SIST-TP CEN/TR 16742:2015
Privacy aspects in ITS standards and systems in Europe
The proposed Technical Report will help the experts in the TC278 Working Groups to observe the EC-Directives 95/46/EC and 2002/58/EC concerning Data Protection. It will give guidance to the experts on how to deal with personal data and information, how to avoid their use and process, to get a valid consent for processing the data from the Data Subject (e.g. person), what processing comprises, the consequences of transmission of data to third parties and their purpose, the deletion of data and the access of the Data Subject to their data (content of the answer, time frame for the answer, expenses for the Data Subject) and the legal possibility for the Data Subject to object the former processing of their data. This spectrum of rights of the Data Subject and their privacy has to be observed and the proposed guide will give the support to the experts for understanding and solving the legal impacts of the EC Directives
Standards Content (Sample)
SLOVENIAN STANDARD
SIST-TP CEN/TR 16742:2015
1 February 2015
Privacy aspects in ITS standards and systems in Europe
Datenschutz Aspekte in ITS Normen und Systemen in Europa
Aspects de la vie privée dans les normes et les systèmes en Europe
This Slovenian standard is identical to: CEN/TR 16742:2014
ICS: 35.240.60 IT applications in transport and trade
SIST-TP CEN/TR 16742:2015 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
TECHNICAL REPORT
CEN/TR 16742
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
October 2014
ICS 35.240.60
English Version
Intelligent transport systems - Privacy aspects in ITS standards
and systems in Europe
Systèmes de transport intelligents - Aspects de la vie privée dans les normes et les systèmes en Europe
Intelligente Transportsysteme - Datenschutz Aspekte in ITS Normen und Systemen in Europa
This Technical Report was approved by CEN on 23 September 2014. It has been drawn up by the Technical Committee CEN/TC 278.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN/TR 16742:2014 E
CEN/TR 16742:2014 (E)
Contents (page)
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Terms and definitions ... 5
3 Symbols and abbreviated terms ... 7
4 Background information ... 8
4.1 Historical background ... 8
4.2 Legal background ... 9
4.3 Fundamental Rights of Data Protection and Privacy ... 10
5 Basic elements of data protection and privacy ... 12
5.1 Personal information (PI) and its avoidance ... 12
5.1.1 General ... 12
5.1.2 GPS-Data or GPS-Trajectories ... 15
5.2 Sensitive data ... 16
5.3 Individual or data subject ... 16
5.4 Controller ... 17
5.4.1 General ... 17
5.4.2 ITS environment ... 17
5.5 Processor ... 18
5.6 Third Party ... 19
5.7 File or filing system (manually or automatically processed) ... 19
5.8 Consent ... 19
5.9 Withdrawal of consent ... 21
5.10 Fairness and legitimacy ... 21
5.11 Determination of purpose ... 21
5.12 Minimization of PI ... 22
5.13 Topicality and correctness of PI ... 22
5.14 Time limits to PI ... 23
5.15 Security requirements to PI ... 23
5.16 Obligation to keep PI secret ... 24
5.17 Obligation to inform the data subject (Individual or legal entity) ... 24
5.18 Right (access) to PI ... 25
5.19 Right to rectification and erasure of PI ... 26
5.20 Right to objection ... 27
5.21 Video surveillance (VS) ... 28
5.22 Shift in the burden of proof ... 28
Annex A (informative) Examples of the principle of “cumulative interpretation” ... 30
Annex B (informative) Data privacy Framework, Directives and Guidelines ... 33
Annex C (informative) Security related International Standards ... 34
Foreword
This document (CEN/TR 16742:2014) has been prepared by Technical Committee CEN/TC 278 “Intelligent
transport systems”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
Introduction
This Technical Report is a guide for the developers of both ITS itself and its standards, since many types of
data are exchanged during the performance of ITS tasks, including in some cases personal data and
information. Such personal data or personal information (PI) is subject in its applications to special rules
defined in mandatory European Union (EU) directives, in a possible EU Regulation revising the EU data
protection Directives, or in national data protection law. In order to avoid an incorrect use of PI in any
standard or Technical Report, which could cause the application of that standard or Technical Specification
to be banned by the courts, this Technical Report gives the CEN/TC 278 Working Groups guidelines on how
to deal with PI in compliance with the legal rules.
Even though specific data privacy protection legislation is generally enacted through national legislation,
which varies from country to country, there exists a basic set of rules common to all European countries.
These common rules are defined in the European Directives 95/46/EC and 2002/58/EC in their current
versions. Countries that are not members of the European Union (Switzerland, Norway, Iceland etc.) have
issued national data protection laws which are very closely aligned with the European Directives. It should
also be noted that the European Directives on the protection of individuals (95/46/EC and 2002/58/EC) are
regarded as the strongest legal rules around the world.
