iTeh Standards logo
EURUSD
Your shopping cart is empty.
SIST

SIST ISO 31700-1:2024

(Main)

Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements

Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements

This document establishes high-level requirements for privacy by design to protect privacy throughout the lifecycle of a consumer product, including data processed by the consumer.
This document does not contain specific requirements for the privacy assurances and commitments that organizations can offer consumers nor does it specify particular methodologies that an organization can adopt to design and-implement privacy controls, nor the technology that can be used to operate such controls.

Protection des consommateurs — Respect de la vie privée assuré dès la conception des biens de consommation et services aux consommateurs — Partie 1: Exigences de haut niveau

Varstvo potrošnikov - Vgrajena zasebnost za potrošniško blago in storitve - 1. del: Zahteve na visoki ravni

Ta dokument določa zahteve na visoki ravni za vgrajeno zasebnost za varovanje zasebnosti v celotnem življenjskem ciklu potrošniškega proizvoda, vključno s podatki, ki jih obdeluje potrošnik.
Ta dokument ne vključuje posebnih zahtev za zagotovila in zaveze glede zasebnosti, ki jih lahko organizacije ponudijo potrošnikom, in ne določa posebnih metod, ki jih lahko organizacija sprejme pri načrtovanju in izvajanju nadzora področja spoštovanja zasebnosti, kot tudi ne tehnologije, ki jo je mogoče uporabiti pri upravljanju tovrstnega nadzora.

General Information

Status
Published
Publication Date
19-Mar-2024
ICS
03.080.30 - Services for consumers
03.100.01 - Company organization and management in general
Technical Committee
I12 - Imaginarni 12 Imaginarni TC za ISO področje - vzdrževani privzeti ISO standardi
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
13-Mar-2024
Due Date
18-May-2024
Completion Date
20-Mar-2024
Ref Project
ISO 31700-1:2023 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements
SIST ISO 31700-1:2024SIST ISO 31700-1:2024
PreviousNext
Standard
SIST ISO 31700-1:2024
English language
45 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
ISO 31700-1:2023 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements Released:1/31/2023ISO 31700-1:2023 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements Released:1/31/2023
PreviousNext
Standard
ISO 31700-1:2023 - Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements Released:1/31/2023
English language
37 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


SLOVENSKI STANDARD
01-maj-2024
Varstvo potrošnikov - Vgrajena zasebnost za potrošniško blago in storitve - 1. del:
Zahteve na visoki ravni
Consumer protection — Privacy by design for consumer goods and services — Part 1:
High-level requirements
Protection des consommateurs — Respect de la vie privée assuré dès la conception des
biens de consommation et services aux consommateurs — Partie 1: Exigences de haut
niveau
Ta slovenski standard je istoveten z: ISO 31700-1:2023
ICS:
03.080.30 Storitve za potrošnike Services for consumers
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

