SIST-TP CEN/TR 16684:2014

SLOVENSKI STANDARD
SIST-TP CEN/TR 16684:2014
01-september-2014
,QIRUPDFLMVNDWHKQRORJLMD3ULJODVLWHYXSRUDEHUDGLRIUHNYHQþQHSUHSR]QDYH5),'
'RGDWQHLQIRUPDFLMHNLMLKPRUDMR]DJRWRYLWLL]YDMDOFL
Information technology - Notification of RFID - Additional information to be provided by
operators
Notifizierung von RFID: Zusätzliche vom Betreiber zur Verfügung zu stellende
Information
Technologies de l’information - Notification d'identification par radiofréquence (RFID) -
Informations complémentaires à fournir par les opérateurs
Ta slovenski standard je istoveten z: CEN/TR 16684:2014
ICS:
03.080.99 Druge storitve Other services
35.020 Informacijska tehnika in Information technology (IT) in
tehnologija na splošno general
SIST-TP CEN/TR 16684:2014 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TP CEN/TR 16684:2014

---------------------- Page: 2 ----------------------

SIST-TP CEN/TR 16684:2014

TECHNICAL REPORT
CEN/TR 16684

RAPPORT TECHNIQUE

TECHNISCHER BERICHT
June 2014
ICS 35.240.60
English Version
Information technology - Notification of RFID - Additional
information to be provided by operators
Technologies de l'information - Notification d'identification Informationstechnik - Notifizierung von RFID: Zusätzliche
par radiofréquence (RFID) - Informations complémentaires vom Betreiber zur Verfügung zu stellende Information
à fournir par les opérateurs


This Technical Report was approved by CEN on 8 March 2014. It has been drawn up by the Technical Committee CEN/TC 225.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16684:2014 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)
Contents Page
Foreword .3
0 Introduction .4
0.1 General .4
0.2 Overview .4
1 Scope .7
2 Terms and definitions .7
3 CCTV as an Exemplar .7
4 The RFID European Emblem . 10
4.1 General . 10
4.2 Guidelines on the use of the Common European RFID emblem . 11
4.3 Definition of the Common European RFID Notification Sign . 11
4.4 Placement of signs . 12
4.4.1 General . 12
4.4.2 Presence of Readers . 12
4.4.3 Placement of signs notifying the presence of readers . 12
4.4.4 Presence of tags . 12
4.5 Who should place signage on tagged items . 13
4.6 Size of emblem . 14
5 Guidelines on additional information . 14
5.1 General . 14
5.2 Name of the operator of the application . 15
5.2.1 Name . 15
5.2.2 Contact point . 15
5.3 Purpose of the application . 15
5.4 Data processed . 16
5.5 Summary of the privacy impact assessment . 16
5.5.1 PIA report date . 16
5.5.2 RFID application operator . 16
5.5.3 RFID application overview . 16
5.5.4 Data on the RFID tag . 17
5.6 Likely privacy risks . 17
5.7 Measures to mitigate the risks . 17
5.8 Privacy information policy for RFID. 18
5.8.1 General . 18
5.8.2 Consumer and members of the public choice information – promotional material . 18
5.8.3 Consumer and members of the public choice information – sales material and pre-
contract information . 19
5.8.4 Consumer and members of the public choice information – means of conveying the
information . 19
5.8.5 Consumer and members of the public privacy information accessibility . 19
5.8.6 Privacy related contractual and privacy policy information . 20
5.8.7 Consumer and members of the public post sale user privacy information . 20
5.8.8 Consumer and members of the public information – means of conveying the post sale
user privacy information . 21
5.9 Consumer and public information – non application operator RFID privacy information . 21
Annex A (informative) RFID applications in retail . 22
Annex B (informative) RFID applications in library . 25
Annex C (informative) RFID applications in transportation . 26
Annex D (informative) RFID applications in banking . 31
Bibliography . 34

2

---------------------- Page: 4 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)
Foreword
This document (CEN/TR 16684:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2.
The other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology — Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3 Mode 1
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16672, Information technology — Privacy capability features of current RFID technologies
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
— CEN/TR 16674, Information technology — Analysis of privacy impact assessment methodologies relevant
to RFID
3