This Technical Report builds on the content of ISO/TR 12859:2009 but extends its rules and
recommendations in order to be as compliant as is reasonable with the European Directives and some of the
national data protection laws. This means it is more specific, includes some recent developments and tries to
anticipate some of what the European Commission is preparing to include in a revised and reinforced
version of Directive 95/46/EC (the proposed EU Regulation on data protection, COM(2012)11 final,
2012/0011 (COD)).
1 Scope
This Technical Report gives general guidelines to developers of intelligent transport systems (ITS) and their
standards on data privacy aspects and the associated legislative requirements. It is based on the EU Directives
valid at the end of 2013. It is expected that the planned future enhancements of the Directives and the proposed
“General Data Protection Regulation”, including the Report of the EU Parliament of 2013-11-22
(P7_A(2013)0402), will not change this guide significantly.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
accountability
principle that individuals, organizations or the community are liable and responsible for their actions, may
be required to explain them to the data subject and others, and shall ensure that their actions comply with
the applicable measures, making compliance evident and providing the associated required disclosures
[SOURCE: ISO/IEC 24775:2011 Edition:2]
2.2
anonymity
characteristic of information, which prevents the possibility to determine directly or indirectly the identity of the
data subject
[SOURCE: ISO/IEC 29100:2011]
2.3
anonymisation
process by which personal information (PI) is irreversibly altered in such a way that an individual or a legal
entity can no longer be identified directly or indirectly, either by the controller alone or in collaboration with any
other party
[SOURCE: ISO/IEC 29100:2011]
2.4
anonymised PI
PI that has been subject to a process of anonymisation and that can no longer be used by any means to
identify an individual or legal entity
[SOURCE: ISO/IEC 29100:2011]
2.5
committing of PI
transfer of PI from the controller to a processor in the context of a commissioned work
2.6
consent
data subject's (individual's or legal entity's) explicitly or implicitly and freely given agreement to the processing
of its PI, given after the data subject has been completely informed, in a comprehensible form, about the
purpose, the legal basis and the third parties receiving the data subject's PI
2.7
controller
any natural or legal person, public authority, agency or any other body which, alone or jointly with others,
collects and/or processes PI and determines the purposes and means of its processing, regardless of whether
that person uses the PI itself or assigns the tasks to a processor; where the purposes and means of
processing are determined by national or Community laws or regulations, the controller or the specific criteria
for his nomination may be designated by national or Community law
[SOURCE: EU-Dir 95/46/EC Art 2 lit d]
2.8
data subject
any natural or legal person or association of persons whose PI is processed and who is not identical to the
controller, the processor or a third party
Note 1 to entry: ISO/IEC 29100 calls the person whose personal data are used the principal. The
above definition is the one used in the EU Directives.
2.9
identifiability
conditions which result in a data subject being identified, directly or indirectly, on the basis of a given set of PI
2.10
identify
establish the link between a data subject and its PI or a set of PI
2.11
identity
set of attributes which makes it possible to identify, contact or locate the data subject
[SOURCE: ISO/IEC 29100:2011]
2.12
personal information (PI)
any data or information related to an individual, a legal entity or an association of persons or individuals by
which the individual, legal entity or association of persons could be identified
Note 1 to entry: EU-Dir 95/46/EC, in its Art 2 lit. (a), names personal information “personal data” and defines
it as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one
who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors
specific to his physical, physiological, mental, economic, cultural or social identity”.
2.13
processor
natural person, legal entity or organization that processes PI on behalf of and in accordance with the
instructions of a PI controller and uses the PI only for the commissioned work
2.14
sub-processor
privacy stakeholder that processes PI on behalf of and in accordance with the instructions of a PI processor
2.15
privacy
right of a natural person or legal entity or association of persons acting on its own behalf, to determine the
degree to which the confidentiality of its personal information (PI) is maintained or disclosed to others
[SOURCE: ISO/IEC 24775:2011]
2.16
processing of PI
any operation or set of operations which is performed upon personal data, whether or not by automatic
means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction
[SOURCE: EU-Dir 95/46/EC Art 2 lit (b)]
2.17
sensitive data
any personal information related to a natural person revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union membership, health data or sex life; its processing is prohibited
except for closing circumstances
2.18
use of PI
action that comprises all kinds of operations with the set of PI or certain elements of it, meaning both
processing of PI and transmission of PI to a third party
2.19
processing PI
collecting, recording, storing, sorting, comparing, modification, interlinking, reproduction, consultation, output,
utilisation, committing, blocking, erasure or destruction, disclosure or any kind of operation with PI except the
transmission of PI to a third party
2.20
third party
any person or legal entity receiving PI of a data subject other than the data subject itself or the controller or
the processor
2.21
transmitting PI
transfer of PI to recipients other than the data subject, the controller or a processor, in particular publishing of
data as well as the use of data for another application purpose of the controller
3 Symbols and abbreviated terms
The following abbreviations are common to this document:
APEC Asia-Pacific Economic Cooperation
Art Article (clause in an EU Directive or similar document)
C-ITS Cooperative ITS
CoE Council of Europe
Dir Directive (as in EU Directive)
EC European Council
EU European Union
ITS Intelligent Transport Service
OECD Organization for Economic Co-operation and Development
para paragraph
PI Personal Information
RDB relational databases
UN United Nations
VS Video Surveillance
4 Background information
4.1 Historical background
At the time of the first codifications of rights (e.g. the ancient Hammurabi's Stone (1770 BC), the ancient Greek
law of Draco (621 BC, codification of existing law, abolition of vendetta), Solon's law reform (593 BC, general
discharge of debts, abolition of bonded labour, personal freedom of citizens structured in four classes),
Cleisthenes' law reform (507 BC, one homogeneous citizen class, extension of political participation), the ancient
Roman Law of the Twelve Tables (450 BC) and Justinian's Corpus Iuris Civilis (534 AD)) the basic rights of a person,
such as dignity, were seldom subject to regulation. The codifications served mainly the written declaration and
determination of basic rules for possession and property, related human actions, the solving of conflicts, the balance
of interests between the different positions of persons or the rights of domination of a sovereign, and some criminal
law for severe criminal acts.
