Corporate Social Responsibility (CSR) Project

The Research

Our objective at the European Centre on Privacy & Cybersecurity (ECPC) is to trigger virtuous data protection competition between companies by creating an environment that identifies and promotes data protection as an asset which can be used to help companies to responsibly further their economic targets. This can be accomplished through the development of a new dimension of data protection that goes beyond legal compliance, transforming data protection into a new form of Corporate Social Responsibility (Data Protection as a Corporate Social Responsibility). 

The Project

The Maastricht University Data Protection as a Corporate Social Responsibility (MU DPCSR) Project successfully translates theoretical ethical principles into tangible and practical guidelines to build a solid framework for organizations to apply in order to foster transparency, accountability, fair, secure and sustainable data processing activities that positively contribute to the greater good.

The Project at the European Centre on Privacy & Cybersecurity has a duration of two years (2020-2021) and aims to foster virtuous compliance that goes beyond what is strictly prescribed in the law.

The Outcome

Preliminary research has led to the identification of five key high-level principles of the Maastricht University Data Protection as a Corporate Social Responsibility Framework and a draft Framework consisting of fifteen rules that accompany the five principles.

ECPC is now advancing in the research process and  working to develop further concrete, measurable and translatable guidance for organisations in order to answer the following questions: 

  •  What are the fundamental requirements of socially responsible data processing activities?
  •  How can companies reconstruct Data Protection into an effective CSR framework?
  •  What are the benefits for companies that embrace data protection as a CSR?


The first phase of the Project (Phase 1), going from 5 principles to 15 rules, commenced in January 2020 and ended in December 2020.

The second phase of the Project (Phase 2), going from 5 principles and 15 rules to 25 rules, commenced in January 2021 and ended in December 2021.

On 16 March 2022, the first official output of the UM-DPCSR project was made available on the ECPC website.

Paolo Balboni

This Research Project is the natural continuation of what was anticipated by Professor Paolo Balboni in his inaugural lecture entitled “Personal Data Protection as a New Competitive Edge: Generating Socially Responsible Corporate Behaviour”.

  View the inaugural lecture here

If you are interested – as Stakeholder – in participating in or knowing more about this research project, please contact Prof. Paolo Balboni