---------------------- Page: 5 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)
0 Introduction
0.1 General
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM(2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardization work programme identified in the first phase.
This document will provide the additional information of the RFID application that will need to be provided to a
citizen by accessing the source identified on the sign where the RFID application is operating. This information
will be aligned with the details set out in the Recommendation, but some of this might not be available at the
outset, a TR is the preferred form of initial delivery to establish basic requirements.
0.2 Overview
th
On March 15 2007, the European Commission presented to the European Parliament a communication
about the steps towards a Policy Framework for Radio Frequency Identification in Europe. Here below is an
extract:
"COMMISSION RECOMMENDATION of 2009/05/12 on the implementation of privacy and data protection
principles in applications supported by radio-frequency identification {SEC (2009) 585}{SEC (2009) 586}.
Radio frequency identification (RFID) is a technology that allows automatic identification and data capture by
using radio frequencies. The salient features of this technology are that they permit the attachment of a unique
identifier and other information – using a microchip – to any object, animal or even a person, and to read this
information through a wireless device. RFID is not just "electronic tags" or "electronic barcodes". When linked
to databases and communications networks, such as the Internet, this technology provides a very powerful
way of delivering new services and applications, in potentially any environment.
RFID technology is indeed seen as the gateway to a new phase of development of the Information Society,
often referred to as the "internet of things" in which the internet does not only link computers and
communications terminals, but potentially any of our daily surrounding objects – be they clothes, consumer
goods, etc. It is this prospect that provoked the European Council of December 2006 to ask the European
Commission to review the challenges of the next generation of Internet and networks at the 2008 Spring
Council.
RFID is of policy concern because of its potential to become a new motor of growth and jobs, and thus a
powerful contributor to the Lisbon Strategy, if the barriers to innovation can be overcome. The production price
of RFID tags is now approaching a level that permits wide commercial and public sector deployment. With
wider use, it becomes essential that the implementation of RFID takes place under a legal framework that
affords citizens effective safeguards for fundamental values, health, data protection and privacy.
It is for these reasons that the Commission carried out a public consultation on RFID in 2006, which
highlighted the expectations of the technology based on the results of early adopters but also the concerns of
citizens about RFID applications that involve identification and/or tracking of persons.
4

---------------------- Page: 6 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)
Data protection, privacy and security
In the public debate on RFID, there are serious concerns that this pervasive and enabling technology might
endanger privacy: RFID technology may be used to collect information that is directly or indirectly linked to an
identifiable or identified person and is therefore deemed to be personal data; RFID tags may store personal
data such as on passports or medical records; RFID technology could be used to track/trace people's
movements or to profile people's behaviour (e.g., in public places or at the workplace). Indeed, the
Commission’s public consultation underlined the concern of citizens about the potential of RFID to be an
intrusive technology. Adequate privacy safeguards are called for as a condition for wide public acceptance of
RFID. Respondents to the online consultation expect these safeguards to emerge from privacy enhancing
technologies (70%) and awareness raising (67%); specific legislation on RFID was seen as the best solution
by 55%. In addition, views are evenly balanced on whether societal applications are really positive, with about
40% of responses on each side. Stakeholders have raised concerns about potential infringements of
fundamental values, privacy and greater surveillance, especially in the workplace resulting in discrimination,
exclusion victimisation and possible job loss.
It is clear that the application of RFID must be socially and politically acceptable, ethically admissible and
legally allowable. RFID will only be able to deliver its numerous economic and societal benefits if effective
guarantees are in place on data protection, privacy and the associated ethical dimensions that lie at the heart
of the debate on the public acceptance of RFID.
The protection of personal data is an important principle in the EU. Article 6 of the Treaty on the European
Union states that the Union is founded on the principles of liberty, democracy, respect for human rights and
fundamental freedoms; Article 30 requires appropriate provisions on the protection of personal data for the
collection, storage, processing, analysis and exchange of information in the field of police co-operation. The
protection of personal data is set as one of the freedoms in Article 8 of the Charter of Fundamental Rights.
The Community legislation framework on data protection and privacy in Europe was designed to be robust in
the face of innovation. The protection of personal data is covered by the general Data Protection Directive
regardless of the means and procedures used for data processing. The Directive is applicable to all
technologies, including RFID. It defines the principles of data protection and requires that a data controller
implements these principles and ensure the security of the processing of personal data. The general Data
Protection Directive is complemented by the ePrivacy Directive which applies these principles to the
processing of personal data in connection with the provision of publicly available electronic communications
services in public communications networks. Due to this limitation, many RFID applications fall only under the
general Data Protection Directive and are not directly covered by the ePrivacy Directive.
Pursuant to these Directives, public authorities in Member States are charged with the monitoring whether the
provisions adopted by Member States are correctly applied. They will have to ensure that the introduction of
RFID applications complies with privacy and data protection legislation. It may therefore be necessary to
provide detailed guidance on practical implementation of new technologies, such as RFID. For these purposes
both directives foresee the drawing up of specific codes of conduct. This process implies a review of these
codes at national level by the competent data protection authority, and a review at European level through the
"Article 29 Working Party". "
One of the action items contained in the communication was the creation of a Stakeholders Group with the
task to provide an open platform allowing a dialogue between consumers associations, market actors and
National and European authorities in order to support the European Commission in its effort to promote
awareness campaigns at Member state and citizen level about the opportunities and challenges of RFID. The
outcome of the work performed by this Group was the publication of a PIA Framework that was endorsed by
th
Article 29 Working Party on February 11 2010.
th
In parallel, on May 12 2009, the European Commission published a Recommendation on the implementation
of Privacy and Data protection principles supported by Radio frequency Identification (RFID) . This document
provides:
5