The first written declaration of rights of freedom was the “Magna Carta Libertatum” of June 15th 1215
AD in England, by which John Lackland (1199 – 1216) granted the Church of England and the nobility
some privileges. This document additionally contains (par 39) the freedom of all free citizens. However, this
freedom of citizens was only put into practice some hundred years later. The “Magna Carta Libertatum” is
still valid constitutional law in Great Britain today.
The written rights of freedom of all citizens were confirmed indirectly in the “Habeas Corpus Act” (1679), and
the possibility of a fair defence of them before a court was established by the “Bill of Rights of England” (1689),
which was the model for the US Constitution.
The right of freedom and the dignity of a person were intensively discussed during the Age of Enlightenment
by Montesquieu, Rousseau, Voltaire, d'Alembert and Diderot, to mention the best known. However, the
sovereigns did not convert their ideas into law, because these ideas would have cut back their power.
Nevertheless, these ideas were written down in the “Virginia Declaration of Rights” of 1776 when the USA was
founded. It was followed by the “United States Bill of Rights” (1789) and the “Declaration of the Rights of Man and
of the Citizen” of the French Revolution on August 26, 1789. Their implementation and dissemination are well
known.
The following decades of the 19th and 20th centuries were characterized by revolutions rather than
evolutions of these ideas. However, it is worth mentioning that the Austrian General Civil Code (ABGB) of
1812 in its Clause 16 already declares: “All human beings have inborn rights, evident by reason alone, and are
therefore to be considered as persons.” At that time, this clause had constitutional character for the Habsburg
Empire, and it remains a central law in the Austrian legal system.
The two World Wars and especially the Nazi Regime forced the General Assembly of the United Nations to
proclaim on December 10, 1948 the “Universal Declaration of Human Rights”. Its Article 1 states:
“All human beings are born free and equal in dignity and rights. They are endowed with reason and
conscience and should act towards one another in a spirit of brotherhood.”
In 1949, the Federal Republic of Germany followed it in its Basic Law (constitution), of which Article 1
paragraph 1 declares:
“The dignity of man is untouchable. To respect and to protect it is the obligation of all state authority.”
In November 1950, the Council of Europe achieved further progress with its declaration of the “Convention for
the Protection of Human Rights and Fundamental Freedoms”. Some states raised it to the rank of constitutional
law (Austria, Liechtenstein, Norway, Switzerland, and the United Kingdom).
The European Charter of Fundamental Rights is the latest step in the development of the law on this
subject. It came into force on December 1st, 2009 and is now directly applicable law in all European
Member States. Article 1 of the Charter uses similar wording to the German Basic Law:
“The dignity of man is untouchable. It is to be respected and protected.”
Article 8 is of special interest for this Technical Report:
“Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person
concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which
has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”
It is clear from the above declarations of constitutional rights and the EU Charter that the
dignity of man is a central protected value. The protection of personal information is derived from dignity as a
further value. Dignity is protected by safeguards such as the principle of equal treatment, the ban on torture, and the
prohibition of discrimination (based on gender, descent, race, language, origin, faith, political opinion,
handicap or disability). The protection of personal information, however, is not possible by these usual means;
therefore, new means have been developed for it.
The very fast evolution of information technology compared to other developments brought up the need to
protect personal information and prevent its abuse. The reaction to this was a call for privacy principles, first
formulated in the report of the US Department of Health, Education and Welfare Advisory Committee on
Automated Personal Data Systems (July 1973). The report defined eight principles, the “Fair Information
Practice Principles (FIPPs)”.
