Art. 25 introduces two general data protection requirements: data protection by design (Art. 25 para. 1) and data protection by default (Art. 25 para. 2). Data protection by design requires that data controllers adopt appropriate technical and organizational measures and necessary safeguards to implement data protection principles, protect the rights of data subjects, and meet the requirements imposed by the GDPR. Data protection by default requires that data controllers adopt measures to ensure that each processing operation is limited to what is necessary, under normal circumstances, to the purposes of the processing, as long as no justified specific initiative to the contrary is adopted.

The two principles are connected; indeed, data protection by default has been viewed as a specific aspect of a proactive/risk-prevention approach to data protection, often identified under the term “privacy by design.” Such principles are based on the idea that data protection should be built into the very structure of information systems, the latter being understood as sociotechnical systems, in which machines and humans are integrated through organisational arrangements. This explains why the measures at stake may be technical, such as pseudonymisation or anonymisation, as well as organisational, such as the adoption of specific training for personnel involved in processing operations. Both principles are based on the idea that the functioning of an information system – and, in particular, the way in which it affects data subjects – primarily depends on its architecture. Effective protection can only be guaranteed if risk prevention measures are adopted during design and deployment.