Privacy by Design, or the Principle of Designed Privacy (Art.25 GDPR) – is there an article, but there was no sanction?



As a rule, violation of the principle of designed privacy when creating an application entails other violations: for example, the rights of subjects or the principle of data minimization, and this is subject to serious penalties. And it turned out that the Supervisory authorities did not refer to article 25.

A year ago, the first precedent was discovered, where the national Supervisory authority for the protection of personal data in Romania referred to paragraph 1 of Аrticle 25. They accused the Unicredit Bank’s branch in Romania of violating the principles of Privacy by Design. They designed the payment system in such a way that they disclosed the personal data of hundreds of thousands of their customers.




The Romanian Supervisory authority said that 337 thousand personal data subjects who made payments from Unicredit, or payments where this Bank acted as an intermediary, actually shared unnecessary information with the recipients.

For example, you make a transfer via online banking to an individual and, of course, you would not want to disclose your residential address or mobile phone number to the recipient (i.e., excessive personal data).

The identification number was disclosed in the statements – this information was received by all beneficiaries of these payments. As a result, there was a disclosure of personal data, which means that Аrticle 5 – the principle of data minimization-was violated. However, the Supervisory authority came to the conclusion that here, first of all, the engineers and system administrators who designed this system and passed on unnecessary information to the beneficiaries didn’t work well.

The fine of 130,000 euros is not two percent of the turnover of the Romanian unit of Unicredit, but it is quite a serious warning to financial organizations, IT companies that act as contractors developing software for such institutions.

You can’t ignore the principles of Privacy by Design. The 2014 manual developed by the European Agency for information and network security, as well as the Norwegian Supervisory authority’s checklists, can provide guidance on this issue.

For those who do not have enough time to implement such privacy solutions, it is better not to wait for technical specialists to understand this topic well on their own, but to send them to the appropriate training.

We are preparing the second training Privacy by Design on November 17-18, 2020 (the first was held in November 2019). Strategic Privacy by Design is a unique master class by world-class privacy star Jason Cronk (USA).

Thanks to the master class, you will:

  • meet the world star in the field of privacy Jason Cronk;
  • learn how to apply the designed privacy methodology to your products and services;
  • learn about complex concepts through simple terms and examples;
  • get a card game to train with your colleagues;
  • understand how to make Privacy by Design a competitive advantage;
  • get a certificate of completion of training on designed privacy.

We have prepared a video in which we talk in detail about the GDPR fines for violating Privacy by Design.


Learn more

Palina Bertash
Palina Bertash
Marketing and Communications Manager
Siarhei Varankevich CIPP/E, CIPM, MBA
Siarhei Varankevich CIPP/E, CIPM, MBA, FIP
Certified Information Privacy Professional / Europe (CIPP/E) certification Certified Information Privacy Manager (CIPM) certification MBA IGC Bremen University of Applied Sciences
Founder of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
The course is loading, wait a few seconds