This report became the foundation of the US Privacy Act of 1974, which regulates the handling of personal
data in US federal government databases. Hessen (Germany), Sweden, Austria and France formulated similar
principles in national privacy acts. These legal acts later led to the international guidelines promulgated by
the OECD, the Council of Europe, the International Labour Organization, the United Nations, the
European Union and APEC.
4.2 Legal background
All Member States of the European Union have transposed EU-Dir 95/46/EC and 2002/58/EC and their
amendments by Dir 2006/24/EC and Dir 2009/136/EC into their national laws. Data protection law is
therefore harmonized in the EU, but it is applied within each traditional national legal system, which creates differences in
the results for the same circumstances. The members of the standardization working groups have to observe
these differences.
The international rules are mainly
— the UN Universal Declaration of Human Rights (1948, binding for all member states);
— the European Convention for the Protection of Human Rights and Fundamental Freedoms (1950), now
renamed the “European Convention on Human Rights (ECHR)” (binding for all member states, especially
Art 8 for privacy);
— the OECD Recommendation concerning Protection of Privacy and Transborder Flow of Personal Data
(1980, not binding, only recommended);
— the CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal
Data (28/1/1981 published and entry into force 1/10/1985, binding for the CoE member states);
— EU-Dir 95/46/EC amended by EU-Dir 1882/2003, and EU-Dir 2002/58/EC amended by Dir 2006/24/EC
and Dir 2009/136/EC;
— the EU Charter of Fundamental Rights of the European Union (2000/C 364/01, in force since December 1st,
2009 and binding on all member states), and
— the APEC Privacy Framework (2005, not binding recommendation).
All these international rules are the basis for the ITS Directive EU Dir 2010/40/EU, Art 10, “Rules on privacy,
security and re-use of information” which requests:
“1. Member States shall ensure that the processing of personal data in the context of the operation of ITS
applications and services is carried out in accordance with Union rules protecting fundamental rights and
freedoms of individuals, in particular Directive 95/46/EC and Directive 2002/58/EC.
2. In particular, Member States shall ensure that personal data are protected against misuse, including
unlawful access, alteration or loss.
3. Without prejudice to paragraph 1, in order to ensure privacy, the use of anonymous data shall be
encouraged, where appropriate, for the performance of the ITS applications and services. Without prejudice to
Directive 95/46/EC personal data shall only be processed insofar as such processing is necessary for the
performance of ITS applications and services.
4. With regard to the application of Directive 95/46/EC and in particular where special categories of personal
data are involved, Member States shall also ensure that the provisions on consent to the processing of such
personal data are respected.
5. Directive 2003/98/EC shall apply.”
This is the legal basis for any work on ITS standards that involve the use of personal data and has to be taken
into account not only for the development of the standards but also for their implementation in
services and products.
4.3 Fundamental Rights of Data Protection and Privacy
Ten principles for data protection and privacy summarize the fundamental rights. They should be included in
the development of any standards that involve the use of personal data. 1)
The following principles are based on the eight Fair Information Practice Principles (FIPPs) accepted in
most parts of the world. In addition, experience from the past has led to the inclusion of two more principles,
the first (“Avoidance”) and the last (“Deletion”), and the eight principles are enhanced by adding the
controller alongside organizations, because not only organizations process data. A further change is the
replacement of “individual” by “data subject” and of “PII” by “PI”.
1) Rooted in the United States Department of Health, Education and Welfare's seminal 1973 report entitled Records,
Computers and the Rights of Citizens (1973), these principles are at the core of the U.S. Privacy Act of 1974 and are mirrored
in the laws of many U.S. states, as well as many foreign nations and international organizations. A number of private and non-
profit organizations have also incorporated these principles into their privacy policies.
In order to truly enhance privacy in the conduct of all IT and ITS-transactions, these 10 principles of
Information Practice Principles (TCIPPs) shall be universally and consistently adopted and applied in any
system which collects and uses PI from the very beginning up to the deletion of PI when it is no longer
needed. The way that PI is processed shall be considered as a chain of commands and not as single
commands applied in isolation from each other. “Privacy by Design” should be the dominating principle.
The 10 principles should be a widely accepted framework to be used in the evaluation and consideration of
systems, processes, or programs that affect individual privacy.
Articulated briefly, the 10 principles of Information Practice Principles (TFIPP) are:
Avoidance: Organizations or the controller should avoid collecting PI related to a data subject as far as possible, and
if avoidance is not possible, the collected data should be anonymised before processing. The collection and
usage should be covered by the free consent of the individual, a valid contract with the data subject, a
legal act, or a valid, non-appealable judgment of an accepted and legally defined court.