---------------------- Page: 7 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)
— guidance to Member States on the design and operation of RFID applications in a lawful, ethical and
socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal
data,
— guidance on measures to be taken for the deployment of RFID applications to ensure that national
legislation implementing Directives 95/46/EC, 99/5/EC and 2002/58/EC is, where applicable, respected
when such applications are deployed, and
— defines the scope of this Technical Report (see Clause 1).
The RFID Recommendation underlines the risks linked with the RFID technology and the obligations of the
RFID operators to deal with the associated risks in its introduction through the bullet points (4), (5), (6), (8) and
(13):
"(4) RFID technology enables the processing of data, including personal data, over short distances without
physical contact or visible interaction between the reader or writer and the tag, such that this interaction
can happen without the individual concerned being aware of it.
(5) RFID applications hold the potential to process data relating to an identified or identifiable natural person,
a natural person being identified directly or indirectly. They can process personal data stored on the tag
such as a person's name, birth date or address or biometric data or data connecting a specific RFID item
number to personal data stored elsewhere in the system. Furthermore, the potential exists for this
technology to be used to monitor individuals through their possession of one or more items that contain
an RFID item number.
(6) Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and
data protection issues is required in the deployment of RFID. Consequently, privacy and information
security features should be built into RFID applications before their widespread use (principle of ‘security
and privacy by design’).
(8) Member States and stakeholders should, especially in this initial phase of RFID implementation, make
further efforts to ensure that RFID applications are monitored and the rights and freedoms of individuals
are respected.
(13) RFID application operators should take all reasonable steps to ensure that data does not relate to an
identified or identifiable natural person through any means likely to be used by either the RFID application
operator or any other person, unless such data is processed in compliance with the applicable principles
and legal rules on data protection."
It also gives clear instruction linked with Public awareness of RFID applications in paragraph 8:
"Member States should ensure that operators take steps to inform individuals of the presence of readers on
the basis of a common European sign, developed by European Standardisation Organisations, with the
support of concerned stakeholders. The sign should include the identity of the operator and a point of contact
for individuals to obtain the information policy for the application."
th
On December 8 2008 the European Commission Enterprise & industry Directorate-General issued a
Standardization Mandate to the European Standardization Organizations CEN/CENELEC and ETSI applied to
RFID, which was divided in two phases.
st
— Phase 1 consisting in a gap analysis in terms of standardization started in 2009 and ended on 31 May
2011. The deliverable was the ETSI/TR 187020.
— This deliverable has been accepted by the European Commission (Directorate General Information and
nd
Society, and Directorate General Enterprises) in 2011, and Phase 2 was initiated on January 2 2012
with the signature of a contract with CEN Technical Committee 225 to develop a Standardization
programme as set for in the ETSI/TR 187020.
6

---------------------- Page: 8 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)
1 Scope
This Technical Report is to assist operators of applications in areas where radio frequency interrogators are
deployed, to identify the types of information that are called for in the recommendation.
The Technical Report provides all the current information to assist operators to develop and publish a concise
accurate and easy to understand information policy for each of their applications.
The policy should at least include:
— the identity and address of the operators;
— the purpose of the application;
— what data are to be processed by the application, in particular if personal data will be processed, and
whether the location of tags will be monitored;
— a summary of the privacy and data protection impact assessment;
— the likely privacy risks, if any, relating to the use of tags in the application and the measures that
individuals can take to mitigate these risks.
2 Terms and definitions
For the purposes of this document the terms and definitions given in CEN/TS 16685:2014 apply.
3 CCTV as an Exemplar
This Technical Report points to the practicality of using the well established, and publicly accepted, practice of
signage in Europe relating to the use of CCTV cameras in both public and private (but accessible to the
public) spaces to capture still and moving images for protection of public safety and private property as a
model for RFID notification signage
Although not standardized, CCTV signs are already in widespread use in public places across Europe,
relating to the use of cameras in both public and private (but accessible to the public) spaces to capture still
and moving images for protection of public safety and private property.
Typical locations are airports, train and bus stations and retail shops. This signage displays three elements:
an emblem, the purpose of the application, and an address where to get additional information. This signage
appears to be acceptable to the general public and to the operators, and its full logo/text implementation also
appears to satisfy the concerns of the privacy lobby.
Some examples of CCTV signage of UK/Ireland are shown below:
7