INTERNATIONAL ISO
STANDARD 31700-1
First edition
2023-01
Consumer protection — Privacy
by design for consumer goods and
services —
Part 1:
High-level requirements
Protection des consommateurs — Respect de la vie privée assuré
dès la conception des biens de consommation et services aux
consommateurs —
Partie 1: Exigences de haut niveau
Reference number
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword . vi
Introduction .vii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General . 8
4.1 Overview . 8
4.2 Designing capabilities to enable consumers to enforce their privacy rights . 9
4.2.1 Requirement . 9
4.2.2 Explanation . 9
4.2.3 Guidance . 10
4.3 Developing capability to determine consumer privacy preferences . 10
4.3.1 Requirement . 10
4.3.2 Explanation . 11
4.3.3 Guidance . 11
4.4 Designing human computer interface (HCI) for privacy . 11
4.4.1 Requirement . 11
4.4.2 Explanation .12
4.4.3 Guidance .12
4.5 Assigning relevant roles and authorities .12
4.5.1 Requirement .12
4.5.2 Explanation . 12
4.5.3 Guidance .12
4.6 Establishing multi-functional responsibilities . 13
4.6.1 Requirement .13
4.6.2 Explanation . 13
4.6.3 Guidance .13
4.7 Developing privacy knowledge, skill and ability . 13
4.7.1 Requirement .13
4.7.2 Explanation . 14
4.7.3 Guidance . 14
4.8 Ensuring knowledge of privacy controls . 14
4.8.1 Requirement . 14
4.8.2 Explanation . 14
4.8.3 Guidance .15
4.9 Documentation and information management . 15
4.9.1 Requirement .15
4.9.2 Explanation . 15
4.9.3 Guidance . 16
5 Consumer communication requirements .16
5.1 Overview . 16
5.2 Provision of privacy information . 17
5.2.1 Requirement . 17
5.2.2 Explanation . 17
5.2.3 Guidance . 17
5.3 Accountability for providing privacy information . 18
5.3.1 Requirement . 18
5.3.2 Explanation . 19
5.3.3 Guidance . 19
5.4 Responding to consumer inquiries and complaints . 19
5.4.1 Requirement . 19
5.4.2 Explanation . 19
iii
5.4.3 Guidance . 19
5.5 Communicating to diverse consumer population . 19
5.5.1 Requirement . 19
5.5.2 Explanation . 19
5.5.3 Guidance . 20
5.6 Prepare data breach communications . 20
5.6.1 Requirement .20
5.6.2 Explanation . 20
5.6.3 Guidance . 20
6 Risk management requirements .21
6.1 Overview . 21
6.2 Conducting a privacy risk assessment . 21
6.2.1 Requirement . 21
6.2.2 Explanation . 21
6.2.3 Guidance .22
6.3 Assessing privacy capabilities of third parties . 22
6.3.1 Requirement .22
6.3.2 Explanation . 23
6.3.3 Guidance .23
6.4 Establishing and documenting requirements for privacy controls .23
6.4.1 Requirement: .23
6.4.2 Explanation . 23
6.4.3 Guidance . 24
6.5 Monitoring and updating risk assessment . 24
6.5.1 Requirement . 24
6.5.2 Explanation . 24
6.5.3 Guidance . 24
6.6 Including privacy risks in cybersecurity resilience design . 25
6.6.1 Requirement . 25
6.6.2 Explanation . 25
6.6.3 Guidance . 25
7 Developing, deploying and operating designed privacy controls .25
7.1 Overview . 25
7.2 Integrating the design and operation of privacy controls into the product
development and management lifecycles . 26
7.2.1 Requirement .26
7.2.2 Explanation . 26
7.2.3 Guidance . 26
7.3 Designing privacy controls . 27
7.3.1 Requirement . 27
7.3.2 Explanation . 27
7.3.3 Guidance . 27
7.4 Implementing privacy controls . . 27
7.4.1 Requirement . 27
7.4.2 Explanation . 27
7.4.3 Guidance . 27
7.5 Designing privacy control testing .28
7.5.1 Requirement .28
7.5.2 Explanation .28
7.5.3 Guidance .28
7.6 Managing the transition of privacy controls .29
7.6.1 Requirement .29
7.6.2 Explanation .29
7.6.3 Guidance .29
7.7 Managing the operation of privacy controls .30
7.7.1 Requirement .30
7.7.2 Explanation . 30
iv
7.7.3 Guidance . 30
7.8 Preparing for and managing a privacy breach.30
7.8.1 Requirement .30
7.8.2 Explanation . 31
7.8.3 Guidance . 31
7.9 Operating privacy controls for the processes and products upon which the
product in scope depends throughout the PII lifecycle . 31
7.9.1 Requirement . 31
7.9.2 Explanation . 31
7.9.3 Guidance . 31
8 End of PII lifecycle requirements .32
8.1 Overview . 32
8.2 Designing privacy controls for retirement and end of use . 32
8.2.1 Requirement . 32
8.2.2 Explanation . 32
8.2.3 Guidance . 32
Bibliography .34
v
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Project Committee ISO/PC 317, Consumer protection: privacy by design
for consumer goods and services.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
vi
Introduction
Consumers’ trust and how well individual privacy needs are met are defining concerns for the digital
economy. This includes how consumers' personally identifiable information (PII) and other data are
processed (collected, used, accessed, stored, and deleted) — or intentionally not collected or processed
— by the organization and by the digital goods and services within that digital economy. If PII has
been compromised because of lax, outdated, or non-existent privacy practices, the consequences for
the individual can be severe. In addition, consumers' trust of the digital product can be damaged with
potentially legal or reputational impacts to the organization providing that consumer product.
“Privacy by Design” was originally used by the Information and Privacy Commissioner of Ontario,
Canada. with the goal that the individual need not bear the burden of striving for protection when using
a consumer product.
Privacy by design refers to several methodologies for product, process, system, software and service
development, e.g. References [1], [2], [3], [4], [5] and [6]. These methodologies take into account the
privacy of a consumer throughout the design and development of a product, considering the entire
product lifecycle - from before it is placed on the market, through purchase and use by consumers, to
the expected time when all instances of that product finally stop being used. It means that a product
has default consumer-oriented privacy controls and settings that provide appropriate levels of privacy,
without placing undue burden on the consumer.
NOTE This document provides references in the bibliography to other existing standards and resources,
that provide more detailed requirements and guidance on privacy (e.g. identification of PII, PII access and
privacy controls, consumer consent, notification of privacy breach, secure disposal of PII, interactions with third
party processors) for common functions within the organization (e.g. Corporate Governance; Data and Privacy
Governance; IT Operations and IT Services Management; Security and Security Management; Data Management
