With few exceptions the GDPR has been adopted identicallly throughout Europe. In Spain, the Spanish Privacy Authority has had its say on the general principle of data protection by default, a concept in the abstract clear but difficult to decline in practice:
According to the Spanish Privacy Authority the data controller (the company) must, by default, process only the data necessary for each specific processing purpose. Exactly the opposite of when, in the online form, you see that the box for receiving the newsletter is "preflagged".
The Spanish Privacy Guarantor's guide [https://www.aepd.es/sites/default/files/2020-10/guia-proteccion-datos-por-defecto.pdf] offers a practical vision to help apply this principle to data processing in accordance with the provisions of the GDPR and the guidelines adopted by the European Data Protection Committee.
The addressees of this document are data controllers, DPOs but also developers or providers, insofar as they provide products and services to data controllers and seek to ensure that they comply with the requirements of the GDPR.
The concept of privacy by default imposes the need to segment the use of the set of data between different processing operations and between the different stages of processing, so that not all operations carried out as part of a processing operation are performed on all data, but only on those that are necessary and at times when it is strictly necessary.
The treatment must be minimally intrusive (minimum amount of personal data, minimum extent of treatment, minimum storage period and minimum accessibility to personal data) and without the need for intervention of the person whose data are processed.
The execution of these measures focuses on optimization, configurability and limitation strategies.
The objective of optimization is to analyze the processing from the point of view of data protection, which means applying measures in relation to the amount of data collected, the extent of processing, their storage and accessibility.
The second strategy is the configuration of services, systems or applications, which must make it possible to establish parameters or options that determine how the processing is to be carried out, and which are likely to be modified by the company and also by the user.
Finally, the limitation ensures that, by default, the processing is as respectful of privacy as possible, so that the configuration options are adequate, to those parameters that limit the amount of data collected, the extent of processing, its storage and its accessibility.
The guide also contains an operational and editable document with the measures to be adopted for the implementation of the default data protection strategies in Spanish and also includes a chapter on documentation and auditing, necessary to demonstrate compliance with the standard.
The principle of privacy by default does not derive from the result of an analysis of the risks to rights and freedoms, but are measures and guarantees that must be established every time there is a processing of personal data.