SIST EN 17529:2022

SLOVENSKI STANDARD
SIST EN 17529:2022
01-september-2022
Varstvo podatkov in zasebnosti z načrtovanjem in kot privzeto
Data protection and privacy by design and by default
Datenschutz by Design und als Grundeinstellung
Protection des données et de la vie privée dès la conception et par défaut
Ta slovenski standard je istoveten z: EN 17529:2022
ICS:
35.030 Informacijska varnost IT Security
SIST EN 17529:2022 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN 17529:2022

---------------------- Page: 2 ----------------------
SIST EN 17529:2022


EUROPEAN STANDARD EN 17529

NORME EUROPÉENNE

EUROPÄISCHE NORM
May 2022
ICS 35.030

English version

Data protection and privacy by design and by default
Protection des données et de la vie privée dès la Datenschutz by Design und als Grundeinstellung
conception et par défaut
This European Standard was approved by CEN on 5 December 2021.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
























CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2022 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN 17529:2022 E
reserved worldwide for CEN national Members and for
CENELEC Members.

---------------------- Page: 3 ----------------------
SIST EN 17529:2022
EN 17529:2022 (E)
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms, definitions and abbreviations . 6
3.1 Terms and definitions . 6
3.2 Abbreviated terms . 7
4 General. 7
4.1 Preparing the grounds for data protection and privacy by design and by default . 7
4.2 Structure for disassembling product and service into applicable categories . 8
4.2.1 Introduction . 8
4.2.2 Product perspectives . 9
4.2.3 Service elements . 9
4.3 Self-declaration and levels of achievement . 10
5 Privacy-aware development of products and services . 12
5.1 Leadership and market intelligence . 12
5.2 Preparation . 13
5.3 Design . 13
5.3.1 Determination of DPPbDD requirements . 13
5.3.2 Development . 14
5.3.3 Production and service provision . 15
5.3.4 Release of products and services . 15
5.4 Performance evaluation . 15
5.5 Improvement . 15
6 Data protection capability requirements on the design of products and services . 15
6.1 Access . 15
6.1.1 Access to data . 15
6.1.2 Copy of data . 16
6.2 Accountability . 16
6.3 Accuracy . 17
6.4 Data de-identification . 18
6.5 Data minimization . 19
6.6 Data portability . 20
6.7 Confidentiality . 21
6.8 Erasure. 23
6.9 Consent and Children . 24
6.9.1 Determination of user age . 24
6.9.2 Configurable children age threshold . 24
6.10 Information security . 25
6.10.1 Unauthorized or unlawful processing . 25
6.10.2 Data loss . 28
6.10.3 Information protection targets . 29
6.10.4 Restore . 29
6.11 Lawfulness . 30
2

---------------------- Page: 4 ----------------------
SIST EN 17529:2022
EN 17529:2022 (E)
6.11.1 Data disclosure . 30
6.11.2 Consent . 30
6.12 Objection to processing . 31
6.13 Automated decision making . 32
6.14 Restriction of processing . 32
6.15 Storage limitation . 33
6.16 Transparency . 34
6.16.1 Information . 34
6.16.2 Record of processing activities . 37
7 Requirements to the self-declaration of privacy-aware design . 38
7.1 Process requirements . 38
7.1.1 Preparation based on the product perspective and service element requirements . 38
7.1.2 Additional considerations related to DPIAs . 38
7.1.3 Determination of the level of achievement . 38
7.2 Self-declaration statement . 39
Annex A (informative) Applicability mapping between Clause 6 requirements and
perspectives or elements . 41
Annex B (informative) Approach for a specification . 53
Annex C (informative) Guidelines related to EN ISO 9001 . 55
Annex ZA (informative) Relationship between this European Standard and the data
protection by design and by default requirements of Regulation EU 2016/679 aimed
to be covered . 60
Bibliography . 62