and Database Administration; Marketing, Product Management; Web and mobile application development,
systems development; Systems administration, network administration).
In this document, the benefits of privacy by design can be viewed through three guiding principles as
outlined below.
Empowerment and transparency
There is growing demand for accurate privacy assertions, systematic methods of privacy due diligence,
and greater transparency and accountability in the design and operation of consumer products that
process PII. The goal is to promote wider adoption of privacy-aware design, earn consumer trust and
satisfy consumer needs for robust privacy and data protection. In addition, the intent is to create
and promote innovative solutions that protect and manage consumers' privacy: a) by analysing and
implementing privacy controls based on the consumer’s perspective, context, and needs, and b) by
succinctly documenting and communicating directly to consumers how privacy considerations were
approached.
Institutionalization and responsibility
In today’s digital world of shared platforms, interconnected devices, cloud applications and
personalization, it is increasingly important to delineate and distinguish the responsibilities and
perspectives of the consumer of the products that process PII from those of product design, business
and other stakeholders in the ecosystems in which the product operates.
Privacy by design focuses on the consumer perspective when institutionalizing robust privacy norms
throughout the ecosystem including privacy protection and data handling practices. With privacy
by design, the consumer’s behavioural engagement with the product(s) and their privacy needs
are considered early and throughout the product lifecycle process. This way, decisions concerning
consumer privacy needs will be more consistent and systematic and become a functional requirement
alongside the interests of product design, business and other stakeholders.
Privacy by design also focuses on accountability, responsibility, and leadership. These aspects are
essential to successfully operationalizing and institutionalizing the privacy by design process.
vii
A demonstrated leadership commitment to privacy by design is essential to operationalize and
institutionalize privacy in the product design process of an organization.
Ecosystem and lifecycle
A privacy by design approach can be applied to the broader information ecosystems in which both
technologies and organizations operate and function. Privacy and consumer protection benefit from
taking a holistic, integrative approach that considers as many contextual factors as possible (e.g. the
type of consumer, their goal and intent in using a product, and the data the product will process for
that consumer) – even (or especially) when these factors lie outside the direct control of any particular
actor, organization, or component in the system. [see 5.5.3 a)].
Privacy by design applies to all products that use PII, whether physical goods, or intangible services
such as software as a service, or a mixture of both. It is intended to be scalable to the needs of all types
of organizations in different countries and different sectors, regardless of organization size or maturity.
It is possible that additional privacy issues and a need for related controls are identified at any point
in the product lifecycle, including during development or after use by consumers. Privacy by design
methodologies support iterative approaches to product development, with supplementary privacy
enhancements designed and deployed long after the initial design phase.
Audience for this document
The primary audiences for this document are those staff of organizations and third parties, who
are responsible for the concept, design, manufacturing, management, testing, operation, service,
maintenance and disposal of consumer goods and services.
viii
INTERNATIONAL STANDARD ISO 31700-1:2023(E)
Consumer protection — Privacy by design for consumer
goods and services —
Part 1:
High-level requirements
1 Scope
This document establishes high-level requirements for privacy by design to protect privacy throughout
the lifecycle of a consumer product, including data processed by the consumer.
This document does not contain specific requirements for the privacy assurances and commitments that
organizations can offer consumers nor does it specify particular methodologies that an organization
can adopt to design and-implement privacy controls, nor the technology that can be used to operate
such controls.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
consumer
individual member of the general public purchasing or using property, products for private purposes
Note 1 to entry: “Consumer” (including elderly, children, and persons with disabilities) covers both consumers
and potential consumers. Consumer products can be one-time purchases or long-term contracts or obligations.
Note 2 to entry: This term only applies to natural persons, not legal entities.
Note 3 to entry: Property, products or services (3.3) purchased or used by consumers can be used for professional
purposes and not only private ones (e.g. Bring Your Own Device).
[SOURCE: ISO/IEC Guide 14:2018, 3.2, modified — "or serviced" has been removed from the definition,
Note 1 to entry has been modified, Notes 2 and 3 to entry have been added.]
3.2
personally identifiable information
PII
personal information
information that a) can be used to establish a link between the information and the natural person to
whom such information relates or b) is or can be directly or indirectly linked to a natural person
Note 1 to entry: To determine whether a PII principal is identifiable, account should be taken of all the means
which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the
link between the set of PII and the natural person.
Note 2 to entry: A public cloud PII processor (3.18) is typically not in a position to know explicitly whether
information it processes falls into any specified category unless this is made transparent by the cloud service
customer.
[SOURCE: ISO/IEC 19944-1:2020, 3.3.1, modified — The admitted term has been deleted, Note 1 to
entry and Note 2 to entry have been shortened.]
3.3
privacy breach
situation where personally identifiable information (3.2) is processed in violation of one or more relevant
privacy safeguarding requirements (3.9)
[SOURCE: ISO/IEC 29100:2011, 2.13]
3.4
service
output of an organization with at least one activity necessarily performed between the organization