---------------------- Page: 9 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)

NOTE
1) CCTV logo with text reinforcement ‘CCTV’;
2) Statement of system intent;
3) Operator of system;
4) Contact details;
5) Operator logo separate from CCTV logo.
Figure 1 — CCTV logo, Bus Station Northern Ireland
8

---------------------- Page: 10 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)

NOTE
1) CCTV logo with text reinforcement ‘CCTV in operation’;
2) Statement of system intent (automatic number palate recognition) and warning;
3) Operator of system NOT indicated: where this is indicated, often it says contact station manager, reflecting that many
filling stations are franchised. So signage maybe standard Texaco format, but station is run by Malthurst;
4) Signage in stack with disability assistance, handling information and credit card information.
Figure 2 — CCTV logo, Filling Station in Scotland

NOTE A commonly seen warning sign, which is on a white background, is the Speed Safety Camera sign used in the
UK and Eire and some other European countries.
Figure 3 — Speed Safety Camera signs
9

---------------------- Page: 11 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)

NOTE Speed camera logo: seen in Scotland. No operator declared. 1930’s design of camera.
Figure 4 — Speed Safety Camera signs
4 The RFID European Emblem
4.1 General
The concept of the easily recognizable Emblem used by the CCTC signage is applied for the selection of a
RFID emblem, and it can be seen that the emblem can be highly stylised yet be instantly recognizable,
especially if a text ‘prompt’ such as RFID is included in the emblem.
Such an emblem has already been developed and standardized as ISO/IEC 29160:2012. This standard has
th
been published on May 30 2012.
The ISO/IEC 29160 Standard has been adopted as a European Standard and will be published as
EN 16656:2014 with specific informative content to this signage requirement within Europe. In particular it
provides clarification regarding the minimum size of the emblem in relation to legibility as opposed to physical
size.

Figure 5 — RFID Emblem
It is therefore recommended that the generic version be adopted as the Common European RFID
Notification Emblem as it combines the simple strong graphic with the reinforcing text “RFID” which will
greatly assist in educating the citizen during the rollout period.
10

---------------------- Page: 12 ----------------------

SIST-TP CEN/TR 16684:2014
CEN/TR 16684:2014 (E)
4.2 Guidelines on the use of the Common European RFID emblem
Bullet point 24 on page 4, clauses 15 and 16 of the Recommendation on the implementation of privacy and
th
data protection principles in applications supported by radio-frequency identification of May 12 2009, calls for
raising awareness among the public and the enterprises about the features and capabilities of RFID, and for
the mitigation of the associated risks for Privacy, so that it will enhance its acceptability. The implementation of
a signage policy is one of the mitigating solutions to raise awareness.
In line with the above, the European Commission’s Directorate General “Information Society and Media” has
th
published on January 15 2012, a document called “Guidelines on the Use of the Common European RFID
Sign” prepared under the RFID in Europe project funded by the ICT Pol
...

SLOVENSKI STANDARD
kSIST-TP FprCEN/TR 16684:2014
01-januar-2014
,QIRUPDFLMVNDWHKQRORJLMD3ULJODVLWHYXSRUDEHUDGLRIUHNYHQþQHSUHSR]QDYH5),'
'RGDWQHLQIRUPDFLMHNLMLKPRUDMR]DJRWRYLWLL]YDMDOFL
Information technology - Notification of RFID - Additional information to be provided by
operators
Notifizierung von RFID: Zusätzliche vom Betreiber zur Verfügung zu stellende
Information
Technologies de l’information - Notification d'identification par radiofréquence (RFID) -
Informations complémentaires à fournir par les opérateurs
Ta slovenski standard je istoveten z: FprCEN/TR 16684
ICS:
03.080.99 Druge storitve Other services
35.020 Informacijska tehnika in Information technology (IT) in
tehnologija na splošno general
kSIST-TP FprCEN/TR 16684:2014 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
kSIST-TP FprCEN/TR 16684:2014

