These two principles are newly introduced by the GDPR. Essentially, they require that data protection issues have to be considered when conceptualising a new product or service or other envisaged processing activity (“Privacy by Design”) and that the default settings given by a producer or provider are generally data protection friendly (“Privacy by Default”).