Transparency: Organizations or the controller should be transparent and provide notice to the data subject
regarding collection, use, dissemination, and maintenance of PI.
Individual Parti
...
SLOVENIAN STANDARD
kSIST-TP FprCEN/TR 16742:2014
1 July 2014
Privacy aspects in ITS standards and systems in Europe
Datenschutz Aspekte in ITS Normen und Systemen in Europa
Aspects de la vie privée dans les normes et les systèmes en Europe
This Slovenian standard is identical to: FprCEN/TR 16742
ICS: 35.240.60 IT applications in transport and trade
kSIST-TP FprCEN/TR 16742:2014 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
TECHNICAL REPORT
FINAL DRAFT
FprCEN/TR 16742
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
May 2014
ICS 35.240.60
English Version
Privacy aspects in ITS standards and systems in Europe
Aspects de la vie privée dans les normes et les systèmes en Europe
Datenschutz Aspekte in ITS Normen und Systemen in Europa
This draft Technical Report is submitted to CEN members for Technical Committee Approval. It has been drawn up by the Technical
Committee CEN/TC 278.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to
provide supporting documentation.
Warning: This document is not a Technical Report. It is distributed for review and comments. It is subject to change without notice and
shall not be referred to as a Technical Report.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. FprCEN/TR 16742:2014 E
FprCEN/TR 16742:2014 (E)
Contents (page)
1 Scope ... 5
2 Terms and definitions ... 5
3 Symbols and abbreviated terms ... 7
4 Background information ... 8
4.1 Historical background ... 8
4.2 Legal background ... 9
4.3 Fundamental Rights of Data Protection and Privacy ... 10
5 Basic elements of data protection and privacy ... 11
5.1 Personal information (PI) and its avoidance ... 11
5.1.1 GPS-Data or GPS-Trajectories ... 14
5.2 Sensitive data ... 15
5.3 Individual or data subject ... 16
5.4 Controller ... 17
5.4.1 ITS environment ... 17
5.5 Processor ... 17
5.6 Third Party ... 18
5.7 File or filing system (manually or automatically processed) ... 19
5.8 Consent ... 19
5.9 Withdrawal of consent ... 20
5.10 Fairness and legitimacy ... 20
5.11 Determination of purpose ... 21
5.12 Minimisation of PI ... 21
5.13 Topicality and correctness of PI ... 21
5.14 Time limits to PI ... 22
5.15 Security requirements to PI ... 22
5.16 Obligation to keep PI secret ... 23
5.17 Obligation to inform the data subject (Individual or legal entity) ... 23
5.18 Right (access) to PI ... 24
5.19 Right to rectification and erasure of PI ... 25
5.20 Right to objection ... 26
5.21 Video surveillance (VS) ... 27
5.22 Shift in the burden of proof ... 27
Annex A (informative) Examples of the principle of “cumulative interpretation” ... 29
Annex B (informative) Data privacy Framework, Directives and Guidelines ... 32
Annex C (informative) Security related International Standards ... 33
Foreword
This document (FprCEN/TR 16742:2014) has been prepared by Technical Committee CEN/TC 278
“Intelligent transport systems”, the secretariat of which is held by NEN.
This document is currently submitted to the Technical Committee Approval.
3
---------------------- Page: 5 ----------------------
kSIST-TP FprCEN/TR 16742:2014
FprCEN/TR 16742:2014 (E)
Introduction
This Technical Report is a guide for the developers of both ITS itself and its standards. Many types of data are
exchanged while an ITS performs its tasks, and in some cases these include personal data and information.
Such Personal Data or Personal Information (PI) is subject to special rules defined in mandatory European
Union (EU) directives, in a possible EU Regulation revising the EU Directives on Data Protection, or in national
data protection law. In order to avoid an incorrect use of PI in any standard or Technical Report, which could
cause the application of that standard or Technical Specification to be banned by the courts, this Technical
Report gives guidelines to the CEN TC278 Working Groups on how to deal with PI in compliance with the legal
rules.
Even though specific data privacy protection legislation is generally achieved through national legislation, and
this varies from country to country, there exists a basic set of rules which are common to all European
countries. These common rules are defined in the European Directives 95/46/EC and 2002/58/EC in their
current versions. Countries that are not members of the European Union (Switzerland, Norway, Iceland etc.)
have issued national data protection laws which are very closely aligned to the European Directives. It should
also be noted that the European Directives on the protection of individuals (95/46/EC and 2002/58/EC) are
regarded as the strongest legal rules in the world.
This Technical Report builds on the content of ISO/TR 12859:2009 but extends the rules and
recommendations in order to be as compliant as is reasonable with the European Directives and some of the
national data protection laws. This means it is more specific, includes some recent developments and tries to
reflect some of what the European Commission is preparing to include in a revised and enforced version of
Directive 95/46/EC (the proposed EU Regulation on data protection, COM(2012)11 final, 2012/0011 (COD)).