and the consumer (3.1)
Note 1 to entry: The dominant elements of a service are generally intangible.
Note 2 to entry: A service often involves activities at the interface with the consumer to establish consumer
requirements (3.9) as well as upon delivery of the service and can involve a continuing relationship such as banks,
accountancies or public organizations, e.g. schools or hospitals.
Note 3 to entry: Provision of a service can involve, for example, the following:
— an activity performed on a consumer-supplied tangible product (e.g. a car to be repaired);
— an activity performed on a consumer-supplied intangible product (e.g. the income statement needed to
prepare a tax return);
— the delivery of an intangible product (e.g. the delivery of information in the context of knowledge transmission);
— the creation of ambience for the customer (e.g. in hotels and restaurants).
Note 4 to entry: A service is generally experienced by the consumer.
[SOURCE: ISO 9000:2015, 3.7.7, modified — “customer” has been replaced with “consumer”.]
3.5
privacy by design
design methodologies in which privacy is considered and integrated into the initial design stage and
throughout the complete lifecycle of products, processes or services (3.3) that involve processing of
personally identifiable information (3.2), including product retirement (3.15) and the eventual deletion
(3.26) of any associated personally identifiable information (3.2)
Note 1 to entry: The lifecycle also includes changes or updates.
3.6
interested party
stakeholder
person, group of people or organization (3.2.1) that has an interest in, can affect, be affected by, or
perceive itself to be affected by a decision or activity
3.7
consumer-configurable privacy setting
consumer privacy setting
consumer privacy control
specific choices made by a personally identifiable information (3.2) principal about how their personally
identifiable information is processed for a particular purpose
[SOURCE: ISO/IEC 29100:2011, 2.17, modified — Preferred term deleted, new preferred and admitted
terms added.]
3.8
processing of personally identifiable information
processing of PII
operation or set of operations performed upon personally identifiable information (3.2)
Note 1 to entry: Examples of processing operations of personally identifiable information include, but are not limited
to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization,
dissemination or otherwise making available, deletion or destruction of personally identifiable information.
[SOURCE: ISO/IEC 29100:2011, 2.23]
3.9
requirement
statement that translates or expresses a need and its associated constraints (3.7) and conditions (3.10)
in an unambiguous manner
Note 1 to entry: Requirements exist at different levels in the system structure.
Note 2 to entry: A requirement always relates to a system, software or service (3.4), or other item of interest.
[SOURCE: ISO/IEC/IEEE 29148:2018, 3.1.19, modified – "in an unambiguous manner” has been added to
the definition, Note 2 to entry has been deleted and Note 3 to entry is now Note 2 to entry.]
3.10
condition
measurable qualitative or quantitative attribute (3.11) that is stipulated for a requirement (3.9) and that
indicates a circumstance or event under which a requirement applies
[SOURCE: ISO/IEC/IEEE 29148:2018, 3.1.6]
3.11
attribute
inherent property or characteristic of an entity that can be distinguished quantitatively or qualitatively
by human or automated means
Note 1 to entry: ISO 9000 distinguishes two types of attributes: a permanent characteristic existing inherently in
something; and an assigned characteristic of a product, process, or system (e.g. the price of a product, the owner
of a product). The assigned characteristic is not an inherent quality characteristic of that product, process or
system.
[SOURCE: ISO/IEC 25000:2014, 4.1, modified — Note 1 to entry has been removed; Note 2 to entry has
become Note 1 to entry.]
3.12
third party
person or body that is independent of the organization (3.1)
Note 1 to entry: All business associates are third parties, but not all third parties are business associates.
Note 2 to entry: A third party can be a personally identifiable information controller (3.19) or a personally
identifiable information processor (3.20) or both, depending on context.
3.13
consumer product
good or service designed and produced primarily for, but not limited to, personal or household use,
including its components, parts accessories, instructions and packaging
[SOURCE: ISO 10377:2013, 2.2, modified]
3.14
personally identifiable information lifecycle
PII lifecycle
sequence of events from creation or origination, collection, through storage, use and transfer to
eventual disposal (e.g. secure destruction) of personally identifiable information (3.2).
3.15
retirement
withdrawal of active support by the operation and maintenance organization, partial or total
replacement by a new system, or installation of an upgraded system
Note 1 to entry: This can include decommissioning, cessation of marketing, selling, or provision of parts, services
or software updates for the product.
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.39, modified — Note 1 to entry added.]
3.16
privacy control
measure that treats privacy risks (3.18) by reducing their likelihood or their consequences
Note 1 to entry: Privacy controls include organizational, physical and technical measures, e.g. policies,
procedures, guidelines, legal contracts, management practices, data-minimizing protocols and techniques or
organizational structures.
Note 2 to entry: Control is also used as a synonym for safeguard or countermeasure.
[SOURCE: ISO/IEC 29100:2011, modified — Note 1 to entry modified.]
3.17
information security
preservation of confidentiality, integrity and availability of information
Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability
can also be involved.
[SOURCE: ISO/IEC 27000:2018, 3.28]
3.18
privacy risk
effect of uncertainty on privacy
Note 1 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 2 to entry: a privacy risk can be personally identifiable information (3.2) misuse or the risk that consumers
(3.1) will experience adverse consequences resulting from personally identifiable information processing.
[SOURCE: ISO/IEC 29100:2011, 2.19, modified — Note 1 to entry has been deleted, Note 2 to entry has
been added.]
3.19
personally identifiable information controller
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for pro
...


