Privacy management in products and services - Biometric access control products and services

This document contains recommendations on how to integrate the principle of ‘data protection and privacy by design’ during the entire lifecycle of biometric access-control products and services, in order to achieve ‘data protection and privacy by default’.

Biometric facial recognition for access control is covered by this document. Biometric facial recognition for surveillance is covered by CEN/CLC/JTC 13 TR ‘Video surveillance’.

This document specifies recommendations for the management of data protection and privacy by design in biometric access-control products and services. This document extends ISO/IEC 27552. This document applies to aspects of data protection and privacy by design. This document is not applicable to non-biometric aspects of access control, or to aspects not relating to data protection or privacy.

German title: Biometrische Zugangskontrolle mit Gesichtserkennung (literally ‘Biometric access control with facial recognition’)

French title: Management de la protection de la vie privée dans les produits et services - Produits et services de commande d'accès biométrique (‘Privacy management in products and services - Biometric access control products and services’)

Slovenian title: Vodenje zasebnosti pri izdelkih in storitvah - Izdelki in storitve za biometrični nadzor dostopa (‘Privacy management in products and services - Products and services for biometric access control’)

General Information

Status: Published
Publication Date: 02-Dec-2025
Current Stage: 6060 - Definitive text made available (DAV) - Publishing
Start Date: 03-Dec-2025
Due Date: 29-Oct-2021
Completion Date: 03-Dec-2025

Overview

CEN/TR 18241:2025 provides recommendations for integrating data protection and privacy by design into the full lifecycle of biometric access control products and services. The technical report focuses on biometric facial recognition for access control (not surveillance, which CEN/CLC/JTC 13 treats in its separate TR on video surveillance) and explains how to apply the higher-level privacy-by-design guidance to this product category. It supplements existing frameworks: its Introduction positions it as guidance for applying EN 17529 to biometric access control, and its Scope states that it extends ISO/IEC 27552 (the draft designation under which the privacy information management extension to ISO/IEC 27001/27002 was developed before its publication as ISO/IEC 27701). The privacy-by-design controls are mapped to the biometric specifics of ‘data protection by design and by default’ under GDPR Article 25.

Key topics and technical requirements

  • Lifecycle privacy process: Leadership, preparation, design, development, production, release, performance evaluation and improvement - all tailored to biometric systems.
  • Access and copies of data: Considerations for access requests when biometric raw data, templates or trained models are not human‑readable or are irreversibly transformed.
  • Accuracy: Multiple accuracy aspects must be addressed - capture, enrolment, matching/decision logic, signal processing, trained model performance, presentation‑attack detection (spoofing/deepfakes), and protected/de‑identified data accuracy.
  • Data de‑identification and template protection: Recommendations for irreversible, unlinkable (renewable) transformations using methods described in ISO/IEC 24745 (e.g., hashing, Bloom filters) and guidance on risks of reversible mapping.
  • Data‑minimization & pseudonymisation: Design choices that limit personal data exposure and support GDPR requirements.
  • Security & information protection: Confidentiality, integrity, storage limitation, restore and data loss mitigation for biometric assets and models.
  • Lawfulness & transparency: Guidance on consent, lawful bases, records of processing activities, and handling automated decision‑making or objections to processing.
  • Self‑declaration and levels of achievement: Processes for documenting privacy‑aware design, including when a DPIA (Data Protection Impact Assessment) is required.
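The de-identification and template-protection bullet above describes the three properties ISO/IEC 24745 asks of a protected template (irreversibility, unlinkability, renewability) and names Bloom filters as one construction. The following Python sketch is an added example, not code from CEN/TR 18241, ISO/IEC 24745 or any product; it assumes a constructed 256-bit binary feature vector in place of a real face embedding, an 8-bit block width, a per-application key derived with SHA-256 from an operator-held secret and an application identifier, and a dissimilarity threshold of 0.5. It runs the four checks a practitioner would want before trusting a vendor's "protected template" claim: a noisy genuine probe still matches, an impostor does not, the same person enrolled under a renewed key is unlinkable to the old template, and the weak setting (no application key) is shown to be linkable across deployments.

```python
"""Toy Bloom-filter template protection (cancelable biometrics) in the style of
ISO/IEC 24745. Added example; feature vectors below are constructed, not real
biometric data, and the scheme parameters are assumptions for illustration."""
import hashlib
import random
from typing import Dict, List

BLOCK_WIDTH = 8                  # bits per block -> one filter index per block
NUM_BLOCKS = 32                  # 32 blocks * 8 bits = 256-bit feature vector
VECTOR_LEN = BLOCK_WIDTH * NUM_BLOCKS
FILTER_SIZE = 1 << BLOCK_WIDTH   # one filter bit per possible block value
DECISION_THRESHOLD = 0.5         # dissimilarity above this => no match (assumed)


def derive_key(secret: bytes, application_id: str) -> List[int]:
    """One BLOCK_WIDTH-bit key word per block, derived from a secret and an
    application identifier. Changing either renews the template."""
    seed = hashlib.sha256(secret + application_id.encode()).digest()
    stream = b""
    counter = 0
    while len(stream) < NUM_BLOCKS:          # counter-mode expansion of the seed
        stream += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    mask = FILTER_SIZE - 1
    return [byte & mask for byte in stream[:NUM_BLOCKS]]


def protect(features: List[int], key: List[int]) -> int:
    """Cancelable transform: each block value is XORed with its key word and the
    result is used as an index into a Bloom filter (returned as an int bitmask).
    All blocks fold into one unordered set, so the map is many-to-one and block
    order is lost (irreversible); a different key moves every index (unlinkable)."""
    if len(features) != VECTOR_LEN or len(key) != NUM_BLOCKS:
        raise ValueError("unexpected feature vector or key length")
    bloom = 0
    for b in range(NUM_BLOCKS):
        block = features[b * BLOCK_WIDTH:(b + 1) * BLOCK_WIDTH]
        value = int("".join(str(bit) for bit in block), 2)
        bloom |= 1 << (value ^ key[b])
    return bloom


def dissimilarity(bf1: int, bf2: int) -> float:
    """Normalised Hamming distance between two filters, in [0, 1]; 0 = identical."""
    weight = bin(bf1).count("1") + bin(bf2).count("1")
    if weight == 0:
        return 0.0
    return bin(bf1 ^ bf2).count("1") / weight


def flip_bits(features: List[int], positions: List[int]) -> List[int]:
    """Simulate capture noise between enrolment and probe: flip the given bits."""
    noisy = list(features)
    for p in positions:
        noisy[p] ^= 1
    return noisy


def demo() -> Dict[str, float]:
    """Run the four checks a template-protection evaluation needs."""
    rng = random.Random(18241)   # constructed, deterministic sample subjects
    alice = [rng.getrandbits(1) for _ in range(VECTOR_LEN)]
    bob = [rng.getrandbits(1) for _ in range(VECTOR_LEN)]
    # A fresh capture of Alice differs in six bits, each in a different block.
    alice_probe = flip_bits(alice, [3, 40, 77, 120, 150, 201])

    secret = b"enrolment-secret"          # assumption: held by the operator
    key_hq = derive_key(secret, "door-hq")
    key_lab = derive_key(secret, "door-lab")

    ref_hq = protect(alice, key_hq)       # stored reference template
    unkeyed = [0] * NUM_BLOCKS            # weak setting: no application key
    return {
        "genuine": dissimilarity(ref_hq, protect(alice_probe, key_hq)),
        "impostor": dissimilarity(ref_hq, protect(bob, key_hq)),
        # Same subject, renewed key: must look like a stranger (unlinkable).
        "renewed": dissimilarity(ref_hq, protect(alice, key_lab)),
        # Same subject, no key: identical templates in two deployments (linkable).
        "unkeyed_linkable": dissimilarity(protect(alice, unkeyed),
                                          protect(alice, unkeyed)),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        verdict = "match" if score <= DECISION_THRESHOLD else "no match"
        print(f"{name:17s} dissimilarity={score:.3f} -> {verdict}")
```

Two points the sketch makes concrete. Irreversibility here comes from folding ordered blocks into an unordered set: even an attacker who holds the key recovers at most a multiset of block values, not the vector. Unlinkability and renewability come entirely from the per-application key; the `unkeyed_linkable` check shows that an unkeyed (or key-reused) deployment yields identical templates everywhere, which is the linkable, effectively reversible mapping the bullet warns about. A real evaluation would measure FMR/FNMR on the protected domain and test unlinkability as ISO/IEC 30136 describes, rather than on one constructed pair of subjects.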

Practical applications and who uses it

  • Product manufacturers of facial recognition devices and biometric modules seeking to embed privacy‑by‑default into hardware and firmware.
  • System integrators and service providers deploying access control solutions at workplaces, borders, or mobile services.
  • Security architects and R&D teams designing biometric matching algorithms, template protection and model training pipelines.
  • Data Protection Officers (DPOs) and compliance teams implementing GDPR Article 25 controls and preparing DPIAs.
  • Procurement and risk assessors evaluating vendor claims on biometric privacy features via self‑declaration levels.

Related standards

  • EN 17529 (privacy by design in products/services) - referenced as the broader framework.
  • ISO/IEC 24745 (biometric information protection) - template protection concepts.
  • ISO/IEC 30136 (testing of biometric template protection schemes) - noted for de‑identified data testing.
  • ISO/IEC JTC 1/SC 37 and CEN/TC 224 (the ISO/IEC and CEN biometrics committees) - general biometric standards and guidance.

Keywords: biometric access control, privacy by design, data protection, facial recognition, template protection, GDPR, biometric de‑identification.

Technical report

TP CEN/TR 18241:2026

English language
12 pages


Frequently Asked Questions

CEN/TR 18241:2025 is a technical report published by the European Committee for Standardization (CEN). Its full title is "Privacy management in products and services - Biometric access control products and services". Its scope reads: This document contains recommendations on how to integrate the principle of ‘data protection and privacy by design’ during the entire lifecycle of biometric access-control products and services, in order to achieve ‘data protection and privacy by default’. Biometric facial recognition for access control is covered by this document. Biometric facial recognition for surveillance is covered by CEN/CLC/JTC 13 TR ‘Video surveillance’. This document specifies recommendations for the management of data protection and privacy by design in biometric access-control products and services. This document extends ISO/IEC 27552. This document applies to aspects of data protection and privacy by design. This document is not applicable to non-biometric aspects of access control, or to aspects not relating to data protection or privacy.


CEN/TR 18241:2025 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

CEN/TR 18241:2025 is associated with the following European legislation: EU Directives/Regulations: 95/46/EC; Standardization Mandates: M/530. Directive 95/46/EC was repealed by the GDPR (Regulation (EU) 2016/679) with effect from 25 May 2018, and the overview above maps the report's controls to GDPR Article 25. When a harmonised European standard (EN) is cited in the Official Journal of the European Union, products manufactured in conformity with it benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation; a Technical Report such as this one is guidance and does not itself confer that presumption.


Standards Content (Sample)


SLOVENIAN STANDARD
1 February 2026
Privacy management in products and services - Biometric access control products and services
(Slovenian title: Vodenje zasebnosti pri izdelkih in storitvah - Izdelki in storitve za biometrični nadzor dostopa; German title: Biometrische Zugangskontrolle mit Gesichtserkennung, literally ‘Biometric access control with facial recognition’; French title: Management de la protection de la vie privée dans les produits et services - Produits et services de commande d'accès biométrique)
This Slovenian standard is identical to: CEN/TR 18241:2025
ICS:
35.030 Informacijska varnost / IT Security
35.240.15 Identifikacijske kartice. Čipne kartice. Biometrija / Identification cards. Chip cards. Biometrics
© 2003-01. Slovenski inštitut za standardizacijo (Slovenian Institute for Standardization). Reproduction of the whole or of parts of this standard is not permitted.

TECHNICAL REPORT CEN/TR 18241

December 2025
ICS 35.030
English version
Privacy management in products and services - Biometric access control products and services
French title: Management de la protection de la vie privée dans les produits et services - Produits et services de commande d'accès biométrique
German title: Biometrische Zugangskontrolle mit Gesichtserkennung (literally ‘Biometric access control with facial recognition’)
This Technical Report was approved by CEN on 17 November 2025. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. CEN/TR 18241:2025 E
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 General. 6
4.1 Preparing the grounds for data protection and privacy by design and by default . 6
4.2 Structure for disassembling product and service into applicable categories . 6
4.2.1 Introduction . 6
4.2.2 Product layers . 6
4.2.3 Service layers . 7
4.3 Self-declaration and levels of achievement . 7
5 Process for a privacy aware development of products and services . 7
5.1 Leadership and market intelligence . 7
5.2 Preparation . 7
5.3 Design . 7
5.3.1 Determination of DPbPP requirements . 7
5.3.2 Development . 7
5.3.3 Production and service provision . 7
5.3.4 Release of products and services . 7
5.4 Performance evaluation . 7
5.5 Improvement . 7
6 Basic requirements on the design of products and services . 8
6.1 Access . 8
6.1.1 Access to data . 8
6.1.2 Copy of data . 8
6.2 Accountability . 8
6.3 Accuracy . 8
6.4 Data de-identification . 8
6.5 Data minimization . 9
6.6 Data portability . 9
6.7 Confidentiality . 9
6.8 Erasure. 9
6.9 Fairness . 9
6.9.1 Determination of user age . 9
6.9.2 Configurable children age threshold . 9
6.10 Information security . 9
6.10.1 Unauthorized or unlawful processing . 9
6.10.2 Data loss . 9
6.10.3 Information protection targets . 9
6.10.4 Restore . 10
6.11 Lawfulness . 10
6.11.1 Data disclosure . 10
6.11.2 Consent . 10
6.12 Objection to processing . 10
6.13 Automated decision making . 10
6.14 Restriction of processing . 10
6.15 Storage limitation . 10
6.16 Transparency . 10
6.16.1 Information . 10
6.16.2 Record of processing activities . 10
7 Requirements to the self-declaration of privacy aware design . 11
7.1 Process requirements . 11
7.2 Preparation based on the product and service layer requirements . 11
7.3 Preparation additionally based on conduction of a DPIA . 11
7.4 Determination of the level of achievement . 11
7.5 Self-declaration statement . 11
Bibliography . 12

European foreword
This document (CEN/TR 18241:2025) has been prepared by Technical Committee CEN-CENELEC/JTC 13
“Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a Standardization Request given to CEN by the European
Commission and the European Free Trade Association, and supports essential requirements of
EU Directive(s) / Regulation(s).
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
Introduction
EN 17529 applies to all products and services in general, in order to achieve data protection and privacy
by design and by default. Its scope includes biometric access-control products and services. For this
specific category of products and services, this document adds information that explains how industry
can use EN 17529 in the case of biometric access-control products and services.
Results
...
