2019):
1. state of the art — dynamic, must stay current
2. cost of implementation — optimization factor, NOT excuse to lower protection
3. nature/scope/context of processing — what data, how much, how sensitive
4. risks to individuals — likelihood and severity
IMPLEMENTATION:
- privacy checkpoints in sprint cycles
- privacy-focused definition of done (feature handles PII? mini-DPIA done?)
- semgrep rules for PII logging, hardcoded emails
- default settings = most privacy-friendly option
HOEPMAN_8_STRATEGIES (Dutch privacy-by-design researcher, Radboud University):
1. MINIMIZE — limit processing to minimum needed
2. HIDE — protect from being visible or linkable
3. SEPARATE — process in distributed fashion
4. AGGREGATE — process at highest possible aggregation level
5. INFORM — adequately inform data subjects
6. CONTROL — provide adequate control over their data
7. ENFORCE — commit to privacy-friendly processing
8. DEMONSTRATE — prove privacy-friendly processing
GDPR:ART32 — Security of Processing¶
REQUIRED_MEASURES:
1. pseudonymisation and encryption
2. ongoing confidentiality, integrity, availability, resilience
3. ability to restore availability after incidents
4. regular testing and evaluation
MINIMUM_TECHNICAL_MEASURES:
CHECK: TLS 1.3 in transit (minimum)
CHECK: AES-256 at rest — PostgreSQL SSL connection != encryption at rest. need disk-level or column-level.
CHECK: MFA (increasingly treated as baseline by DPAs)
CHECK: RBAC with least privilege
CHECK: vulnerability scanning and patch management
CHECK: audit trails for data access
CHECK: automated breach detection
FINES_FOR_ART32_FAILURE:
- Capita plc: GBP 14M — inadequate security after cyber-attack (6.6M individuals)
- Advanced Computer Software: GBP 3.1M — FIRST FINE ON A DATA PROCESSOR (no MFA, no vuln scanning)
- Vodafone Germany: EUR 45M — security flaws in web portal
- Allium UPI: EUR 3M — basic cybersecurity failures, repeated unauthorized access (750k+)
GDPR:ART35 — DPIA¶
MANDATORY_WHEN:
- systematic extensive automated evaluation (profiling) with legal/similar effects
- large-scale special category data (Art. 9) or criminal data (Art. 10)
- systematic monitoring of publicly accessible area at large scale
REQUIRED_FOR_WEB_APPS:
- automated credit scoring / loan decisioning
- AI-powered recruitment or HR scoring
- behavioral profiling for advertising
- health data processing platforms
- large-scale user tracking and analytics
- ANY use of AI/ML processing personal data
DUTCH_DPA_MANDATORY_LIST (not exhaustive):
- large-scale monitoring of employee activities
- profiling/forecasting based on personal characteristics
- website visitor tracking used to create profiles
DUTCH_DPA (Autoriteit Persoonsgegevens)¶
BUDGET: EUR 49M/year (2025), 320 FTE
MONITORS: ~10,000 Dutch websites annually for cookie compliance
ENFORCEMENT_PRIORITIES_2024_2026:
1. algorithms / AI
2. Big Tech
3. data trading / brokering
4. digital government
5. unlawful online tracking
MAJOR_FINES:
Uber: EUR 290M (2024) — EU-US transfers without adequate safeguards
Uber: EUR 10M (2024) — driver data handling
Clearview AI: EUR 30.5M (2024) — illegal facial recognition
Experian: EUR 2.7M (2025) — transparency, lack of legal basis
10 Dutch municipalities: EUR 250K total (Feb 2026) — various failures
Dutch Tax Admin: formal criticism (Feb 2026) — shadow apps lacking security
COOKIE_CONSENT¶
LEGAL_BASIS: ePrivacy Directive (2002/58/EC) + Dutch Telecommunicatiewet
NOTE: ePrivacy Regulation was withdrawn Feb 2025 — Directive remains law
MANDATORY:
CHECK: no cookies set before consent — zero exceptions
CHECK: granular categories — analytics separate from marketing
CHECK: accept and reject buttons equally prominent — no dark patterns
CHECK: no pre-checked checkboxes
CHECK: consent logged with timestamp + policy version + specific categories
CHECK: withdrawal as easy as giving consent
CHECK: no cookie wall — site functional without consent (CJEU Planet49)
CHECK: Google Consent Mode = Basic Mode only (Advanced Mode legality uncertain)
CHECK: third-party scripts blocked until relevant category consented
CHECK: no dark patterns in banner (misleading colors, sizes, language)
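Added example (not code from the original page or from any client project): a small JavaScript consent gate that models the checks above, granular categories, nothing pre-checked, no third-party tag loaded until its category is consented, a log entry carrying timestamp + policy version + categories, and one-step withdrawal. The category names, policy version and tag URLs are constructed placeholders; the script loader is injected so the gate runs without a DOM.

```javascript
// Added example, not from the original page. Category names, policy version and tag URLs
// are constructed placeholders; the script loader is injected so the gate runs without a DOM.
const POLICY_VERSION = "2026-03"; // bump whenever the cookie policy text changes

// Third-party tags grouped by the category that must be consented before they may load.
const TAG_REGISTRY = {
  analytics: ["https://analytics.example/tag.js"],
  marketing: ["https://ads.example/pixel.js"],
};

class ConsentGate {
  constructor(loadScript) {
    this.loadScript = loadScript; // in a browser: (url) => append a <script src=url> to document.head
    this.loaded = new Set();
    this.log = [];                // append-only consent record: timestamp + policy version + categories
    this.consent = { analytics: false, marketing: false }; // nothing pre-checked, nothing loads before a choice
  }

  // Record a choice. Every optional category is stated explicitly, so "accept" cannot bundle
  // an unmentioned category; anything not set to true is treated as rejected.
  record(choices, now = new Date()) {
    const categories = {};
    for (const cat of Object.keys(TAG_REGISTRY)) categories[cat] = choices[cat] === true;
    this.consent = categories;
    const entry = { timestamp: now.toISOString(), policyVersion: POLICY_VERSION, categories };
    this.log.push(entry);
    this.applyConsent();
    return entry;
  }
  // Reject-all / withdraw-all is the same single step as accept-all (withdrawal as easy as consent).
  rejectAll(now) { return this.record({}, now); }
  acceptAll(now) {
    const all = {};
    for (const cat of Object.keys(TAG_REGISTRY)) all[cat] = true;
    return this.record(all, now);
  }
  // Load tags only for consented categories, each at most once. A tag already in the page cannot be
  // unloaded here, so withdrawal must also be honoured server-side and via the vendor's opt-out.
  applyConsent() {
    for (const [cat, urls] of Object.entries(TAG_REGISTRY)) {
      if (!this.consent[cat]) continue;
      for (const url of urls) {
        if (!this.loaded.has(url)) { this.loaded.add(url); this.loadScript(url); }
      }
    }
  }
  // Ask before setting any non-essential cookie or firing a tracking call.
  mayUse(category) { return this.consent[category] === true; }
}
```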
ENFORCEMENT:
- Dutch DPA warned 50 organizations April 2025
- plans to warn 500/year
- SHEIN: EUR 150M — ad cookies before consent
- Google France: EUR 100M — rejection harder than acceptance
- 97% of EU apps still had dark patterns in 2024
INTERNATIONAL_TRANSFERS¶
MECHANISMS:
1. adequacy decisions — no additional safeguards (US via DPF, UK, Japan, South Korea, Canada commercial, others)
2. SCCs (2021 version) — MUST pair with a TIA (transfer impact assessment)
3. BCRs — intra-group only
4. Art. 49 derogations — explicit consent, contractual necessity (narrow)
TIA_MANDATORY_WITH_SCCs:
- signing SCCs alone is NOT enough (Schrems II ruling)
- assess if destination country laws could compel disclosure violating EU rights
- document specific risk-mitigation steps
- CNIL published detailed TIA guidance Jan 2025
DPF_UNDER_THREAT:
- NOYB announced intent to challenge before CJEU
- lack of PCLOB (Privacy and Civil Liberties Oversight Board) quorum raises oversight concerns
- IF invalidated ("Schrems III") THEN revert to SCCs with enhanced measures
- Uber EUR 290M fine was specifically for inadequate US transfer safeguards
EDPB_GUIDELINES¶
4/2019 on Art. 25: Data Protection by Design = binding obligation
1/2024 on Legitimate Interest: NOT valid for cookie-related marketing
02/2023 on Art. 5(3) ePrivacy: almost every form of tracking requires consent
Opinion 22/2024 on Processors: increased documentation and auditing
Opinion 28/2024 on AI Models: legitimate interest CAN be basis for AI training but requires three-step assessment
Recommendations 2/2025: legal basis requirements for mandatory user accounts
COMMON_VIOLATIONS¶
MOST_FINED: insufficient legal basis, data minimization failure, insufficient security, insufficient privacy notices, insufficient DSR (data subject request) fulfillment
SOFTWARE_SPECIFIC: dark patterns (97% of EU apps 2024), cookie consent failures, web portal security, bundled consent
READ_ALSO: domains/eu-regulation/index.md, domains/security/index.md