INTERNATIONAL ISO
STANDARD 31700-1
First edition
2023-01
Consumer protection — Privacy
by design for consumer goods and
services —
Part 1:
High-level requirements
Protection des consommateurs — Respect de la vie privée assuré
dès la conception des biens de consommation et services aux
consommateurs —
Partie 1: Exigences de haut niveau
Reference number
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword . vi
Introduction .vii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General . 8
4.1 Overview . 8
4.2 Designing capabilities to enable consumers to enforce their privacy rights . 9
4.2.1 Requirement . 9
4.2.2 Explanation . 9
4.2.3 Guidance . 10
4.3 Developing capability to determine consumer privacy preferences . 10
4.3.1 Requirement . 10
4.3.2 Explanation . 11
4.3.3 Guidance . 11
4.4 Designing human computer interface (HCI) for privacy . 11
4.4.1 Requirement . 11
4.4.2 Explanation .12
4.4.3 Guidance .12
4.5 Assigning relevant roles and authorities .12
4.5.1 Requirement .12
4.5.2 Explanation . 12
4.5.3 Guidance .12
4.6 Establishing multi-functional responsibilities . 13
4.6.1 Requirement .13
4.6.2 Explanation . 13
4.6.3 Guidance .13
4.7 Developing privacy knowledge, skill and ability . 13
4.7.1 Requirement .13
4.7.2 Explanation . 14
4.7.3 Guidance . 14
4.8 Ensuring knowledge of privacy controls . 14
4.8.1 Requirement . 14
4.8.2 Explanation . 14
4.8.3 Guidance .15
4.9 Documentation and information management . 15
4.9.1 Requirement .15
4.9.2 Explanation . 15
4.9.3 Guidance . 16
5 Consumer communication requirements .16
5.1 Overview . 16
5.2 Provision of privacy information . 17
5.2.1 Requirement . 17
5.2.2 Explanation . 17
5.2.3 Guidance . 17
5.3 Accountability for providing privacy information . 18
5.3.1 Requirement . 18
5.3.2 Explanation . 19
5.3.3 Guidance . 19
5.4 Responding to consumer inquiries and complaints . 19
5.4.1 Requirement . 19
5.4.2 Explanation . 19
iii
5.4.3 Guidance . 19
5.5 Communicating to diverse consumer population . 19
5.5.1 Requirement . 19
5.5.2 Explanation . 19
5.5.3 Guidance . 20
5.6 Prepare data breach communications . 20
5.6.1 Requirement .20
5.6.2 Explanation . 20
5.6.3 Guidance . 20
6 Risk management requirements .21
6.1 Overview . 21
6.2 Conducting a privacy risk assessment . 21
6.2.1 Requirement . 21
6.2.2 Explanation . 21
6.2.3 Guidance .22
6.3 Assessing privacy capabilities of third parties . 22
6.3.1 Requirement .22
6.3.2 Explanation . 23
6.3.3 Guidance .23
6.4 Establishing and documenting requirements for privacy controls .23
6.4.1 Requirement: .23
6.4.2 Explanation . 23
6.4.3 Guidance . 24
6.5 Monitoring and updating risk assessment . 24
6.5.1 Requirement . 24
6.5.2 Explanation . 24
6.5.3 Guidance . 24
6.6 Including privacy risks in cybersecurity resilience design . 25
6.6.1 Requirement . 25
6.6.2 Explanation . 25
6.6.3 Guidance . 25
7 Developing, deploying and operating designed privacy controls .25
7.1 Overview . 25
7.2 Integrating the design and operation of privacy controls into the product
development and management lifecycles . 26
7.2.1 Requirement .26
7.2.2 Explanation . 26
7.2.3 Guidance . 26
7.3 Designing privacy controls . 27
7.3.1 Requirement . 27
7.3.2 Explanation . 27
7.3.3 Guidance . 27
7.4 Implementing privacy controls . . 27
7.4.1 Requirement . 27
7.4.2 Explanation . 27
7.4.3 Guidance . 27
7.5 Designing privacy control testing .28
7.5.1 Requirement .28
7.5.2 Explanation .28
7.5.3 Guidance .28
7.6 Managing the transition of privacy controls .29
7.6.1 Requirement .29
7.6.2 Explanation .29
7.6.3 Guidance .29
7.7 Managing the operation of privacy controls .30
7.7.1 Requirement .30
7.7.2 Explanation . 30
iv
7.7.3 Guidance . 30
7.8 Preparing for and managing a privacy breach.30
7.8.1 Requirement .30
7.8.2 Explanation . 31
7.8.3 Guidance . 31
7.9 Operating privacy controls for the processes and products upon which the
product in scope depends throughout the PII lifecycle . 31
7.9.1 Requirement . 31
7.9.2 Explanation . 31
7.9.3 Guidance . 31
8 End of PII lifecycle requirements .32
8.1 Overview . 32
8.2 Designing privacy controls for retirement and end of use . 32
8.2.1 Requirement . 32
8.2.2 Explanation . 32
8.2.3 Guidance . 32
Bibliography .34
v
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Project Committee ISO/PC 317, Consumer protection: privacy by design
for consumer goods and services.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
vi
Introduction
Consumers’ trust and how well individual privacy needs are met are defining concerns for the digital
economy. This includes how consumers' personally identifiable information (PII) and other data are
processed (collected, used, accessed, stored, and deleted) — or intentionally not collected or processed
— by the organization and by the digital goods and services within that digital economy. If PII has
been compromised because of lax, outdated, or non-existent privacy practices, the consequences for
the individual can be severe. In addition, consumers' trust of the digital product can be damaged with
potentially legal or reputational impacts to the organization providing that consumer product.
“Privacy by Design” was originally used by the Information and Privacy Commissioner of Ontario,
Canada. with the goal that the individual need not bear the burden of striving for protection when using
a consumer product.
Privacy by design refers to several methodologies for product, process, system, software and service
development, e.g. References [1], [2], [3], [4], [5] and [6]. These methodologies take into account the
privacy of a consumer throughout the design and development of a product, considering the entire
product lifecycle - from before it is placed on the market, through purchase and use by consumers, to
the expected time when all instances of that product finally stop being used. It means that a product
has default consumer-oriented privacy controls and settings that provide appropriate levels of privacy,
without placing undue burden on the consumer.
NOTE This document provides references in the bibliography to other existing standards and resources,
that provide more detailed requirements and guidance on privacy (e.g. identification of PII, PII access and
privacy controls, consumer consent, notification of privacy breach, secure disposal of PII, interactions with third
party processors) for common functions within the organization (e.g. Corporate Governance; Data and Privacy
Governance; IT Operations and IT Services Management; Security and Security Management; Data Management
and Database Administration; Marketing, Product Management; Web and mobile application development,
systems development; Systems administration, network administration).
In this document, the benefits of privacy by design can be viewed through three guiding principles as
outlined below.
Empowerment and transparency
There is growing demand for accurate privacy assertions, systematic methods of privacy due diligence,
