Skip to main content

Article 16 — Data Protection by Design and by Default

  1. Taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures designed to implement the data protection principles set out in this Code in an effective manner and to integrate the necessary safeguards into the processing.
  2. Such measures shall include, but are not limited to:
    1. pseudonymisation and, where feasible, anonymisation of personal data at the earliest possible stage of processing;
    2. minimisation of the personal data collected and processed, so that only data which is necessary for the specific purpose is obtained;
    3. the application of access controls that restrict the processing of personal data to authorised personnel on a need-to-know basis;
    4. the separation of personal data from other categories of data where such separation enhances the protection of data subjects.
  3. The controller shall, by default, ensure that only personal data which is necessary for each specific purpose of the processing is processed. That obligation applies to:
    1. the amount of personal data collected;
    2. the extent of processing carried out;
    3. the period for which personal data is stored;
    4. the accessibility of personal data, including ensuring that personal data is not made accessible without the individual's intervention to an indefinite number of natural persons.
  4. Given the digital-first nature of the Principality of Kaharagia and the absence of a physical territory, encryption of personal data and the use of secure communication protocols shall constitute the presumptive standard for all processing. A controller who does not employ encryption at rest and in transit shall bear the burden of demonstrating that an equivalent or superior level of protection is achieved by alternative measures.
  5. An approved certification mechanism pursuant to this Code may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1, 2, and 3 of this Article.