Privacy management in products and services - Biometric access control products and services

This document contains recommendations on how to integrate the principle of ‘data protection and privacy by design’
during the entire lifecycle of biometric access-control products and services, in order to achieve ‘data protection and
privacy by default’.
Biometric facial recognition for access control is covered by this document. Biometric facial recognition for surveillance is
covered by CEN/CLC/JTC 13 TR ‘Video surveillance’.
This document specifies recommendations for the management of data protection and privacy by design in biometric access-
control products and services. This document extends ISO/IEC 27552. This document applies to aspects of data
protection and privacy by design. This document is not applicable to non-biometric aspects of access control, or to aspects
not relating to data protection or privacy.

German title: Biometric access control with facial recognition (Biometrische Zugangskontrolle mit Gesichtserkennung)

French title: Privacy management in products and services - Biometric access control products and services (Management de la protection de la vie privée dans les produits et services - Produits et services de commande d'accès biométrique)

Slovenian title: Privacy management in products and services - Biometric access control products and services (Vodenje zasebnosti pri izdelkih in storitvah - Izdelki in storitve za biometrični nadzor dostopa)

General Information

Status
Published
Publication Date
02-Dec-2025
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
03-Dec-2025
Due Date
29-Oct-2021
Completion Date
03-Dec-2025

Overview

CEN/TR 18241:2025 provides recommendations for integrating data protection and privacy by design into the full lifecycle of biometric access control products and services. The technical report focuses on biometric facial recognition for access control (not surveillance) and clarifies how to apply higher‑level privacy requirements for this category. It supplements existing frameworks (the source references both EN 17529 and ISO/IEC 27552) and maps privacy‑by‑design controls to biometric specifics under the GDPR (Article 25).

Key topics and technical requirements

  • Lifecycle privacy process: Leadership, preparation, design, development, production, release, performance evaluation and improvement - all tailored to biometric systems.
  • Access and copies of data: Considerations for access requests when biometric raw data, templates or trained models are not human‑readable or are irreversibly transformed.
  • Accuracy: Multiple accuracy aspects must be addressed - capture, enrolment, matching/decision logic, signal processing, trained model performance, presentation‑attack detection (spoofing/deepfakes), and protected/de‑identified data accuracy.
  • Data de‑identification and template protection: Recommendations for irreversible, unlinkable (renewable) transformations using methods described in ISO/IEC 24745 (e.g., hashing, Bloom filters) and guidance on risks of reversible mapping.
  • Data‑minimization & pseudonymisation: Design choices that limit personal data exposure and support GDPR requirements.
  • Security & information protection: Confidentiality, integrity, storage limitation, restore and data loss mitigation for biometric assets and models.
  • Lawfulness & transparency: Guidance on consent, lawful bases, records of processing activities, and handling automated decision‑making or objections to processing.
  • Self‑declaration and levels of achievement: Processes for documenting privacy‑aware design, including when a DPIA (Data Protection Impact Assessment) is required.

Practical applications and who uses it

  • Product manufacturers of facial recognition devices and biometric modules seeking to embed privacy‑by‑default into hardware and firmware.
  • System integrators and service providers deploying access control solutions at workplaces, borders, or mobile services.
  • Security architects and R&D teams designing biometric matching algorithms, template protection and model training pipelines.
  • Data Protection Officers (DPOs) and compliance teams implementing GDPR Article 25 controls and preparing DPIAs.
  • Procurement and risk assessors evaluating vendor claims on biometric privacy features via self‑declaration levels.

Related standards

  • EN 17529 (privacy by design in products/services) - referenced as the broader framework.
  • ISO/IEC 24745 (biometric information protection) - template protection concepts.
  • ISO/IEC 30136 (testing of biometric template protection schemes) - noted for de‑identified data testing.
  • ISO/JTC 1/SC 37 and CEN/TC 224 (biometrics and related committees) - general biometric standards and guidance.

Keywords: biometric access control, privacy by design, data protection, facial recognition, template protection, GDPR, biometric de‑identification.

Draft

kTP FprCEN/TR 18241:2025

English language
12 pages

Frequently Asked Questions

CEN/TR 18241:2025 is a draft published by the European Committee for Standardization (CEN). Its full title is "Privacy management in products and services - Biometric access control products and services". This standard covers: This document contains recommendations on how to integrate the principle of ‘data protection and privacy by design’ during the entire lifecycle of biometric access-control products and services, in order to achieve ‘data protection and privacy by default’. Biometric facial recognition for access control is covered by this document. Biometric facial recognition for surveillance is covered by CEN/CLC/JTC 13 TR ‘Video surveillance’. This document specifies recommendations for the management of data protection and privacy by design in biometric access-control products and services. This document extends ISO/IEC 27552. This document applies to aspects of data protection and privacy by design. This document is not applicable to non-biometric aspects of access control, or to aspects not relating to data protection or privacy.