1 Scope
This Technical Report gives general guidelines to developers of intelligent transport systems (ITS) and their
standards on data privacy aspects and the associated legislative requirements. It is based on the EU Directives
valid at the end of 2013. It is expected that the planned future enhancements of the Directives and the proposed
“General Data Protection Regulation”, including the Report of the EU Parliament of 2013-11-22
(P7_A(2013)0402), will not change the guide significantly.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
accountability
principle that individuals, organizations or the community are liable and responsible for their actions, may be
required to explain them to the data subject and others, and shall comply with measures that make compliance
evident, together with the associated required disclosures
[SOURCE: ISO/IEC 24775:2011 Edition:2]
2.2
anonymity
characteristic of information which prevents the identity of the data subject from being determined, directly or
indirectly
[SOURCE: ISO/IEC 29100:2011]
2.3
anonymisation
process by which personal information (PI) is irreversibly altered in such a way that an Individual or a legal
entity can no longer be identified directly or indirectly either by the controller alone or in collaboration with any
other party
[SOURCE: ISO/IEC 29100:2011]
2.4
anonymised PI
PI that has been subject to a process of anonymisation and that by any means can no longer be used to
identify an Individual or legal entity
[SOURCE: ISO/IEC 29100:2011]
2.5
committing of PI
the transfer of PI from the controller to a processor in the context of a commissioned work
2.6
consent
an individual's or legal entity's (data subject's) freely given agreement, explicit or implicit, to the processing of its
PI, given after the data subject has been completely informed in advance, in a comprehensible form, about the
purpose, the legal basis and the third parties receiving the data subject’s PI
2.7
controller
any natural or legal person, public authority, agency or any other body which alone or jointly with others collects
and/or processes PI and determines the purposes and means of the processing, regardless of whether it uses
the PI itself or assigns the tasks to a processor; where the purposes and means of processing are determined
by national or Community laws or regulations, the controller or the specific criteria for his nomination may be
designated by national or Community law
[SOURCE: EU-Dir. 95/46/EC Art 2 lit d]
2.8
data subject
any natural or legal person or association of persons whose PI is processed and who is not identical to the
controller, the processor or a third party
Note 1 to entry: ISO/IEC 29100 uses the term “Principal” for the person whose personal data are used. The
above definition is the one used in the EU Directives.
2.9
identifiability
conditions which result in a data subject being identified, directly or indirectly, on the basis of a given set of PI
2.10
identify
establish the link between a data subject and its PI or a set of PI
2.11
identity
set of attributes which makes it possible to identify, contact or locate the data subject
[SOURCE: ISO/IEC 29100:2011]
2.12
personal information (PI)
any data or information related to an individual or legal entity or an association of persons or individuals by
which the individual or legal entity or association of persons could be identified
Note 1 to entry: EU-Dir 95/46/EC refers to personal information as “personal data” in its Art 2 lit. (a) and defines
it as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one
who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors
specific to his physical, physiological, mental, economic, cultural or social identity”.
2.13
processor
natural person or legal entity or organization that processes PI on behalf of and in accordance with the
instructions of a PI controller and uses the PI only for the commissioned work
2.14
sub-processor
privacy stakeholder that processes PI on behalf of and in accordance with the instructions of a PI processor
2.15
privacy
the right of a natural person or legal entity or association of persons acting on its own behalf, to determine the
degree to which the confidentiality of its personal information (PI) is maintained or disclosed to others
[SOURCE: ISO/IEC 24775:2011]
2.16
processing of PI
any operation or set of operations which is performed upon personal data, whether or not by automatic
means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction
[SOURCE: EU-Dir 95/46/EC Art 2 lit (b)]
2.17
sensitive data
any personal information related to a natural person revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union membership, health data or sex life; its processing is prohibited
except in closely defined circumstances
2.18
use of PI
any action encompassing all kinds of operations with the set of PI or certain elements of it, i.e. both the
processing of PI and the transmission of PI to a third party
2.19
processing PI
collecting, recording, storing, sorting, comparing, modifying, interlinking, reproducing, consulting, outputting,
utilising, committing, blocking, erasing or destroying, disclosing, or any other kind of operation with PI except
the transmission of PI to a third party
2.20
third party
any person or legal entity receiving PI of a data subject other than the data subject itself or the controller or
the processor
2.21
transmitting PI
the transfer of PI to recipients other than the data subject, the controller or a processor, in particular publishing
of data as well as the use of data for another application purpose of the controller
3 Symbols and abbreviated terms
The following abbreviations are used in this document:
APEC Asia-Pacific Economic Cooperation
Art Article (clause in an EU Directive or similar document)
C-ITS Cooperative ITS
Dir Directive (as in EU Directive)
EC European Council
EU European Union
ITS Intelligent Transport Service
OECD Organization for Economic Co-operation and Development
para paragraph
PI Personal Information
RDB relational databases
UN United Nations
VS Video Surveillance
4 Background information
4.1 Historical background
At the time of the first codifications of rights (e.g. the ancient stele of Hammurabi, the ancient Greek laws of
Draco and Solon, the ancient Roman Law of the Twelve Tables, Justinian’s CIC) the basic rights of a person,
such as dignity or freedom, were seldom the subject of regulation. The codifications served mainly the written
declaration and determination of basic rules for possession and property, related human actions, the solving of
conflicts, the balance of interests between persons in different positions or the rights of domination of a
sovereign, and some criminal law for severe criminal acts.