---------------------- Page: 2 ----------------------
kSIST-TP FprCEN/TR 16684:2014

TECHNICAL REPORT
FINAL DRAFT
FprCEN/TR 16684
RAPPORT TECHNIQUE

TECHNISCHER BERICHT

November 2013
ICS 35.240.60
English Version
Information technology - Notification of RFID - Additional
information to be provided by operators
Technologies de l'information - Notification d'identification Notifizierung von RFID: Zusätzliche vom Betreiber zur
par radiofréquence (RFID) - Informations complémentaires Verfügung zu stellende Information
à fournir par les opérateurs


This draft Technical Report is submitted to CEN members for Technical Committee Approval. It has been drawn up by the Technical
Committee CEN/TC 225.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to
provide supporting documentation.

Warning : This document is not a Technical Report. It is distributed for review and comments. It is subject to change without notice and
shall not be referred to as a Technical Report.


EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2013 CEN All rights of exploitation in any form and by any means reserved Ref. No. FprCEN/TR 16684:2013 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)
Contents
Page
Foreword .3
0 Introduction .4
0.1 General .4
0.2 Overview .4
1 Scope .7
2 Terms and definitions .7
3 CCTV as an Exemplar .7
4 The RFID European Emblem . 10
4.1 General . 10
4.2 Guidelines on the use of the Common European RFID emblem . 11
4.3 Definition of the Common European RFID Notification Sign . 11
4.4 Placement of signs . 12
4.4.1 General . 12
4.4.2 Presence of Readers . 12
4.4.3 Placement of signs notifying the presence of readers . 12
4.4.4 Presence of tags . 12
4.5 Who should place Signage on tagged items . 13
4.6 Size of emblem . 14
5 Guidelines on additional information . 14
5.1 General . 14
5.2 Name of the operator of the application . 15
5.2.1 Name . 15
5.2.2 Contact point . 15
5.3 Purpose of the application . 15
5.4 Data processed . 16
5.5 Summary of the privacy impact assessment . 16
5.6 Likely privacy risks . 17
5.7 Measures to mitigate the risks . 17
5.8 Privacy information policy for RFID. 18
5.8.1 General . 18
5.9 Consumer and public information – non application operator RFID privacy information . 21
Annex A (informative) RFID applications in retail . 22
Annex B (informative) RFID applications in library . 25
Annex C (informative) RFID applications in transportation . 26
Annex D (informative) RFID applications in banking . 30
Bibliography . 33


2

---------------------- Page: 4 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)
Foreword
This document (FprCEN/TR 16684:2013) has been prepared by Technical Committee CEN/TC 225 “AIDC
technologies”, the secretariat of which is held by NEN.
This document is currently submitted to the Formal Vote.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2.
The other deliverables are:
 FprEN 16656, Information technology – Radio frequency identification for item management – RFID
Emblem
 prEN 16570, Information technology – Notification of RFID – The information sign and additional
information to be provided by operators of RFID application systems
 FprCEN/TS 16685, Information technology – Notification of RFID – The information sign to be displayed
in areas where RFID interrogators are deployed
 prCEN/TR 16684, Information technology – Notification of RFID – Additional information to be provided
by operators
 prCEN/TR 16672, Information technology – Privacy capability features of current RFID technologies
 prEN 16571, Information technology – RFID privacy impact assessment process
 prCEN/TR 16674, Information technology – Analysis of privacy impact assessment methodologies
relevant to RFID
 prCEN/TR 16670, Information technology – RFID threat and vulnerability analysis
 prCEN/TR 16671, Information technology – Authorisation of mobile phones when used as RFID
interrogators
 prCEN/TR 16669, Information technology – Device interface to support ISO/IEC 18000-3
3