CEN/TR 18241:2025 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

CEN/TR 18241:2025 is associated with the following European legislation: EU Directives/Regulations: 95/46/EC; Standardization Mandates: M/530. When a standard is cited in the Official Journal of the European Union, products manufactured in conformity with it benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation.

You can purchase CEN/TR 18241:2025 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of CEN standards.

Standards Content (Sample)


SLOVENIAN STANDARD
kSIST-TP FprCEN/TR 18241:2025
01 October 2025
Privacy management in products and services - Biometric access control products and services
(Slovenian title: Vodenje zasebnosti pri izdelkih in storitvah - Izdelki in storitve za biometrični nadzor dostopa)
German title: Biometric access control with facial recognition (Biometrische Zugangskontrolle mit Gesichtserkennung)
French title: Privacy management in products and services - Biometric access control products and services (Management de la protection de la vie privée dans les produits et services - Produits et services de commande d'accès biométrique)
This Slovenian standard is identical to: FprCEN/TR 18241
ICS:
35.030 IT Security
35.240.15 Identification cards. Chip cards. Biometrics
kSIST-TP FprCEN/TR 18241:2025 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of all or parts of this standard is not permitted.

TECHNICAL REPORT FINAL DRAFT
FprCEN/TR 18241
TECHNICAL REPORT (French: RAPPORT TECHNIQUE; German: TECHNISCHER REPORT)
July 2025
ICS
English version
Privacy management in products and services - Biometric access control products and services
French title: Privacy management in products and services - Biometric access control products and services (Management de la protection de la vie privée dans les produits et services - Produits et services de commande d'accès biométrique)
German title: Biometric access control with facial recognition (Biometrische Zugangskontrolle mit Gesichtserkennung)
This draft Technical Report is submitted to CEN members for Vote. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning : This document is not a Technical Report. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a Technical Report.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. FprCEN/TR 18241:2025 E
FprCEN/TR 18241:2025 (E)
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 General. 6
4.1 Preparing the grounds for data protection and privacy by design and by default . 6
4.2 Structure for disassembling product and service into applicable categories . 6
4.2.1 Introduction . 6
4.2.2 Product layers . 6
4.2.3 Service layers . 7
4.3 Self-declaration and levels of achievement . 7
5 Process for a privacy aware development of products and services . 7
5.1 Leadership and market intelligence . 7
5.2 Preparation . 7
5.3 Design . 7
5.3.1 Determination of DPbPP requirements . 7
5.3.2 Development . 7
5.3.3 Production and service provision . 7
5.3.4 Release of products and services . 7
5.4 Performance evaluation . 7
5.5 Improvement . 7
6 Basic requirements on the design of products and services . 8
6.1 Access . 8
6.1.1 Access to data . 8
6.1.2 Copy of data . 8
6.2 Accountability . 8
6.3 Accuracy . 8
6.4 Data de-identification . 8
6.5 Data minimization . 9
6.6 Data portability . 9
6.7 Confidentiality . 9
6.8 Erasure. 9
6.9 Fairness . 9
6.9.1 Determination of user age . 9
6.9.2 Configurable children age threshold . 9
6.10 Information security . 9
6.10.1 Unauthorized or unlawful processing . 9
6.10.2 Data loss . 9
6.10.3 Information protection targets . 9
6.10.4 Restore . 10
6.11 Lawfulness . 10
6.11.1 Data disclosure . 10
6.11.2 Consent . 10
6.12 Objection to processing . 10
6.13 Automated decision making . 10
6.14 Restriction of processing . 10
6.15 Storage limitation . 10
6.16 Transparency . 10
6.16.1 Information . 10
6.16.2 Record of processing activities . 10
7 Requirements to the self-declaration of privacy aware design . 11
7.1 Process requirements . 11
7.2 Preparation based on the product and service layer requirements . 11
7.3 Preparation additionally based on conduction of a DPIA . 11
7.4 Determination of the level of achievement . 11
7.5 Self-declaration statement . 11
Bibliography . 12

European foreword
This document (FprCEN/TR 18241:2025) has been prepared by Technical Committee CEN-CENELEC/JTC 13 “Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This document is currently submitted to the Vote on TR.
This document has been prepared under a Standardization Request given to CEN by the European
Commission and the European Free Trade Association, and supports essential requirements of
EU Directive(s) / Regulation(s).
Introduction
EN 17529 applies to all products and services in general, in order to achieve data protection and privacy
by design and by default. Its scope includes biometric access-control products and services. For this
specific category of products and services, this document adds information that explains how industry
can use EN 17529 in the case of biometric access-control pro
...
