Ti	=	Article 25 - Data protection by design and by default
1.sec	=	Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of {_processing} as well as the risks of varying likelihood and severity for rights and freedoms of {_natural_persons} posed by the {_processing}, the {_controller} shall, both at the time of the determination of the means for {_processing} and at the time of the {_processing} itself, implement appropriate technical and organisational measures, such as {_pseudonymisation}, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the {_processing} in order to meet the requirements of this Regulation and protect the rights of {_data_subjects}.
2.sec	=	The {_controller} shall implement appropriate technical and organisational measures for ensuring that, by default, only {_personal_data} which are necessary for each specific purpose of the {_processing} are processed. That obligation applies to the amount of {_personal_data} collected, the extent of their {_processing}, the period of their storage and their accessibility. In particular, such measures shall ensure that by default {_personal_data} are not made accessible without the individual's intervention to an indefinite number of {_natural_persons}.
3.sec	=	An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
	=	[G/Z/ol/s3]