and greater transparency and accountability in the design and operation of consumer products that
process PII. The goal is to promote wider adoption of privacy-aware design, earn consumer trust and
satisfy consumer needs for robust privacy and data protection. In addition, the intent is to create
and promote innovative solutions that protect and manage consumers' privacy: a) by analysing and
implementing privacy controls based on the consumer’s perspective, context, and needs, and b) by
succinctly documenting and communicating directly to consumers how privacy considerations were
approached.
Institutionalization and responsibility
In today’s digital world of shared platforms, interconnected devices, cloud applications and
personalization, it is increasingly important to delineate and distinguish the responsibilities and
perspectives of the consumer of the products that process PII from those of product design, business
and other stakeholders in the ecosystems in which the product operates.
Privacy by design focuses on the consumer perspective when institutionalizing robust privacy norms
throughout the ecosystem including privacy protection and data handling practices. With privacy
by design, the consumer’s behavioural engagement with the product(s) and their privacy needs
are considered early and throughout the product lifecycle process. This way, decisions concerning
consumer privacy needs will be more consistent and systematic and become a functional requirement
alongside the interests of product design, business and other stakeholders.
Privacy by design also focuses on accountability, responsibility, and leadership. These aspects are
essential to successfully operationalizing and institutionalizing the privacy by design process.
vii
A demonstrated leadership commitment to privacy by design is essential to operationalize and
institutionalize privacy in the product design process of an organization.
Ecosystem and lifecycle
A privacy by design approach can be applied to the broader information ecosystems in which both
technologies and organizations operate and function. Privacy and consumer protection benefit from
taking a holistic, integrative approach that considers as many contextual factors as possible (e.g. the
type of consumer, their goal and intent in using a product, and the data the product will process for
that consumer) – even (or especially) when these factors lie outside the direct control of any particular
actor, organization, or component in the system. [see 5.5.3 a)].
Privacy by design applies to all products that use PII, whether physical goods, or intangible services
such as software as a service, or a mixture of both. It is intended to be scalable to the needs of all types
of organizations in different countries and different sectors, regardless of organization size or maturity.
It is possible that additional privacy issues and a need for related controls are identified at any point
in the product lifecycle, including during development or after use by consumers. Privacy by design
methodologies support iterative approaches to product development, with supplementary privacy
enhancements designed and deployed long after the initial design phase.
Audience for this document
The primary audiences for this document are those staff of organizations and third parties, who
are responsible for the concept, design, manufacturing, management, testing, operation, service,
maintenance and disposal of consumer goods and services.
viii
INTERNATIONAL STANDARD ISO 31700-1:2023(E)
Consumer protection — Privacy by design for consumer
goods and services —
Part 1:
High-level requirements
1 Scope
This document establishes high-level requirements for privacy by design to protect privacy throughout
the lifecycle of a consumer product, including data processed by the consumer.
This document does not contain specific requirements for the privacy assurances and commitments that
organizations can offer consumers nor does it specify particular methodologies that an organization
can adopt to design and-implement privacy controls, nor the technology that can be used to operate
such controls.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
consumer
individual member of the general public purchasing or using property, products for private purposes
Note 1 to entry: “Consumer” (including elderly, children, and persons with disabilities) covers both consumers
and potential consumers. Consumer products can be one-time purchases or long-term contracts or obligations.
Note 2 to entry: This term only applies to natural persons, not legal entities.
Note 3 to entry: Property, products or services (3.3) purchased or used by consumers can be used for professional
purposes and not only private ones (e.g. Bring Your Own Device).
[SOURCE: ISO/IEC Guide 14:2018, 3.2, modified — "or serviced" has been removed from the definition,
Note 1 to entry has been modified, Notes 2 and 3 to entry have been added.]
3.2
personally identifiable information
PII
personal information
information that a) can be used to establish a link between the information and the natural person to
whom such information relates or b) is or can be directly or indirectly linked to a natural person
Note 1 to entry: To determine whether a PII principal is identifiable, account should be taken of all the means
which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the
link between the set of PII and the natural person.
Note 2 to entry: A public cloud PII processor (3.18) is typically not in a position to know explicitly whether
information it processes falls into any specified category unless this is made transparent by the cloud service
customer.
[SOURCE: ISO/IEC 19944-1:2020, 3.3.1, modified — The admitted term has been deleted, Note 1 to
entry and Note 2 to entry have been shortened.]
3.3
privacy breach
situation where personally identifiable information (3.2) is processed in violation of one or more relevant
privacy safeguarding requirements (3.9)
[SOURCE: ISO/IEC 29100:2011, 2.13]
3.4
service
output of an organization with at least one activity necessarily performed between the organization
and the consumer (3.1)
Note 1 to entry: The dominant elements of a service are generally intangible.
Note 2 to entry: A service often involves activities at the interface with the consumer to establish consumer
requirements (3.9) as well as upon delivery of the service and can involve a continuing relationship such as banks,
accountancies or public organizations, e.g. schools or hospitals.
Note 3 to entry: Provision of a service can involve, for example, the following:
— an activity performed on a consumer-supplied tangible product (e.g. a car to be repaired);
— an activity performed on a consumer-supplied intangible product (e.g. the income statement needed to
prepare a tax return);
— the delivery of an intangible product (e.g. the delivery of information in the context of knowledge transmission);
