In some GDPR provisions, the applicability of the provision or measures of the controller depend on the state of the art or available technology:

Art. 17 II: “Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology […], shall take reasonable steps […].

 

Art. 25 I: “Taking into account the state of the art […] the controller shall […] implement appropriate technical and organisational measures […].”

 

Art. 32 I: “Taking into account the state of the art […] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […].” [see Rec. 83 (2)]

 

Rec. 26 (4): On the question of whether a person is identifiable “the available technology at the time of the processing and technological developments” have to be taken into consideration.

 

Rec. 78 (4): “When developing, designing, selecting and using applications, services and products […] producers of the products, services and applications should be encouraged to take into account the right to data protection […] and with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”

 

Rec. 84 (3): “Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.” [see also Rec. 94 (1)]

In German national law, the state of the art may be taken into account according to §§ 22 II 2 BDSG (German Data Protection Act).