---------------------- Page: 5 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)
0 Introduction
0.1 General
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM(2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardisation work programme identified in the first phase.
This document will provide the additional information of the RFID application that will need to be provided to a
citizen by accessing the source identified on the sign where the RFID application is operating. This information
will be aligned with the details set out in the Recommendation, but some of this might not be available at the
outset, a TR is the preferred form of initial delivery to establish basic requirements.
0.2 Overview
th
On March 15 2007, the European Commission presented to the European Parliament a communication
about the steps towards a Policy Framework for Radio Frequency Identification in Europe. Here below is an
extract:
"COMMISSION RECOMMENDATION of 2009/05/12 on the implementation of privacy and data protection
principles in applications supported by radio-frequency identification {SEC (2009) 585}{SEC (2009) 586}.
Radio frequency identification (RFID) is a technology that allows automatic identification and data capture by
using radio frequencies. The salient features of this technology are that they permit the attachment of a unique
identifier and other information – using a microchip – to any object, animal or even a person, and to read this
information through a wireless device. RFID is not just "electronic tags" or "electronic barcodes". When linked
to databases and communications networks, such as the Internet, this technology provides a very powerful
way of delivering new services and applications, in potentially any environment.
RFID technology is indeed seen as the gateway to a new phase of development of the Information Society,
often referred to as the "internet of things" in which the internet does not only link computers and
communications terminals, but potentially any of our daily surrounding objects – be they clothes, consumer
goods, etc. It is this prospect that provoked the European Council of December 2006 to ask the European
Commission to review the challenges of the next generation of Internet and networks at the 2008 Spring
Council.
RFID is of policy concern because of its potential to become a new motor of growth and jobs, and thus a
powerful contributor to the Lisbon Strategy, if the barriers to innovation can be overcome. The production price
of RFID tags is now approaching a level that permits wide commercial and public sector deployment. With
wider use, it becomes essential that the implementation of RFID takes place under a legal framework that
affords citizens effective safeguards for fundamental values, health, data protection and privacy.
It is for these reasons that the Commission carried out a public consultation on RFID in 2006, which
highlighted the expectations of the technology based on the results of early adopters but also the concerns of
citizens about RFID applications that involve identification and/or tracking of persons.
4

---------------------- Page: 6 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)
Data protection, privacy and security
In the public debate on RFID, there are serious concerns that this pervasive and enabling technology might
endanger privacy: RFID technology may be used to collect information that is directly or indirectly linked to an
identifiable or identified person and is therefore deemed to be personal data; RFID tags may store personal
data such as on passports or medical records; RFID technology could be used to track/trace people's
movements or to profile people's behaviour (e.g., in public places or at the workplace). Indeed, the
Commission’s public consultation underlined the concern of citizens about the potential of RFID to be an
intrusive technology. Adequate privacy safeguards are called for as a condition for wide public acceptance of
RFID. Respondents to the online consultation expect these safeguards to emerge from privacy enhancing
technologies (70%) and awareness raising (67%); specific legislation on RFID was seen as the best solution
by 55%. In addition, views are evenly balanced on whether societal applications are really positive, with about
40% of responses on each side. Stakeholders have raised concerns about potential infringements of
fundamental values, privacy and greater surveillance, especially in the workplace resulting in discrimination,
exclusion victimisation and possible job loss.
It is clear that the application of RFID must be socially and politically acceptable, ethically admissible and
legally allowable. RFID will only be able to deliver its numerous economic and societal benefits if effective
guarantees are in place on data protection, privacy and the associated ethical dimensions that lie at the heart
of the debate on the public acceptance of RFID.
The protection of personal data is an important principle in the EU. Article 6 of the Treaty on the European
Union states that the Union is founded on the principles of liberty, democracy, respect for human rights and
fundamental freedoms; Article 30 requires appropriate provisions on the protection of personal data for the
collection, storage, processing, analysis and exchange of information in the field of police co-operation. The
protection of personal data is set as one of the freedoms in Article 8 of the Charter of Fundamental Rights.
The Community legislation framework on data protection and privacy in Europe was designed to be robust in
the face of innovation. The protection of personal data is covered by the general Data Protection Directive
regardless of the means and procedures used for data processing. The Directive is applicable to all
technologies, including RFID. It defines the principles of data protection and requires that a data controller
implements these principles and ensure the security of the processing of personal data. The general Data
Protection Directive is complemented by the ePrivacy Directive which applies these principles to the
processing of personal data in connection with the provision of publicly available electronic communications
services in public communications networks. Due to this limitation, many RFID applications fall only under the
general Data Protection Directive and are not directly covered by the ePrivacy Directive.
Pursuant to these Directives, public authorities in Member States are charged with the monitoring whether the
provisions adopted by Member States are correctly applied. They will have to ensure that the introduction of
RFID applications complies with privacy and data protection legislation. It may therefore be necessary to
provide detailed guidance on practical implementation of new technologies, such as RFID. For these purposes
both directives foresee the drawing up of specific codes of conduct. This process implies a review of these
codes at national level by the competent data protection authority, and a review at European level through the
"Article 29 Working Party". "
One of the action items contained in the communication was the creation of a Stakeholders Group with the
task to provide an open platform allowing a dialogue between consumers associations, market actors and
National and European authorities in order to support the European Commission in its effort to promote
awareness campaigns at Member state and citizen level about the opportunities and challenges of RFID. The
outcome of the work performed by this Group was the publication of a PIA Framework that was endorsed by
th
Article 29 Working Party on February 11 2010.
th
In parallel, on May 12 2009, the European Commission published a Recommendation on the implementation
of Privacy and Data protection principles supported by Radio frequency Identification (RFID) . This document
provides:
 guidance to Member States on the design and operation of RFID applications in a lawful, ethical and
socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal
data,
5