— the creation of ambience for the customer (e.g. in hotels and restaurants).
Note 4 to entry: A service is generally experienced by the consumer.
[SOURCE: ISO 9000:2015, 3.7.7, modified — “customer” has been replaced with “consumer”.]
3.5
privacy by design
design methodologies in which privacy is considered and integrated into the initial design stage and
throughout the complete lifecycle of products, processes or services (3.3) that involve processing of
personally identifiable information (3.2), including product retirement (3.15) and the eventual deletion
(3.26) of any associated personally identifiable information (3.2)
Note 1 to entry: The lifecycle also includes changes or updates.
3.6
interested party
stakeholder
person, group of people or organization (3.2.1) that has an interest in, can affect, be affected by, or
perceive itself to be affected by a decision or activity
3.7
consumer-configurable privacy setting
consumer privacy setting
consumer privacy control
specific choices made by a personally identifiable information (3.2) principal about how their personally
identifiable information is processed for a particular purpose
[SOURCE: ISO/IEC 29100:2011, 2.17, modified — Preferred term deleted, new preferred and admitted
terms added.]
3.8
processing of personally identifiable information
processing of PII
operation or set of operations performed upon personally identifiable information (3.2)
Note 1 to entry: Examples of processing operations of personally identifiable information include, but are not limited
to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization,
dissemination or otherwise making available, deletion or destruction of personally identifiable information.
[SOURCE: ISO/IEC 29100:2011, 2.23]
3.9
requirement
statement that translates or expresses a need and its associated constraints (3.7) and conditions (3.10)
in an unambiguous manner
Note 1 to entry: Requirements exist at different levels in the system structure.
Note 2 to entry: A requirement always relates to a system, software or service (3.4), or other item of interest.
[SOURCE: ISO/IEC/IEEE 29148:2018, 3.1.19, modified – "in an unambiguous manner” has been added to
the definition, Note 2 to entry has been deleted and Note 3 to entry is now Note 2 to entry.]
3.10
condition
measurable qualitative or quantitative attribute (3.11) that is stipulated for a requirement (3.9) and that
indicates a circumstance or event under which a requirement applies
[SOURCE: ISO/IEC/IEEE 29148:2018, 3.1.6]
3.11
attribute
inherent property or characteristic of an entity that can be distinguished quantitatively or qualitatively
by human or automated means
Note 1 to entry: ISO 9000 distinguishes two types of attributes: a permanent characteristic existing inherently in
something; and an assigned characteristic of a product, process, or system (e.g. the price of a product, the owner
of a product). The assigned characteristic is not an inherent quality characteristic of that product, process or
system.
[SOURCE: ISO/IEC 25000:2014, 4.1, modified — Note 1 to entry has been removed; Note 2 to entry has
become Note 1 to entry.]
3.12
third party
person or body that is independent of the organization (3.1)
Note 1 to entry: All business associates are third parties, but not all third parties are business associates.
Note 2 to entry: A third party can be a personally identifiable information controller (3.19) or a personally
identifiable information processor (3.20) or both, depending on context.
3.13
consumer product
good or service designed and produced primarily for, but not limited to, personal or household use,
including its components, parts accessories, instructions and packaging
[SOURCE: ISO 10377:2013, 2.2, modified]
3.14
personally identifiable information lifecycle
PII lifecycle
sequence of events from creation or origination, collection, through storage, use and transfer to
eventual disposal (e.g. secure destruction) of personally identifiable information (3.2).
3.15
retirement
withdrawal of active support by the operation and maintenance organization, partial or total
replacement by a new system, or installation of an upgraded system
Note 1 to entry: This can include decommissioning, cessation of marketing, selling, or provision of parts, services
or software updates for the product.
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.39, modified — Note 1 to entry added.]
3.16
privacy control
measure that treats privacy risks (3.18) by reducing their likelihood or their consequences
Note 1 to entry: Privacy controls include organizational, physical and technical measures, e.g. policies,
procedures, guidelines, legal contracts, management practices, data-minimizing protocols and techniques or
organizational structures.
Note 2 to entry: Control is also used as a synonym for safeguard or countermeasure.
[SOURCE: ISO/IEC 29100:2011, modified — Note 1 to entry modified.]
3.17
information security
preservation of confidentiality, integrity and availability of information
Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability
can also be involved.
[SOURCE: ISO/IEC 27000:2018, 3.28]
3.18
privacy risk
effect of uncertainty on privacy
Note 1 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 2 to entry: a privacy risk can be personally identifiable information (3.2) misuse or the risk that consumers
(3.1) will experience adverse consequences resulting from personally identifiable information processing.
[SOURCE: ISO/IEC 29100:2011, 2.19, modified — Note 1 to entry has been deleted, Note 2 to entry has
been added.]
3.19
personally identifiable information controller
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing
personally identifiable information (3.2) other than natural persons who use data for personal purposes
[SOURCE: ISO/IEC 29100:2011, 2.10, modified — Note to entry has been removed.]
3.20
personally identifiable information processor
PII processor
privacy stakeholder that processes personally identifiable information (3.2) on behalf of and in
accordance with the instruction of a PII controller (3.19)
[SOURCE: ISO/IEC 29100:2011, 2.12]
3.21
human-centred design
approach to system design and development that aims to make interactive systems more usable by
focusing on the use of the system by human beings; applying human factors, ergonomics and usability
knowledge and techniques
Note 1 to entry: The term "human-centred design" is used rather than "consumer-centred design" to emphasize
that design impacts a number of stakeholders, not just those typically considered as consumer (3.1). However, in
practice, they are often used synonymously.
Note 2 to entry: Usable systems can provide a number of benefits including improved productivity, enhanced
consumer wellbeing, avoidance of stress, increased accessibility, and reduced risk of harm.
[SOURCE: ISO/IEC 25063:2014, 3.6, modified — Note 1 to entr
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

