GDPR Art. 25

General Data Protection Regulation (EU 2016/679)

Adam Lundqvist
Founder at SQUR · last verified 2026-06-19

Regulation text (abridged from Art. 25(1) and Art. 25(2))

Art. 25(1): [...] the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner [...]

Art. 25(2): The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. [...]
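The two measures the article names, pseudonymisation and data minimisation by default, are concrete enough to show in code. The block below is an added example written for this page, not code from SQUR or from any regulatory guidance. The purposes ("shipping", "analytics"), their field sets, the sample record and the choice of HMAC-SHA256 with a separately held key as the pseudonymisation function are all assumptions made for the illustration; the point is the shape of the pipeline: the direct identifier is replaced by a keyed pseudonym before any purpose-specific code runs, and each purpose receives only the fields it has declared, with everything else dropped by default.

```python
import hashlib
import hmac
import secrets
from collections.abc import Callable
from typing import Any

# Fields that identify a person directly. They are removed before any
# purpose-specific processing sees the record.
DIRECT_IDENTIFIERS: frozenset[str] = frozenset({"email", "full_name", "phone"})

# Hypothetical purposes and the minimal field set each one needs (an
# assumption for this example, not something the regulation prescribes).
# "pseudonym" replaces the e-mail address; "signup_year" is a coarsened
# form of "signup_date" computed on demand.
PURPOSE_FIELDS: dict[str, frozenset[str]] = {
    "shipping": frozenset({"pseudonym", "postal_code", "country"}),
    "analytics": frozenset({"pseudonym", "country", "signup_year"}),
}

# Generalisations: derived fields that carry less detail than their source.
DERIVED_FIELDS: dict[str, Callable[[dict[str, Any]], Any]] = {
    "signup_year": lambda r: int(r["signup_date"][:4]),
}

# Constructed sample input for the demo; not real personal data.
SAMPLE_RECORD: dict[str, Any] = {
    "email": "Jane.Doe@Example.org",
    "full_name": "Jane Doe",
    "phone": "+46 70 000 00 00",
    "postal_code": "111 22",
    "country": "SE",
    "signup_date": "2024-03-09",
}


def new_pseudonymisation_key() -> bytes:
    """Key for the pseudonym HMAC. Keep it apart from the pseudonymised
    data (KMS, secrets manager): whoever holds both can re-link records
    to people, which is exactly what pseudonymisation is meant to make hard."""
    return secrets.token_bytes(32)


def pseudonym_for(email: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same person maps to the same
    token across records, but without the key nobody can reverse it or
    precompute tokens for a list of known addresses (a plain hash would
    allow that)."""
    normalised = email.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Replace the e-mail address with its pseudonym and drop every other
    direct identifier."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = pseudonym_for(record["email"], key)
    return out


def minimise(record: dict[str, Any], purpose: str) -> dict[str, Any]:
    """Keep only the fields declared for the purpose (data minimisation by
    default). Unknown purposes and purposes that ask for a direct
    identifier fail closed instead of passing the record through."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no field set declared for purpose {purpose!r}")
    wanted = PURPOSE_FIELDS[purpose]
    forbidden = wanted & DIRECT_IDENTIFIERS
    if forbidden:
        raise ValueError(
            f"purpose {purpose!r} asks for direct identifiers {sorted(forbidden)}"
        )
    out: dict[str, Any] = {}
    for field in sorted(wanted):
        if field in record:
            out[field] = record[field]
        elif field in DERIVED_FIELDS:
            out[field] = DERIVED_FIELDS[field](record)
        # A wanted field absent from the record is simply not present:
        # nothing is fabricated and nothing extra is passed along.
    return out


def prepare_for(record: dict[str, Any], purpose: str, key: bytes) -> dict[str, Any]:
    """The default path every consumer goes through: pseudonymise first,
    then cut the record down to what the purpose needs."""
    return minimise(pseudonymise(record, key), purpose)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for purpose in PURPOSE_FIELDS:
        print(purpose, prepare_for(SAMPLE_RECORD, purpose, key))
```

Two caveats a practitioner should keep in mind. The pseudonym is deterministic on purpose, so that records about the same person can be joined; that same property means pseudonymised data is still personal data under the GDPR (Recital 26), and the key must be held by a different party or system than the data it was applied to. And the field allowlist only enforces minimisation if `prepare_for` is the only way a consumer obtains a record: a second code path that reads the raw store bypasses it entirely.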

ATT&CK techniques this article tests · 15

Art. 25 is technology-neutral: it names pseudonymisation and data minimisation as examples and prescribes no specific control. Each mapping below is therefore an interpretation of what "appropriate technical and organisational measures" means against that technique, not a requirement the article states.

Technique · Confidence · Why it maps
T1001 Data Obfuscation · 80% · Attackers obfuscate data to evade detection during collection or exfiltration. Technical measures under Art. 25 are only effective if they also catch personal data leaving in disguised form, not just in the clear.
T1003 OS Credential Dumping · 90% · Attackers dump credentials to gain unauthorised access to personal data. Art. 25 calls for appropriate technical measures against such access.
T1005 Data from Local System · 90% · Attackers collect personal data directly from compromised hosts. Data minimisation and protection by design under Art. 25 limit what is there to take.
T1011 Exfiltration Over Other Network Medium · 80% · Attackers exfiltrate personal data over a network medium other than the primary command and control channel. Art. 25 calls for technical measures against unauthorised data transfers.
T1012 Query Registry · 70% · Attackers query the Windows Registry to discover configuration relevant to data access. Art. 25 implies secure configuration as part of data protection by design.
T1016 System Network Configuration Discovery · 70% · Attackers map network configuration to locate systems holding personal data. Art. 25 calls for organisational measures that secure the data environment.
T1021 Remote Services · 80% · Attackers use remote services to reach systems holding personal data. Under Art. 25 the appropriate technical measures are, in practice, secure configuration and access control that prevent unauthorised remote access.
T1027 Obfuscated Files or Information · 80% · Attackers obfuscate files to hide malicious activity or staged data. Art. 25's technical measures have to detect and prevent such covert activity.
T1033 System Owner/User Discovery · 70% · Attackers identify system owners and users to target accounts with access to personal data. Art. 25 requires robust access management.
T1036 Masquerading · 70% · Attackers make malicious artefacts look legitimate to reach personal data. Under Art. 25 the appropriate technical measures include authentication and authorisation controls.
T1041 Exfiltration Over C2 Channel · 90% · Attackers exfiltrate personal data over their command and control channel. Art. 25 calls for technical measures against unauthorised data outflow.
T1047 Windows Management Instrumentation · 70% · Attackers use WMI for execution, potentially to collect or exfiltrate personal data. Art. 25 implies secure system configuration.
T1048 Exfiltration Over Alternative Protocol · 80% · Attackers exfiltrate personal data over a protocol other than the command and control channel. Art. 25 calls for outflow prevention that covers every protocol, not only the expected ones.
T1053 Scheduled Task/Job · 70% · Attackers create scheduled tasks for persistent data collection or exfiltration. Art. 25 implies secure system configuration and monitoring.
T1071 Application Layer Protocol · 80% · Attackers use application layer protocols for command and control, often carrying exfiltrated data. Art. 25 calls for network security measures against unauthorised data transfer.

Defending mitigations · 7

Mitigation · Confidence · What it does
M1041 Encrypt Sensitive Information · 90% · Encryption protects personal data at rest and in transit. Alongside pseudonymisation it is the kind of technical measure Art. 25 names for implementing data-protection principles.
M1032 Multi-factor Authentication · 80% · MFA strengthens access control and prevents unauthorised access to systems holding personal data, an appropriate technical measure in Art. 25's sense.
M1018 User Account Management · 80% · Only the accounts that are needed exist, with minimal privileges, which supports access control and the by-default limit on accessibility in Art. 25(2).
M1026 Privileged Account Management · 90% · Restricting and monitoring privileged accounts limits the risk of unauthorised access to sensitive personal data.
M1030 Network Segmentation · 80% · Isolating systems that hold personal data limits the scope of a breach, supporting data protection by design.
M1035 Limit Access to Resource Over Network · 90% · Only the people and systems that need personal data can reach it; Art. 25(2) requires accessibility to be limited by default.
M1057 Data Loss Prevention · 90% · DLP detects and blocks unauthorised exfiltration of personal data, a technical measure against data outflow under Art. 25.

Underlying weaknesses · 7

CWE · Confidence · Why it maps
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor · 90% · Personal data reaching a party who should not see it is the outcome Art. 25's protection by design and by default exists to prevent.
CWE-269 Improper Privilege Management · 80% · Inadequate privilege management allows unauthorised access to personal data, at odds with Art. 25's appropriate technical and organisational measures.
CWE-284 Improper Access Control · 90% · Flawed access control enables unauthorised processing of personal data and undermines the data-protection principles Art. 25 is meant to implement.
CWE-311 Missing Encryption of Sensitive Data · 70% · Personal data stored or sent without encryption lacks a basic technical measure against disclosure and is readable to anyone who reaches the storage or the wire.
CWE-319 Cleartext Transmission of Sensitive Information · 90% · Transmitting personal data in cleartext fails to implement appropriate technical measures for its protection.
CWE-522 Insufficiently Protected Credentials · 80% · Weak credential protection lets attackers reach systems and the personal data on them, conflicting with Art. 25's security requirements.
CWE-922 Insecure Storage of Sensitive Information · 90% · Storing personal data insecurely is a fundamental failure of data protection by design and by default.

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0185 compute · voice-rubric self-validated