3

---------------------- Page: 5 ----------------------
SIST EN 17529:2022
EN 17529:2022 (E)
European foreword
This document (EN 17529:2022) has been prepared by WG 5 “Data Protection, Privacy and Identity
Management” of the CEN/CENELEC JTC 13 “Cybersecurity and Data Protection”, the secretariat of which
is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by November 2022, and conflicting national standards shall
be withdrawn at the latest by November 2022.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document has been prepared as part of CEN/CLC JTC 13 work programme, not only as the first
deliverable called by mandate M/530 given to CEN and CENELEC by the European Commission, but also
to be generic enough to be applicable to a variety of domains other than the security industry, which was
in focus of the mandate.
For relationship with EU Regulation(s), see informative Annex ZA, which is an integral part of this
document.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United
Kingdom.
4

---------------------- Page: 6 ----------------------
SIST EN 17529:2022
EN 17529:2022 (E)
Introduction
0.1 General
This document provides the component and subsystems developers with an early formalized process for
identification of privacy objectives and requirements, as well as the necessary guidance on associated
assessment. It further provides support for understanding the cascaded liability and obligation of
manufacturers and service providers (Reference to GDPR and as applicable reference to Article 25, as
well as to rules applicable to governmental applications).
The General Data Protection Regulation, in its Art. Twenty-five charges data controllers, and implicitly
manufacturers, with implementing Data Protection by design and by default.
The aim of this document is to give requirements to manufacturers and/or service providers to
implement Data protection and Privacy by Design and by Default (DPPbDD) early in the development of
their products and services, i.e. before (or independently of) any specific application integration, to make
sure that they are as privacy ready as possible with regard to the anticipated markets.
The quality management system of EN ISO 9001 provides a process framework through which products
and services can incorporate Data protection and privacy by design. Annex C shows how EN ISO 9001 can
be interpreted and extended for use in this domain where necessary. Control objectives and requirements
have been derived from the General Data Protection Regulation, which the component manufacturer or
software sub-systems or sub-service provider may choose to address. These clauses are applicable to the
B2B market, since manufacturers composing these sub-components in larger systems will need to
understand the limits and capabilities of each component, as part of their system design. Finally, a self-
declaration mechanism is specified which can be used by component manufacturers and service
providers as part of their attestation to system integrators of the capabilities, protections and limitations
of that component or service.
For some purposes of processing and for some categories of personal data, a data protection impact
assessment (DPIA) according to EN ISO/IEC 29134 needs to be conducted and in addition to the
requirements given in this document, the treatment plan resulting from the DPIA needs to be fulfilled as
well.
This document is intended to be used by manufacturers, suppliers, hard- and software developers
providing products and services to system integrators who themselves intend to offer products and
services to be used by data controllers and data processors. It allows system integrators to select and
correctly use the offerings of sub-system and component suppliers and manufacturers when developing
systems that may have data protection requirements.
0.2 Compatibility with management system standards
This document applies the framework developed by CEN/CENELEC and ISO to improve alignment among
its Management System Standards. However, this document itself does not represent a Management
System standard.
This document supports an organization to align or integrate its development considerations on data
protection with the requirements of Management System standards.
5

---------------------- Page: 7 ----------------------
SIST EN 17529:2022
EN 17529:2022 (E)
1 Scope
This document specifies requirements for manufacturers and/or service providers to implement Data
protection and Privacy by Design and by Default (DPPbDD) early in their development of their products
and services, i.e. before (or independently of) any specific application integration, to make sure that they
are as privacy ready as possible. This document is applicable to all business sectors, including the security
industry.
2 Normative references
There are no normative references in this document.
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the following term and definitions apply.
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1.1
data protection by design
technical and organizational measures designed to implement data protection principles
Note 1 to entry: The measures shall be implemented in an effective manner and to integrate the necessary
safeguards into the processing.
3.1.2
data protection by default
technical and organizational measures for ensuring that only personal data which are necessary for each
specific purpose of the processing are processed
Note 1 to entry: Such measures should cover at least the amount of personal data collected, the extent of their
processing, the period of their storage and their accessibility.
3.1.3
data protection impact assessment
DPIA
overall process of identifying, analysing, evaluating, consulting, communicating and planning the
treatment of potential privacy impacts with regard to the processing of personal data, framed within an
organization’s broader risk management framework
Note 1 to entry: Adapted from ISO/IEC 29134:2017, 3.7.
3.1.4
privacy-aware
attribute of a product or service for the processing of personal data, meaning that data protection
requirements were considered in the design and pre-configuration and that privacy adverse functional
requirements were only made as far as necessary for the intended purpose of the product or service
6