---------------------- Page: 7 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)
 guidance on measures to be taken for the deployment of RFID applications to ensure that national
legislation implementing Directives 95/46/EC, 99/5/EC and 2002/58/EC is, where applicable, respected
when such applications are deployed, and
 defines the scope of this Technical Report (see the Section 1).
The RFID Recommendation underlines the risks linked with the RFID technology and the obligations of the
RFID operators to deal with the associated risks in its introduction through the bullet points (4), (5), (6), (8) and
(13):
"(4) RFID technology enables the processing of data, including personal data, over short distances without
physical contact or visible interaction between the reader or writer and the tag, such that this interaction
can happen without the individual concerned being aware of it.
(5) RFID applications hold the potential to process data relating to an identified or identifiable natural person,
a natural person being identified directly or indirectly. They can process personal data stored on the tag
such as a person's name, birth date or address or biometric data or data connecting a specific RFID item
number to personal data stored elsewhere in the system. Furthermore, the potential exists for this
technology to be used to monitor individuals through their possession of one or more items that contain an
RFID item number.
(6) Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and
data protection issues is required in the deployment of RFID. Consequently, privacy and information
security features should be built into RFID applications before their widespread use (principle of ‘security
and privacy by design’).
(8) Member States and stakeholders should, especially in this initial phase of RFID implementation, make
further efforts to ensure that RFID applications are monitored and the rights and freedoms of individuals
are respected.
(13) RFID application operators should take all reasonable steps to ensure that data does not relate to an
identified or identifiable natural person through any means likely to be used by either the RFID application
operator or any other person, unless such data is processed in compliance with the applicable principles
and legal rules on data protection."
It also gives clear instruction linked with Public awareness of RFID applications in paragraph 8:
"Member States should ensure that operators take steps to inform individuals of the presence of readers on
the basis of a common European sign, developed by European Standardisation Organisations, with the
support of concerned stakeholders. The sign should include the identity of the operator and a point of contact
for individuals to obtain the information policy for the application."
th
On December 8 2008 the European Commission Enterprise & industry Directorate-General issued a
Standardization Mandate to the European Standardization Organisations CEN/CENELEC and ETSI applied to
RFID, which was divided in two phases.
st
 Phase 1 consisting in a gap analysis in terms of standardization started in 2009 and ended on 31 May
2011. The deliverable was the ETSI TR 187020.
 This deliverable has been accepted by the European Commission (Directorate General Information and
nd
Society, and Directorate General Enterprises) in 2011, and Phase 2 was initiated on January 2 2012
with the signature of a contract with CEN Technical Committee 225 to develop a Standardisation
programme as set for in the ETSI TR 187020.
6

---------------------- Page: 8 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)
1 Scope
This Technical Report is to assist operators of applications in areas where radio frequency interrogators are
deployed, to identify the types of information that are called for in the recommendation.
The Technical Report provides all the current information to assist operators to develop and publish a concise
accurate and easy to understand information policy for each of their applications.
The policy should at least include:
 the identity and address of the operators;
 the purpose of the application;
 what data are to be processed by the application, in particular if personal data will be processed, and
whether the location of tags will be monitored;
 a summary of the privacy and data protection impact assessment;
 the likely privacy risks, if any, relating to the use of tags in the application and the measures that
individuals can take to mitigate these risks.
2 Terms and definitions
For the purposes of this document the terms and definitions given in FprCEN/TS 16685:2013 apply.
3 CCTV as an Exemplar
This Technical Report points to the practicality of using the well established, and publicly accepted, practice of
signage in Europe relating to the use of CCTV cameras in both public and private (but accessible to the
public) spaces to capture still and moving images for protection of public safety and private property as a
model for RFID notification signage
Although not standardized, CCTV signs are already in widespread use in public places across Europe,
relating to the use of cameras in both public and private (but accessible to the public) spaces to capture still
and moving images for protection of public safety and private property.
Typical locations are airports, train and bus stations and retail shops. This signage displays three elements:
an emblem, the purpose of the application, and an address where to get additional information. This signage
appears to be acceptable to the general public and to the operators, and its full logo/text implementation also
appears to satisfy the concerns of the privacy lobby.
Some examples of CCTV signage of UK/Ireland are shown below:


