EN 17799:2023
Personal data protection requirements for processing operations
This document specifies baseline requirements for demonstrating the compliance of processing activities with the European personal data protection normative framework, in accordance with EN ISO/IEC 17065. It does not, however, apply to products or management systems intended for processing personal data.
This document is applicable to all organizations which, as personal data controllers and/or processors, process personal data, and its objective is to provide a set of requirements enabling such organizations to conform effectively with the European personal data protection normative framework.
An organization can decide that the standard is applicable only to a specific subset of its processing activities if such a decision does not involve failure to conform with the European personal data protection normative framework.
This document also provides indications for conformity assessment with the aforementioned requirements.
Personal data protection requirements for processing operations (Slovenian abstract, translated)
This document specifies baseline requirements to support the data protection certification mechanism required by Article 42 of the General Data Protection Regulation, for demonstrating compliance in accordance with EN ISO/IEC 17065.
The document does not apply to products or management systems designed for processing personal data.
This document applies to all organizations which, as controllers and/or processors of personal data, process personal data; its objective is to provide a set of requirements supporting those organizations in demonstrating compliance with the EU normative framework for personal data protection.
This document applies to all of an organization's processing activities, or to a specific subset of those activities, provided that this decision does not entail non-conformity with the EU normative framework for personal data protection.
This document also provides indications for assessing conformity with the above requirements.
General Information
Standards Content (Sample)
SLOVENIAN STANDARD
1 April 2024
Personal data protection requirements for processing operations
Anforderungen an den Datenschutz bei Verarbeitungsvorgängen
Exigences de protection des données à caractère personnel pour les opérations de traitement
This Slovenian standard is identical to: EN 17799:2023
ICS:
03.160 Law. Administration
35.020 Information technology (IT) in general
Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
EUROPEAN STANDARD EN 17799
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2023
ICS 03.120.20; 03.160
English version
Personal data protection requirements for processing operations
Exigences de protection des données à caractère personnel pour les opérations de traitement
Anforderungen an den Datenschutz bei Verarbeitungsvorgängen
This European Standard was approved by CEN on 4 September 2023.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN 17799:2023 E
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 Overview . 7
5 Planning . 7
5.1 General. 7
5.2 Understanding the needs and expectations of interested parties . 7
5.3 Scope of personal data processing activities . 7
5.3.1 General. 7
5.3.2 Records of data processing activities . 8
5.3.3 Identification of the legal basis . 8
5.3.4 Data minimization . 9
5.3.5 Retention periods . 9
5.4 Policy for personal data protection . 9
5.5 Roles and responsibilities . 10
5.5.1 General. 10
5.5.2 Internal roles . 11
5.5.3 External roles . 11
5.6 Risk management . 12
5.6.1 General. 12
5.6.2 Data protection risk assessment and impact analysis . 12
5.6.3 Evaluation of the impact on data protection . 13
5.6.4 Risk treatment and treatment plan . 14
5.7 Personal data protection by design and by default . 14
6 Operational activities . 15
6.1 General. 15
6.2 Data protection notices and consent . 15
6.2.1 Data protection notices . 15
6.2.2 Consent . 15
6.3 Update of roles . 16
6.4 Personal data protection . 16
6.4.1 Erasure of data . 16
6.4.2 Implementation and maintenance of security measures . 16
6.4.3 Management of personal data breaches . 17
6.5 Data subjects’ requests for the application of their rights. 18
6.5.1 General. 18
6.5.2 Data access . 18
6.5.3 Correction . 18
6.5.4 Erasure. 19
6.5.5 Restriction of processing . 19
6.5.6 Data portability . 19
6.5.7 Objections . 19
6.5.8 Automated decisions, including profiling . 20
6.5.9 Complaints and appeals . 20
6.6 Training and awareness . 20
7 Control . 20
7.1 General . 20
7.2 Internal audits . 20
7.3 Periodical report. 21
7.4 Nonconformities and corrective actions . 22
Annex A (informative) Controllers and processors requirements mapping . 23
Bibliography . 25
European foreword
This document (EN 17799:2023) has been prepared by Technical Committee CEN/CLC/JTC 13
“Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by April 2024, and conflicting national standards shall be
withdrawn at the latest by April 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United
Kingdom.
Introduction
Personal data protection is regulated throughout the European Union by a body of law, the most important element of which is Regulation (EU) 2016/679 (hereafter referred to as the “Regulation” or “GDPR”). The Regulation governs the protection of natural persons with regard to the processing of personal data, but it does not contextualise that protection in a set of consequential or related activities.
Moreover, the Regulation provides for the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating that processing operations carried out by controllers and processors comply with the Regulation.
ISO/IEC 27701 has been adopted as an EN, and CEN/CLC/JTC 13 is undertaking a new work item on its “Refinements in European context”. Those efforts will also provide solid support for GDPR conformance and for alignment of the European data protection landscape with global norms. The focus of those standards is, however, fundamentally different, since they are aimed at a management system and not at services and processes, as the current document is.
1 Scope
This document specifies baseline requirements intended to support the data protection certification
mechanism requested by Article 42 of the GDPR to demonstrate compliance in accordance with
EN ISO/IEC 17065.
It does not however apply to products or management systems destined for processing personal data.
This document is applicable to all organizations which, as personal data controllers and/or processors, process personal data, and its objective is to provide a set of requirements supporting such organizations in demonstrating compliance with the EU personal data protection normative framework.
This document is applicable to all of an organization’s processing activities or to a specific subset of these
if such a decision does not involve failure to conform with the EU personal data protection normative
framework.
This document also provides indications for conformity assessment with the aforementioned
requirements.
2 Normative references
...