---------------------- Page: 8 ----------------------
SIST EN 17529:2022
EN 17529:2022 (E)
3.1.5
special categories of personal data
data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person's sex life or sexual orientation
[SOURCE: GDPR Article 9, Clause 1]
3.2 Abbreviated terms
DPPbDD Data protection and Privacy by Design and by Default
DPIA Data protection impact assessment
GDPR EU General Data Protection Regulation 679/2016
GSMA Global system of mobile communication association
ISACA Information Systems Audit and Control Association
LoA Level of Achievement
4 General
4.1 Preparing the grounds for data protection and privacy by design and by default
Alongside the broadly formulated expectations in terms of protecting personal data during data
processing procedures, data protection and privacy by design and by default relate to the ability of the
intended technical systems and components to be able to support this protection. Reference is made to
consideration reason 78, sentence 4 for adopting of the GDPR. Yet, manufacturers do not have an
obligation under the GDPR. Other instruments are therefore required to guide them in a process through
which their products or services are designed to be data protection and privacy by design and default
friendly for a maximum of use cases, as per the anticipated market. An underlying set of requirements
consistent with the company’s quality process is detailed hereafter. Anticipated benefits are for the end-
users (customers/data controllers) ease to implement their privacy duties and for the manufacturer a
competitive edge.
The GDPR contains many legal provisions for consideration by data controllers and processors; such
provisions rely largely on the diverse functional and operational conditions in which it is anticipated that
the product or service will be used. In this context and to support the providers of products and services
in their assessment, the obligations of data controllers were generically analysed to determine whether
they contain, explicitly or implicitly, the need for functional capabilities in support of data controllers’
obligations.
The following principles are expected for data protection and privacy by design and by default:
1) DPPbDD should be proactive and preventative, not reactive and remedial.
2) Default settings and configuration should be secure and privacy-aware.
3) Data protection and privacy should be incorporated into design.
4) DPPbDD seeks full functionality in accommodation of legitimate interests and objectives, no trade-
offs.
5) DPPbDD should concern the entire data lifecycle.
7

---------------------- Page: 9 ----------------------
SIST EN 17529:2022
EN 17529:2022 (E)
6) DPPbDD should be visible and transparent and subject to independent verification.
7) The interests of the individual should be kept uppermost by offering strong defaults, appropriate
notice and be kept user-centric by offering user-friendly options, even if such provisions appear as
less privacy-friendly.
8) DPPbDD controls should be effective.
9) DPPbDD measures should be designed to be robust and be able to scale up in accordance with
increases in risk of breach of the data protection principles.
10) DPPdDD measures should be regularly assessed.
When understanding data protection by design in the utmost possible way, consideration needs to be
given not only to the moment of supplying and providing. The whole lifecycle of both, the personal data
and the product and/or service needs to be considered as well.
Special attention should be drawn to maintenance activities as well as to the general conditions, under
which a reuse of products could happen. Furthermore, the service includes the operation of processing
as a processor on data controllers behalf. Some requirements of this document will draw attention to this
scenarios.
If the service provider needs to be seen as a data controller, additional organizational and technical
measures should be put into place and be governed by an appropriated Management system, e.g.
EN ISO/IEC 27701. These organizational and technical measures will be out of scope for this document.
This document provides in 4.2 a structure for splitting up integrated products and services into layers,
which may be used to modulate them into building blocks that need to fulfil the same set of requirements.
Any reasonable approach may be taken to describing the system architecture, provided it allows a
mapping of the data protection concerns onto the architecture. When designing a major component from
sub-systems and services, it may be necessary for the overarching system architecture decomposition to
leverage the descriptions of the included components. Such approaches may draw on opaque or
transparent models for the component elements. In 4.3 the conformity scheme for a self-declaration is
provided.
In Clause 5, the requirements for an exemplar process of privacy-aware development of products and
services are provided.
In Clause 6, there are basic requirements on the design of products and services provided. Application is
specified to the respective product perspectives and service elements specified in 4.2 and control
objectives give reference to the GDPR.
Clause 7 provides guidelines to the process of self-declaration and the requirements to determine the
level of achievement.
In the Annexes A, B and C, detailed information is given on the mapping of basic requirements to product
perspectives or service elements on the definition of privacy by design and on guidance for applying
EN ISO 9001 as a management system to the development. Additionally, the Annex ZA contains the
conformity statement for EU Mandate M/530.
4.2 Structure for disassembling product and service into applicable categories
4.2.1 Introduction
As it does not seem practical to build requirements directly for products and for services, that can highly
differ in submodule assembly, architecture and bundling, a set of module categories is specified in the
next two clauses. Any complex product or service under this document can be decomposed into
8

