EN 17799:2023
Personal data protection requirements for processing operations
This document specifies baseline requirements for demonstrating processing activities compliance with the European personal data protection normative framework in accordance with EN ISO/IEC 17065. It does not however apply to products or management systems destined for processing personal data.
This document is applicable to all organizations which, as personal data controllers and/or processors, process personal data, and its objective is to provide a set of requirements enabling such organizations to conform effectively with the European personal data protection normative framework.
An organization can decide that the standard is applicable only to a specific subset of its processing activities if such a decision does not involve failure to conform with the European personal data protection normative framework.
This document also provides indications for conformity assessment with the aforementioned requirements.
Data protection requirements for processing operations (German abstract)
This document specifies the baseline requirements for demonstrating that processing activities conform to the European normative framework for the protection of personal data, in accordance with EN ISO/IEC 17065. It does not, however, apply to products or management systems intended for processing personal data.
This document applies to all organizations which, as controllers and/or processors, process personal data, and its objective is to provide a set of requirements enabling such organizations to conform effectively with the European normative framework for the protection of personal data.
An organization may decide that the standard applies only to a specific subset of its processing activities, provided that such a decision does not entail non-compliance with the European normative framework for the protection of personal data.
This document also provides indications for assessing conformity with the aforementioned requirements.
Personal data protection requirements for processing operations (French abstract)
This document specifies baseline requirements for demonstrating the conformity of processing activities with the European normative framework for the protection of personal data, in accordance with EN ISO/IEC 17065. It does not, however, apply to products or management systems intended for processing personal data.
This document applies to all organizations which, as controllers and/or processors, process personal data, and its objective is to provide a set of requirements enabling such organizations to conform effectively with the European normative framework for the protection of personal data.
An organization may decide that the standard applies only to a specific subset of its processing activities, provided that such a decision does not entail non-conformity with the European normative framework for the protection of personal data.
This document also provides indications for assessing conformity with the aforementioned requirements.
Personal data protection requirements for processing operations (Slovenian abstract)
This document specifies baseline requirements to support the data protection certification mechanism required by Article 42 of the General Data Protection Regulation, for demonstrating compliance in accordance with EN ISO/IEC 17065.
The document does not apply to products or management systems designed for processing personal data.
This document applies to all organizations which, as controllers and/or processors of personal data, process personal data, and its objective is to provide a set of requirements that support these organizations in demonstrating compliance with the EU normative framework on personal data protection.
This document applies to all of an organization's processing activities or to a specific subset of those activities, provided that this decision does not entail non-compliance with the EU normative framework on personal data protection.
This document also provides indications for assessing conformity with the requirements stated above.
General Information
Overview
EN 17799:2023 is a CEN European standard that defines baseline personal data protection requirements for processing operations. Intended for organisations acting as personal data controllers and/or processors, it supports demonstration of compliance with the European personal data protection normative framework (notably GDPR) and provides indications for conformity assessment in line with EN ISO/IEC 17065. EN 17799:2023 applies to processing activities (or a subset thereof) but does not apply to products or management systems destined for processing personal data.
Key topics and technical requirements
EN 17799 structures requirements across planning, operations and control. Key technical topics include:
- Records of processing activities (RoPA): documenting data flows, purposes, categories of data subjects, involved information systems and recipients.
- Legal basis identification: establishing and recording the lawful basis for each processing activity.
- Data minimization and retention: defining scope, minimisation measures and retention periods for personal data.
- Roles and responsibilities: internal and external roles (controllers, joint controllers, processors, DPOs) and governance of processing activities.
- Risk management and DPIA: data protection risk assessment, impact analysis and risk treatment plans.
- Data protection by design and by default: embedding privacy into services and processes from the outset.
- Operational controls: notices and consent, data erasure, security measures, breach management and incident response.
- Data subject rights: procedures for access, rectification, erasure, restriction, portability, objection, automated decisions and complaint handling.
- Awareness, training and audits: internal audits, periodic reporting, nonconformity handling and corrective actions.
- Annex A mapping: applicability mapping of clauses to controllers and processors.
Practical applications and who uses it
EN 17799 is designed for:
- Organisations processing personal data within the EU seeking a baseline framework to demonstrate GDPR conformance.
- Data protection officers (DPOs), compliance teams and privacy/legal teams preparing for certification under Article 42 GDPR.
- Process owners and IT/security teams implementing privacy controls such as DPIAs, data flow inventories and breach response.
Practical benefits include clearer documentation for audits, consistent treatment of data subject rights, strengthened risk-based controls and a standardized basis for conformity assessment and certification.
Related standards
- EN ISO/IEC 17065 - conformity assessment for certification schemes (referenced for certification mechanism).
- ISO/IEC 27000 series - information security management vocabulary and concepts (referenced).
- ISO/IEC 27701 - privacy information management (complementary management-system focus).
EN 17799 is a practical, actionable European standard to help organisations align processing operations with EU data protection requirements and support certification efforts.
Frequently Asked Questions
EN 17799:2023 is a standard published by the European Committee for Standardization (CEN). Its full title is "Personal data protection requirements for processing operations". This standard covers: This document specifies baseline requirements for demonstrating processing activities compliance with the European personal data protection normative framework in accordance with EN ISO/IEC 17065. It does not however apply to products or management systems destined for processing personal data. This document is applicable to all organizations which, as personal data controllers and/or processors, process personal data, and its objective is to provide a set of requirements enabling such organizations to conform effectively with the European personal data protection normative framework. An organization can decide that the standard is applicable only to a specific subset of its processing activities if such a decision does not involve failure to conform with the European personal data protection normative framework. This document also provides indications for conformity assessment with the aforementioned requirements.
EN 17799:2023 is classified under the following ICS (International Classification for Standards) categories: 03.120.20 - Product and company certification. Conformity assessment; 03.160 - Law. Administration. The ICS classification helps identify the subject area and facilitates finding related standards.
Standards Content (Sample)
SLOVENIAN STANDARD
1 April 2024
Zahteve za varstvo osebnih podatkov za postopke obdelave
Personal data protection requirements for processing operations
Anforderungen an den Datenschutz bei Verarbeitungsvorgängen
Exigences de protection des données à caractère personnel pour les opérations de traitement
This Slovenian standard is identical to: EN 17799:2023
ICS:
03.160 Law. Administration
35.020 Information technology (IT) in general
© 2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
EUROPEAN STANDARD EN 17799
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2023
ICS 03.120.20; 03.160
English version
Personal data protection requirements for processing operations
Exigences de protection des données à caractère personnel pour les opérations de traitement
Anforderungen an den Datenschutz bei Verarbeitungsvorgängen
This European Standard was approved by CEN on 4 September 2023.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN 17799:2023 E
Contents (page)
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 Overview . 7
5 Planning . 7
5.1 General . 7
5.2 Understanding the needs and expectations of interested parties . 7
5.3 Scope of personal data processing activities . 7
5.3.1 General . 7
5.3.2 Records of data processing activities . 8
5.3.3 Identification of the legal basis . 8
5.3.4 Data minimization . 9
5.3.5 Retention periods . 9
5.4 Policy for personal data protection . 9
5.5 Roles and responsibilities . 10
5.5.1 General . 10
5.5.2 Internal roles . 11
5.5.3 External roles . 11
5.6 Risk management . 12
5.6.1 General . 12
5.6.2 Data protection risk assessment and impact analysis . 12
5.6.3 Evaluation of the impact on data protection . 13
5.6.4 Risk treatment and treatment plan . 14
5.7 Personal data protection by design and by default . 14
6 Operational activities . 15
6.1 General . 15
6.2 Data protection notices and consent . 15
6.2.1 Data protection notices . 15
6.2.2 Consent . 15
6.3 Update of roles . 16
6.4 Personal data protection . 16
6.4.1 Erasure of data . 16
6.4.2 Implementation and maintenance of security measures . 16
6.4.3 Management of personal data breaches . 17
6.5 Data subjects’ requests for the application of their rights . 18
6.5.1 General . 18
6.5.2 Data access . 18
6.5.3 Correction . 18
6.5.4 Erasure. 19
6.5.5 Restriction of processing . 19
6.5.6 Data portability . 19
6.5.7 Objections . 19
6.5.8 Automated decisions, including profiling . 20
6.5.9 Complaints and appeals . 20
6.6 Training and awareness . 20
7 Control . 20
7.1 General . 20
7.2 Internal audits . 20
7.3 Periodical report . 21
7.4 Nonconformities and corrective actions . 22
Annex A (informative) Controllers and processors requirements mapping . 23
Bibliography . 25
European foreword
This document (EN 17799:2023) has been prepared by Technical Committee CEN/CLC/JTC 13
“Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by April 2024, and conflicting national standards shall be
withdrawn at the latest by April 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United
Kingdom.
Introduction
Personal data protection is regulated throughout the European Union according to laws, the most important
of which is the EU Regulation 2016/679 (hereafter referred to as “Regulation” or “GDPR”). This regulates
the protection of natural persons with regard to the processing of personal data but does not
contextualise it in a set of consequential or related activities.
Moreover, the Regulation refers to the establishment of data protection certification mechanisms and of
data protection seals and marks, for the purpose of demonstrating compliance with the regulation of
processing operations by controllers and processors.
ISO/IEC 27701 has been adopted as an EN, and CEN/CLC JTC 13 is undertaking a new work item on its
“Refinements in European context”. Those efforts will also provide a solid support for GDPR conformance
and alignment of the European data protection landscape with global norms. The focus of those standards
is however fundamentally different since they are aimed at a management system and not to services and
processes as the current document.
1 Scope
This document specifies baseline requirements intended to support the data protection certification
mechanism requested by Article 42 of the GDPR to demonstrate compliance in accordance with
EN ISO/IEC 17065.
It does not however apply to products or management systems destined for processing personal data.
This document is applicable to all organizations which, as personal data controllers and/or processors,
process personal data, and its objective is to provide a set of requirements supporting such organizations
in demonstrating compliance with the EU personal data protection normative framework.
This document is applicable to all of an organization’s processing activities or to a specific subset of these
if such a decision does not involve failure to conform with the EU personal data protection normative
framework.
This document also provides indications for conformity assessment with the aforementioned
requirements.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2020, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000:2020 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1
impact
data protection impact
anything that has an effect on the protection of a data subject and/or group of data subjects
[SOURCE: ISO/IEC 27557]
3.2
consequence
outcome of an event affecting organizational objectives
[SOURCE: ISO/IEC 27557]
4 Overview
This document specifies baseline requirements for the processing of personal data so that an
organization, whether controller or processor, is effectively supported when demonstrating compliance
with EU and applicable national personal data protection normative framework. The separation between
controller and processor activities is based on the requirements within the aforementioned normative
framework.
This document is completed by Annex A which summarizes the applicability of the document clauses to
controllers and processors.
NOTE This document can’t provide direct coverage of all the requirements within EU and applicable national
personal data protection normative framework but is structured to contribute establishing a baseline to allow their
effective fulfilment.
5 Planning
5.1 General
This clause sets out the activities which a controller or processor shall perform, in order to carry out
processing activities aiming at the protection of personal data in a systematic and organized way. Those
activities shall be performed periodically or after relevant changes such as modifications to the applicable
legislation or corporate organization, structural changes in information technology or its characteristics.
NOTE All seven principles listed within article 5 of the Regulation are considered within this and following
chapters, inside dedicated paragraphs or spread in other.
5.2 Understanding the needs and expectations of interested parties
The controller or, where applicable and consistent with the circumstances of the data processing, the
processor shall determine:
a) all interested parties involved in personal data processing activities, including data subjects,
processors and controllers; and
b) the requirements of such interested parties related to personal data processing activities;
c) the mandatory requirements of any applicable legislation and the contractual obligations.
5.3 Scope of personal data processing activities
5.3.1 General
The controller shall determine the limits and applicability of the personal data processing, documenting:
records of data processing activities, their legal basis, the physical locations, organizational structure
(including all interested parties identified in 5.2), information systems and other relevant involved
supporting assets.
5.3.2 Records of data processing activities
The controller or processor shall, to the extent of their applicable responsibilities, identify the personal
data and their flow related to each processing and shall keep them updated in personal data processing
activity records. In particular, the controller or processor shall establish and maintain up-to-date records
of data processing activities identifying:
1) the name and contact details of the controller of the processing and, where applicable, of the joint
controller and the data protection officer;
2) the processes which use personal data;
3) the sources from which personal data originate (only applicable to controllers);
4) the categories of data subjects and personal data being processed (only applicable to controllers);
5) the categories of processing carried out on behalf of each controller (only applicable to processors);
6) the identified legal basis for the processing (see 5.3.3) (only applicable to controllers);
7) the purposes of the processing (only applicable to controllers);
8) the categories of recipients of personal data, including categories of third parties;
10) the information systems involved in the storage of personal data;
11) the general description of technical and organisational security measures used to protect personal
data (ensuring the existence of this description is not itself a security hazard);
12) any transfers of personal data to third parties, international organizations or other countries;
13) the retention period of personal data or the criteria used for determining such period and the type
of measures taken at the end of the period;
14) the physical locations where processing takes place.
NOTE This section is intended to support article 30 of the Regulation.
5.3.3 Identification of the legal basis
The controller shall identify the legal basis for the processing of personal data and communicate them to
the data subjects. The controller shall document the legal basis.
NOTE 1 Article 6 of the Regulation specifies the acceptable legal basis for processing personal data.
When special categories of personal data are processed, the controller shall identify, communicate and
document the legal basis for the processing of personal data.
NOTE 2 Article 9 of the Regulation specifies the acceptable legal basis for processing special categories of
personal data.
5.3.4 Data minimization
The controller shall, for all processing, always ensure that:
a) the organization processes the minimum quantity of personal data necessary to fulfil its legitimate
purposes;
b) any other personal data which is not relevant are not gathered unless the provision of such
information is optional and only processed with the consent of the data subject;
c) new systems and processes involving processing of personal data are reviewed as early as during the
design phase in order to guarantee that the processed information is relevant, adequate and limited
to what is necessary in relation to the purposes for which they are processed;
d) any processing activity and the relevant purposes are only performed according to the data
protection notice (see 6.2.1).
5.3.5 Retention periods
Retention periods of personal data, or, where not possible, the criteria used to determine those periods,
shall be:
a) defined by the controller considering the effective need for the purposes of processing and the
periods indicated in the applicable requirements and in the purposes of the processing; and
b) declared in the relevant data protection notices.
The controller shall keep documentation regarding the justifications leading to the definition of such
periods.
NOTE ISO/IEC 27555 “Guidelines on personally identifiable information deletion” contains guidance on how
to select and implement retention periods.
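The record items of 5.3.2, the legal-basis duties of 5.3.3 and the retention duties of 5.3.5 can be turned into an automatable check over a records-of-processing inventory. The following is an added example, not text or code from EN 17799 or CEN: the field names, the role labels and the sample records are constructed, and the Article 6 basis list is taken from GDPR Article 6(1).

```python
"""RoPA record checker. Added example, not text or code from EN 17799 or CEN:
field names, role labels and the sample records below are constructed."""
from __future__ import annotations

# Items of 5.3.2 mapped to constructed field names and the roles the standard
# marks them applicable to ("only applicable to controllers/processors").
ROPA_ITEMS = {
    "controller_contact":      ("item 1", {"controller", "processor"}),
    "processes":               ("item 2", {"controller", "processor"}),
    "sources":                 ("item 3", {"controller"}),
    "data_subject_categories": ("item 4", {"controller"}),
    "processing_categories":   ("item 5", {"processor"}),
    "legal_basis":             ("item 6", {"controller"}),
    "purposes":                ("item 7", {"controller"}),
    "recipient_categories":    ("item 8", {"controller", "processor"}),
    "storage_systems":         ("item 10", {"controller", "processor"}),
    "security_measures":       ("item 11", {"controller", "processor"}),
    "transfers":               ("item 12", {"controller", "processor"}),
    "retention":               ("item 13", {"controller", "processor"}),
    "locations":               ("item 14", {"controller", "processor"}),
}

# GDPR Article 6(1)(a) to (f) legal bases, referenced by NOTE 1 of 5.3.3.
ARTICLE_6_BASES = {"consent", "contract", "legal_obligation",
                   "vital_interests", "public_task", "legitimate_interests"}


def _recorded(value) -> bool:
    """An item is recorded when a value was set; an explicit empty list
    (for example no transfers) still counts as recorded."""
    return value is not None and value != ""


def check_record(record: dict, role: str) -> list[str]:
    """Return findings for one record kept by a 'controller' or 'processor'.
    An empty list means the record covers what 5.3.2, 5.3.3 and 5.3.5 ask
    of that role."""
    if role not in ("controller", "processor"):
        raise ValueError(f"unknown role: {role}")
    findings: list[str] = []
    name = record.get("name", "<unnamed>")

    # 5.3.2: every item applicable to this role must be present in the record.
    for fld, (item, roles) in ROPA_ITEMS.items():
        if role in roles and not _recorded(record.get(fld)):
            findings.append(f"{name}: missing {fld} (5.3.2 {item})")

    if role == "controller":
        # 5.3.3: the documented legal basis must be one that Article 6 admits.
        basis = record.get("legal_basis")
        if _recorded(basis) and basis not in ARTICLE_6_BASES:
            findings.append(f"{name}: {basis!r} is not an Article 6 legal basis (5.3.3)")
        # 5.3.3: special categories need their own documented Article 9 basis.
        if record.get("special_categories") and not _recorded(record.get("special_category_basis")):
            findings.append(f"{name}: special categories without Article 9 basis (5.3.3)")
        # 5.3.5: a period or, failing that, criteria; a kept justification;
        # and a declaration in the data protection notice.
        ret = record.get("retention") or {}
        if not (_recorded(ret.get("period_days")) or _recorded(ret.get("criteria"))):
            findings.append(f"{name}: retention has neither period nor criteria (5.3.5 a)")
        if not _recorded(ret.get("justification")):
            findings.append(f"{name}: retention justification not documented (5.3.5)")
        if not ret.get("declared_in_notice"):
            findings.append(f"{name}: retention not declared in the notice (5.3.5 b)")
    return findings


# Constructed sample records (not real processing activities).
CONTROLLER_OK = {
    "name": "newsletter", "controller_contact": "privacy@example.test",
    "processes": ["subscribe", "send"], "sources": ["web form"],
    "data_subject_categories": ["subscribers"], "legal_basis": "consent",
    "purposes": ["marketing e-mail"], "recipient_categories": ["e-mail provider"],
    "storage_systems": ["crm-db"], "security_measures": "TLS, role-based access",
    "transfers": [], "locations": ["EU data centre"],
    "retention": {"period_days": 730, "justification": "two campaign cycles",
                  "declared_in_notice": True},
}
# Wrong legal basis, special categories without an Article 9 basis, and a
# retention period with no kept justification: three findings expected.
CONTROLLER_BAD = dict(CONTROLLER_OK, name="health-survey", legal_basis="marketing",
                      special_categories=True,
                      retention={"period_days": 365, "declared_in_notice": True})
# Processor record lacking item 5 (categories of processing): one finding.
PROCESSOR_INCOMPLETE = {
    "name": "payroll-hosting", "controller_contact": "client dpo",
    "processes": ["store", "backup"], "recipient_categories": ["none"],
    "storage_systems": ["db-cluster"], "security_measures": "encryption at rest",
    "transfers": [], "retention": {"criteria": "per client contract"},
    "locations": ["DE"],
}

if __name__ == "__main__":
    for rec, role in ((CONTROLLER_OK, "controller"), (CONTROLLER_BAD, "controller"),
                      (PROCESSOR_INCOMPLETE, "processor")):
        print(rec["name"], check_record(rec, role))
```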
5.4 Policy for personal data protection
The controller’s or processor’s top management shall establish a policy for personal data protection
which:
a) is consistent with the purposes of the organization;
b) provides a reference framework for setting objectives for the protection of personal data;
c) includes a commitment to fulfil applicable requirements for the protection of personal data in
compliance with the present document and with the reference personal data protection normative
framework;
d) includes a commitment to continuously improve the protection of personal data;
e) is suitable for the organization and its geographical location, the architecture and connection of the
networks and IT systems and the existing policies concerning the exchange of data.
The policy for personal data protection shall:
— be documented;
— be communicated within the organization;
— be made available possibly in a summary form to all relevant interested parties, external and internal,
involved in the processing of personal data; and
— be periodically reviewed and updated if necessary.
The policy for personal data protection shall address the coverage of all processing of personal data of
data subjects (see applicable legislation for additional information).
5.5 Roles and responsibilities
5.5.1 General
The controller’s or processor’s top management shall ensure that the responsibilities and authority of the
relevant roles are assigned and communicated.
The controller’s or processor’s top management shall assign the responsibilities and authority in order
to:
a) ensure that the activities regarding the processing of personal data conform with this document and
with the personal data protection normative framework; and
b) report the results of such activities to the top management.
Responsibilities shall be duly assigned for:
c) monitoring the compliance of the policy for personal data protection with the personal data
protection normative framework (see applicable legislation for additional information);
d) implementing the objectives for the protection of personal data, including those defined in the
practice regarding the processing of personal data set out or specified in any code of conduct
applicable to the organization;
e) managing the training program and creating awareness;
f) assigning authorizations for the processing of personal data;
g) defining and approving the following documented procedures for processing personal data:
1) gathering and processing of personal data;
2) management and communication of information regarding personal data protection;
3) processing of requests made by data subjects;
4) management of complaints;
5) management of personal data breaches;
6) management of suppliers and other third parties;
7) controls and any transfers of personal data to third parties or international organizations; and
8) monitoring of normative updates and legal developments concerning personal data protection.
5.5.2 Internal roles
5.5.2.1 Data protection manager
At least one member of the controller’s or processor’s management shall be designated as person in
charge of data protection matters for personal data processing activities within the organization to
manage compliance with the data protection requirements and best practices.
prEN 17740 defines competence requirements applicable to the profile and its main characteristics.
5.5.2.2 Data protection officer
If a controller or a processor is required to nominate a data protection officer (article 37 of the
Regulation) or decides to do so owing to specific organizational needs, it shall nominate an adequately
qualified person.
NOTE 1 The assignment of the person’s role is described in article 38 of the Regulation.
NOTE 2 The data protection officer can be internal or external to the organization which nominates it.
The contact details of the data protection officer shall be communicated to the competent supervisory
authority and included in the data protection notices (see 6.2.1).
The data protection officer, or if such figure does not exist, an adequately qualified person, shall ensure
the execution of the assigned tasks.
NOTE Data protection officer’s fundamental tasks are set out in article 39 of the Regulation.
prEN 17740 defines competence requirements applicable to the profile and its main characteristics.
5.5.2.3 Persons authorized to process personal data
Persons authorized to process personal data within a controller’s or processor’s organization shall be
made aware of their role in the processing of this personal data, and of the appropriate procedures that
they need to work within. They shall also be made aware of the consequences of non-compliance with
the organization’s data protection policies and of not implementing these procedures.
5.5.3 External roles
5.5.3.1 Processors
Interested parties, as defined in 5.2 a), including suppliers or partners, undertaking processing on behalf
of the controller or of another processor without, however, determining the purposes and means of
processing of personal data, shall:
a) demonstrate their capacity to ensure the implementation of technical and organizational measures
which are adequate for the personal data protection (see the following paragraph) and of their
respect for the personal data protection normative framework;
b) possess a contract or other legal act with the organization (controller and processor, as the case may
be), conforming at least with the following clauses:
1) processing the personal data only on documented instructions from the controller;
2) ensuring that persons authorized to process the personal data are committed to respect data
confidentiality;
3) not engaging another processor without written authorization by the controller;
4) applying the same data protection obligations set out in the contract or other legal act to their
processors;
5) assisting the controller in ensuring compliance with the obligations on data breach notification,
communication, data protection impact assessment and prior consultation as applicable;
6) deleting or returning all the personal data to the controller after the end of the contract or legal
act unless retention is required by law;
7) making available to the controller all information necessary to demonstrate compliance with
their obligations, also allowing and contributing to audits and inspections by the controller.
NOTE Article 28 of the Regulation defines the processor’s role.
5.6 Risk management
5.6.1 General
The controller or processor shall consider the requirements set out in 5.2 and shall periodically
determine the risks and opportunities that they face in order to prevent or reduce undesired impact on
the rights and freedoms of natural persons.
5.6.2 Data protection risk assessment and impact analysis
The controller or processor shall define risk assessment and impact analysis o
...
The standard EN 17799:2023 sets out baseline requirements for demonstrating that processing activities comply with the European personal data protection normative framework. This document is applicable to all organizations that process personal data as personal data controllers and/or processors, and it provides requirements that enable such organizations to comply effectively with the European personal data protection normative framework. One of the main strengths of the standard is the flexibility that lets an organization decide to apply it only to specific processing activities. This decision is possible where it does not involve a failure to comply with the European personal data protection normative framework, which allows a tailored approach suited to each organization's characteristics. In addition, EN 17799:2023 provides guidance on methods for assessing conformity with the requirements, establishing a basis on which organizations can objectively verify whether they meet them. In this respect, the standard helps minimize legal liability and maximize data protection. In conclusion, the EN 17799:2023 standard is a very important document that provides a strong framework in line with the European personal data protection normative framework and helps organizations that process personal data adopt trustworthy data management practices.
The standard EN 17799:2023 is an essential guide for organizations that process personal data. Its scope is clearly defined: it sets out baseline requirements for demonstrating conformity with the European normative framework for data protection in accordance with EN ISO/IEC 17065. This is particularly relevant because expectations regarding the protection of personal data are continuously rising, and organizations act both as data controllers and as data processors. An outstanding feature of this standard is its flexibility. Organizations can decide that the standard applies only to specific subsets of their processing activities, as long as this does not lead to a failure to conform with the European data protection framework. This option allows companies to target the requirements at the most relevant areas, which eases implementation of the provisions. The strength of the standard also lies in its clear guidelines for conformity assessment. This guidance makes it possible to trace the relevant requirements and to ensure that all processed personal data are adequately protected. This not only strengthens customer trust but also minimizes the risk of data protection breaches. Furthermore, the standard is particularly relevant in the context of the constantly evolving data protection legal landscape in Europe. It addresses the needs of organizations and offers a structured approach to ensuring that data protection requirements are effectively integrated into business processes. Overall, EN 17799:2023 is a significant instrument for organizations that want to meet the challenges of data protection while fulfilling the requirements of European standards.
The standard not only offers clarity and structure but also contributes significantly to ensuring the protection of personal data.
SIST EN 17799:2024 is a standards document that sets out requirements for the processing of personal data, and it specifies baseline requirements for demonstrating the compliance of processing activities with the European personal data protection normative framework. This standard is based on EN ISO/IEC 17065 and is notable in that it does not apply to products or management systems intended for processing personal data. This document is applicable to all organizations that are controllers or processors of personal data, and it is designed to enable organizations to conform effectively with the European personal data protection normative framework by providing an easy-to-understand set of requirements. In particular, it also includes guidance for conformity assessment against the requirements the standard imposes, and a major strength is that organizations can flexibly decide whether to apply the standard within the scope of their own processing activities. The strength of this standard lies in offering flexibility according to an organization's needs while specifying concrete steps for meeting personal data protection requirements. In addition, the standard is based on European law and offers the reassurance of alignment with international data protection best practices. Overall, SIST EN 17799:2024 provides clear and practical guidelines for the compliance challenges faced by all organizations that process personal data, and can be called an essential standard for ensuring consistency with the European personal data protection normative framework.
The standard EN 17799:2023 establishes a comprehensive framework for personal data protection requirements specifically tailored for processing operations. It delineates baseline requirements essential for organizations to demonstrate compliance with the European personal data protection normative framework. This alignment with EN ISO/IEC 17065 further enhances its credibility and applicability. One of the primary strengths of this standard is its wide applicability; it caters to all organizations acting as personal data controllers and/or processors. This inclusiveness ensures that a diverse range of entities can adopt the standard, thereby increasing overall compliance with European data protection laws. By providing a clear set of requirements, EN 17799:2023 enables organizations to effectively navigate the complexities of personal data processing while adhering to legal obligations. The document also empowers organizations with the flexibility to apply these requirements selectively to specific subsets of processing activities, allowing for practical implementation without compromising compliance. This consideration for diverse operational scales and contexts enhances its relevance in real-world applications. Additionally, the standard offers guidance on conformity assessment, which is crucial for organizations seeking to validate their compliance with the outlined requirements. This feature not only promotes transparency but also facilitates external audits and assessments, thereby reinforcing trust in the organization's data protection practices. In conclusion, EN 17799:2023 stands out as a robust standard that addresses the critical need for personal data protection in processing operations. Its focus on compliance with the European personal data protection normative framework, combined with its practical applicability and guidance on conformity assessment, makes it an invaluable resource for organizations committed to safeguarding personal data.
The document SIST EN 17799:2024 provides clear and detailed requirements concerning the protection of personal data during processing operations. The scope of the standard is essential, since it establishes baseline requirements for demonstrating the conformity of processing activities with the European normative framework for personal data protection, in accordance with EN ISO/IEC 17065. This makes it a valuable tool for all organizations acting as controllers or processors of personal data. One of the main strengths of this standard lies in its ability to adapt to different types of organizations. Whether a large company or a small structure, each organization has the option of applying the requirements of the standard only to a specific subset of its processing activities, provided this does not compromise conformity with the European normative framework. This flexibility makes it possible to adjust the application of the standard to the specific needs of the organization and its level of maturity in data protection. In addition, the document offers clear guidelines for assessing conformity with the specified requirements. This helps to strengthen transparency and accountability within organizations that process personal data, by enabling them to establish compliant and secure processing practices. This is particularly relevant in the current context where data protection is a priority for consumers and regulators. Overall, SIST EN 17799:2024 constitutes a relevant and necessary reference for any organization wishing to ensure that it meets personal data protection requirements. Its relevance in the current landscape of data protection regulation in Europe reinforces its importance for actors in the sector.