The first written declaration of rights of freedom was the “Magna Carta Libertatum” of 15 June 1215 in
England, by which John Lackland (1199 – 1216) granted the Church of England and the nobility some
privileges. This document additionally contains (par 39) the freedom of all free citizens. However, this
freedom of citizens was only realised in practice some hundreds of years later. The “Magna Carta Libertatum”
is still valid constitutional law in Great Britain today.
The written rights of freedom of all citizens were confirmed indirectly in the “Habeas Corpus Act” (1679), and
the possibility of a fair defence of them before a court by the “Bill of Rights of England” (1689), which was the
model for the US Constitution.
The right of freedom and the dignity of a person were intensively discussed during the Age of Enlightenment
by Montesquieu, Rousseau, Voltaire, d’Alembert and Diderot, to mention the best known. However, the
sovereigns did not convert these ideas into law, because the ideas would have cut back their power.
Nevertheless, these ideas were written down in the “Virginia Declaration of Rights” of 1776 when the USA was
founded. It was followed by the “United States Bill of Rights” (1789) and the “Declaration of the Rights of Man
and of the Citizen” of the French Revolution on August 26, 1789. Their impact and dissemination are well known.
The following decades of the 19th and 20th centuries were characterized by revolutions rather than
evolutions of these ideas. However, it is worth mentioning that the Austrian General Civil Code (ABGB) of
1812 in its Clause 16 already declares: “All human beings have inborn rights, evident by reason alone, and are
therefore to be considered as persons.” This clause had at that time constitutional character for the Habsburg
Empire and is a central law in the Austrian legal system.
The two World Wars, and especially the Nazi regime, led the General Assembly of the United Nations to
proclaim the “Universal Declaration of Human Rights” on December 10, 1948. Its Article 1 states:
“All human beings are born free and equal in dignity and rights. They are endowed with reason and
conscience and should act towards one another in a spirit of brotherhood.”
In 1949, the Federal Republic of Germany followed it in its Basic Law (constitution), of which Article 1
paragraph 1 declares:
“The dignity of man is untouchable. To respect and to protect it is the obligation of all state authority.”
In November 1950, the Council of Europe achieved further progress with its “Convention to protect Human
Rights and basic Freedom”. Some states elevated it to constitutional rights (Austria, Liechtenstein, Norway,
Switzerland, and the United Kingdom).
The European Charter of Fundamental Rights is the latest step in the development of the law on this
subject. It came into force on 1 December 2009 and is now directly applicable law in all European Member
States. Article 1 of the Charter uses wording similar to the German Basic Law:
“The dignity of man is untouchable. It is to be respected and protected.”
Article 8 is of special interest for this Technical Report:
“Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person
concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which
has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”
It is clear from the above declarations of constitutional rights and the EU Charter that the dignity of man is a
central protected value. The protection of personal information is derived as a further value out of dignity. Dignity
is protected by precautions like the principle of equal treatment, the ban on torture, and the prohibition of
discrimination (based on gender, descent, race, language, origin, faith, political opinion, handicap or disability).
However, the protection of personal information is not possible by these usual means; therefore, new means
have been developed for it.
The very fast evolution of information technology compared to other developments created the need to
protect personal information and prevent its abuse. The reaction to this was a call for privacy principles, first
formulated in the report of the US Department of Health, Education and Welfare Advisory Committee on
Automated Personal Data Systems (July 1973). The report defined eight principles, the “Fair Information
Practice Principles (FIPPs)”.
This report became the foundation for the US Privacy Act of 1974, which regulates the handling of personal
data in US federal government databases. Hessen/Germany, Sweden, Austria and France formulated similar
principles in national privacy acts. These legal acts later led to the international guidelines promulgated by
the OECD, the Council of Europe, the International Labour Organization, the United Nations, the European
Union and APEC.
4.2 Legal background
All Member States of the European Union have transposed EU-Dir. 95/46/EC and 2002/58/EC and their
amendments by Dir. 2006/24/EC and Dir. 2009/136/EC into their national laws. Data protection law is therefore
harmonized in the EU, but it is applied within each traditional national legal system, which creates differences
in the results for the same circumstances. The members of the standardization working groups have to observe
these differences.