---------------------- Page: 10 ----------------------
SIST EN 17529:2022
EN 17529:2022 (E)
component parts or layers. These can be used to represent products and services. The structural
decomposition is divided into product and service issues for ease of description.
4.2.2 Product perspectives
The module categories, of which a product can consist, are specified as follows:
1) Component perspective — mainly physical submodules like microprocessors and microcontrollers,
DRAM-Modules, Interface controllers, media drives, physical storage media, sensors, actuators or
power supply. This perspective can include connectivity drivers and small programs as e.g. for
upgrading or dynamic connection.
2) Device perspective — bare bone with chassis, shielding, display, keyboards and casing. The device
perspective integrates components from the component perspective and is adding programs for
BIOS and boot capabilities.
3) Operating system perspective — software perspective with programs supporting the configuration
of the device, the basic interaction with the user, like keyboard input and output via display or
printer, the support of user authentication, the administration of the device itself and its
interconnectivity with networks and with tools supporting local activities on the device.
4) Communication perspective — Connectivity components emulating physical links (wired or
wireless) for the purpose of information transmission. This perspective is similar to the component
perspective, but differs regarding specific concerns related with the aspect of the network it builds.
5) Storage perspective — logical perspective for the management of storage locations on connected
physical storage media via the component perspective. This includes locally or remotely connected
media, raid or cluster architectures, NAS or SAN concepts as well as fileservers and cloud storage.
6) User Interface perspective — logical perspective for the management of user interaction with a
device or service, which is not on Operating system perspective. This perspective also includes
portals and, up to a certain degree, content management systems.
7) Integrated system perspective — this perspective applies, when a product is an integration of more
than one device. It requires a communication model between the devices with specified protocols
and transmission management. Integrated systems are expected to demonstrate the capabilities and
default settings for an appropriate network security.
8) Application perspective — software perspective providing the expected functionality of a device or
an integrated system.
9) Business process perspective — logical perspective above the application perspective that is
managing information exchange between many devices, integrated systems or even organizations.
10) System management perspective — logical perspective for the management of Operation and
information security regarding the devices, integrated systems, applications, Storages and/or
communication flows.
4.2.3 Service elements
The module categories, of which a service can consist, are specified as follows:
1) Service management element — human based service of configuration, operation control and
incident response.
9

---------------------- Page: 11 ----------------------
SIST EN 17529:2022
EN 17529:2022 (E)
2) Self-service element — application service to provide the customer or the user with tools to configure
other product or service elements.
3) Integration service element — customer specific service of making subsystems interoperable,
normally organized within a dedicated project under a customer specified management framework.
4) Transmission service element — service that interconnects tra
...