7

---------------------- Page: 9 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)

NOTE
1) CCTV logo with text reinforcement ‘CCTV’
2) Statement of system intent
3) Operator of system
4) Contact details
5) Operator logo separate from CCTV logo
Figure 1 — CCTV logo, Bus Station Northern Ireland
8

---------------------- Page: 10 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)

NOTE
1) CCTV logo with text reinforcement ‘CCTV in operation’
2) Statement of system intent (automatic number palate recognition) and warning
3) Operator of system NOT indicated: where this is indicated, often it says contact station manager, reflecting that
many filling stations are franchised. So signage maybe standard Texaco format, but station is run by Malthurst.
4) Signage in stack with disability assistance, handling information and credit card information
Figure 2 — CCTV logo, Filling Station in Scotland


NOTE A commonly seen warning sign, which is on a white background, is the Speed Safety Camera sign used in the
UK and Eire and some other European countries.
Figure 3 — Speed Safety Camera signs
9

---------------------- Page: 11 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)

NOTE Speed camera logo: seen in Scotland. No operator declared. 1930’s design of camera.
Figure 4 — Speed Safety Camera signs

4 The RFID European Emblem
4.1 General
The concept of the easily recognisable Emblem used by the CCTC signage is applied for the selection of a
RFID emblem, and it can be seen that the emblem can be highly stylised yet be instantly recognisable,
especially if a text ‘prompt’ such as RFID is included in the emblem.
Such an emblem has already been developed and standardised as ISO/IEC 29160:2012. This standard has
th
been published on May 30 2012.
The ISO/IEC 29160 Standard has been adopted as a European Standard and will be published as
FprEN 16656:2013 with specific informative content to this signage requirement within Europe. In particular it
provides clarification regarding the minimum size of the emblem in relation to legibility as opposed to physical
size.


Figure 5 — RFID Emblem
It is therefore recommended that the generic version be adopted as the Common European RFID
Notification Emblem as it combines the simple strong graphic with the reinforcing text “RFID” which will
greatly assist in educating the citizen during the rollout period.

10

---------------------- Page: 12 ----------------------
kSIST-TP FprCEN/TR 16684:2014
FprCEN/TR 16684:2013 (E)
4.2 Guidelines on the use of the Common European RFID emblem
Bullet point 24 on page 4, clauses 15 and 16 of the Recommendation on the implementation of privacy and
th
data protection principles in applications supported by radio-frequency identification of May 12 2009, calls for
raising awareness among the public and the enterprises about the features and capabilities of RFID, and for
the mitigation of the associated risks for Privacy, so that it will enhance its acceptability. The implementation of
a signage policy is one of the mitigating solutions to raise awareness.
In line with the above, the European Commission’s Directorate General “Information Society and Media” has
th
2012, a document called “Guidelines on the Use of the Common European RFID
published on January 15
Sign” prepared under the RFID in Europe project funded by the ICT Policy Support Programme (ICTPSP-CIP)
and, that gives guidelines to RFID operators for the use of a common European Sign. This document has
received the endorsement of Unit "ICT for Competitiveness and Industrial Innovation" of the European
Commission's Directorate General "Enterprise and Industry".
Unlikely the logo´s that serve the purpose of communicating a trademark of a proprietary system or a
business application, the Common European RFID emblem shall be utilized as a generic emblem to
indicate the presence of an RFID application for the notification of citizens about the RFID technology
utilization either in public areas such as shops, public transport locations or libraries or directly embedded in
products. The Common European RFID emblem will also provide more visibility to the Signage System which
enables the citizens to access additional information about the data capture application and the operator.
4.3 Definition of the Common European RFID Notification Sign
This definition should be read in the context of the completion of a Privacy Impact Assessment (PIA) of the
RFID application and conforming to prEN 16571:2013.
The Common European RFID Notification Sign consists of three elements:
a) a graphic emblem derived from the generic emblem defined in FprEN 16656:2013;
b) a textual description of the purpose of the RFID application being notified, together with the legal name of
the RFID application operator and the
...