Privacy by default requires that the protection of personal data be the default for all of an organisation's systems and services. The essence of this concept is that only the personal data necessary for each specific purpose of the processing are processed, and that data controllers must structure their systems and processes to implement the concept of data minimisation (Article 25(2), GDPR).