Volltext-Downloads (blau) und Frontdoor-Views (grau)

Effective data protection by design through interdisciplinary research methods: The example of effective purpose specification by applying user-Centred UX-design methods

  • While the recent discussion on Art. 25 GDPR often considers the approach of data protection by design as an innovative idea, the notion of making data protection law more effective through requiring the data controller to implement the legal norms into the processing design is almost as old as the data protection debate. However, there is another, more recent shift in establishing the data protection by design approach through law, which is not yet understood to its fullest extent in the debate. Art. 25 GDPR requires the controller to not only implement the legal norms into the processing design but to do so in an effective manner. By explicitly declaring the effectiveness of the protection measures to be the legally required result, the legislator inevitably raises the question of which methods can be used to test and assure such efficacy. In our opinion, extending the legal compatibility assessment to the real effects of the required measures opens this approach to interdisciplinary methodologies. In this paper, we first summarise the current state of research on the methodology established in Art. 25 sect. 1 GDPR, and pinpoint some of the challenges of incorporating interdisciplinary research methodologies. On this premise, we present an empirical research methodology and first findings which offer one approach to answering the question on how to specify processing purposes effectively. Lastly, we discuss the implications of these findings for the legal interpretation of Art. 25 GDPR and related provisions, especially with respect to a more effective implementation of transparency and consent, and provide an outlook on possible next research steps.

Download full text files

Export metadata

Additional Services

Search Google Scholar Check availability


Show usage statistics
Document Type:Article
Author:Max von Grafenstein, Timo Jakobi, Gunnar Stevens
Parent Title (English):Computer Law & Security Review
Article Number:105722
Number of pages:22
Publishing Institution:Hochschule Bonn-Rhein-Sieg
Date of first publication:2022/08/09
Copyright:© 2022 Max von Grafenstein, Timo Jakobi, Gunnar Stevens. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license.
Keyword:Data protection by design; Effective purpose specification; GDPR; HCI; UXD
Departments, institutes and facilities:Fachbereich Wirtschaftswissenschaften
Institut für Verbraucherinformatik (IVI)
Dewey Decimal Classification (DDC):0 Informatik, Informationswissenschaft, allgemeine Werke / 00 Informatik, Wissen, Systeme / 005 Computerprogrammierung, Programme, Daten
Entry in this database:2022/09/02
Licence (German):License LogoCreative Commons - CC BY-NC-ND - Namensnennung - Nicht kommerziell - Keine Bearbeitungen 4.0 International