The international rules are mainly
— the UN Universal Declaration of Human Rights (1948, binding for all member states),
— the European Convention for the Protection of Human Rights and Fundamental Freedoms (1950), now
renamed the “European Convention on Human Rights (ECHR)” (binding for all member states, especially
Art 8 on privacy),
— the OECD Recommendation concerning Protection of Privacy and Transborder Flow of Personal Data
(1980, not binding, only recommended),
— the CoE “Convention for the Protection of Individuals with regard to Automatic Processing of Personal
Data” (1981, binding for the CoE member states),
— EU Dir. 95/46/EC amended by EU-Dir. 1882/2003, and EU-Dir. 2002/58/EC amended by Dir. 2006/24/EC
and Dir. 2009/136/EC,
— the EU Charter of Fundamental Rights of the European Union (2000/C 364/01, in force since 1 December
2009), and
— the APEC Privacy Framework (2005, not binding recommendation).
All these international rules are the basis for the ITS Directive EU Dir 2010/40/EU, whose Art 10, “Rules on
privacy, security and re-use of information”, requires:
“1. Member States shall ensure that the processing of personal data in the context of the operation of ITS
applications and services is carried out in accordance with Union rules protecting fundamental rights and
freedoms of individuals, in particular Directive 95/46/EC and Directive 2002/58/EC.
2. In particular, Member States shall ensure that personal data are protected against misuse, including
unlawful access, alteration or loss.
3. Without prejudice to paragraph 1, in order to ensure privacy, the use of anonymous data shall be
encouraged, where appropriate, for the performance of the ITS applications and services. Without
prejudice to Directive 95/46/EC personal data shall only be processed insofar as such processing is
necessary for the performance of ITS applications and services.
4. With regard to the application of Directive 95/46/EC and in particular where special categories of personal
data are involved, Member States shall also ensure that the provisions on consent to the processing of
such personal data are respected.
5. Directive 2003/98/EC shall apply.”
This is the legal basis for any work on ITS standards that include the use of personal data, and it has to be
taken into account not only for the development of the standards but also for the implementation of the
standards in services and products.
4.3 Fundamental Rights of Data Protection and Privacy
Ten principles for data protection and privacy summarize the fundamental rights. They should be included in
the development of any standards that involve the use of personal data.
The following principles are based on the eight Fair Information Practice Principles (FIPPs) accepted in
most parts of the world.* In addition, experience from the past has led to the inclusion of two more principles,
the first (“Avoidance”) and the last (“Deletion”), and the eight principles are enhanced by adding the
controller alongside organizations, because not only organizations process data. A further change is the
replacement of “individual” by “data subject” and of “PII” by “PI”.
In order to truly enhance privacy in the conduct of all IT and ITS transactions, these ten Fair Information
Practice Principles (TFIPP) shall be universally and consistently adopted and applied in any system which
collects and uses PI, from the very beginning up to the deletion of the PI when it is no longer needed. The way
that PI is processed shall be considered as a chain of commands and not as single commands applied in
isolation from each other. “Privacy by Design” should be the dominating principle. The ten principles should be
a widely accepted framework to be used in the evaluation and consideration of systems, processes, or
programs that affect individual privacy.
* Rooted in the United States Department of Health, Education and Welfare's seminal 1973 report entitled Records,
Computers and the Rights of Citizens, these principles are at the core of the U.S. Privacy Act of 1974 and are mirrored
in the laws of many U.S. states, as well as many foreign nations and international organizations. A number of private and
non-profit organizations have also incorporated these principles into their privacy policies.
Articulated briefly, the ten Fair Information Practice Principles (TFIPP) are:
Avoidance: Organizations or the controller should avoid all PI related to a data subject as far as possible, and
if avoidance is not possible, the collected data should be anonymised before processing. The collection and
usage should be covered by freely given consent of the individual, or a valid contract with the data subject, or a
legal act, or a valid, non-appealable judgment of an accepted and legally defined court.
Transparency: Organizations or the controller should be transparent and provide notice to the data subject
regarding collection, use, dissemination, and maintenance of PI.
Individual Participation: Organizations or the controller should involve the data subject in the process of
using PI and, to the extent practicable, seek individual consent for the collection, use, dissemination, and
maintenance of PI. Organizations or the controller should also provide mechanisms for appropriate and easy
access, information, correction, deletion and redress regarding the use of PI.
Purpose Specification: Organizations or the controller should specifically articulate the authority that permits
the collection of PI, the purpose or purposes for which the PI is intended to be used, and to whom it is
disseminated.
Data Minimization: Organizations or the controller should only collect PI that is directly relevant and
necessary to accomplish the specified purpose(s) and only retain PI for as long as is necessary to
...