This May Also Interest You

SIST
SIST-TP ISO/TR 31700-2:2024(Main)
Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases
ISO/TR 31700-2:2023

This document provides illustrative use cases, with associated analysis, chosen to assist in understanding the requirements of 31700-1.
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

  • Technical report
    36 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Technical report
    31 pages
    English language
    sale 15% off
SIST
SIST EN 16647-1:2026(Main)
Alcohol powered flueless fireplaces - Safety requirements and test methods- Part 1: Manually operated decorative fireplaces for domestic use
EN 16647-1:2025

This document is applicable only to decorative fireplaces that have been manufactured for domestic use, which produce a flame using liquid alcohol, hereafter referred to as fuel.
NOTE 1   The requirements outlined in this document can also be applied for outside domestic settings. In that case, additional or different rules on the use of the fireplaces can apply.
This document is applicable to free-standing, wall-mounted and built-in fireplaces.
This document is applicable to decorative fireplaces that require manual user interaction for ignition, filling, re-filling or extinguishing the fireplace.
NOTE 2   The fireplaces can contain some electric or electronic components.
This document is applicable to fireplaces ready for use, whose fuel box is of one unit or is an integral component of the fireplace but not to fireplaces with a fuel tank separate from the fireplace.
This document does not apply to fireplaces specifically designed for heating food or keeping food warm (rechauds), nor does it apply to fireplaces for use in boats, caravans, other vehicles or outdoor areas.
This document does not apply to fireplaces with a power output higher than 4,5 kW or with a defined heating function.
NOTE 3   National regulations can restrict the power output to less than 4,5 kW.

  • Standard
    41 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN IEC 62841-2-19:2026/A11:2026(Amendment)
Electric motor-operated hand-held tools, transportable tools and lawn and garden machinery - Safety - Part 2-19: Particular requirements for hand-held jointers
EN IEC 62841-2-19:2025/A11:2025

2021-12-20: This prAA includes common mods to EN IEC 62841-2-19 (PR=75430)
DOW=DOR+48 months is applied to all parts in EN IEC 62841 series

  • Amendment
    9 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 17984-3:2026(Main)
Assistance Dogs - Part 3: Competencies for Assistance Dogs Professionals
EN 17984-3:2025

This document specifies the competencies required of assistance dogs’ professionals. The purpose of this document is to improve and ensure the quality of professionals working in a role within an assistance dog organization. Each speciality of assistance dog requires a specific set of role competencies and there are some common core competencies.
Core competencies in:
-   breeding;
-   puppy raising;
-   dog care;
-   assessors;
-   orientation and mobility;
-   trainers;
-   instructors.
Specific competencies to train:
-   guide dogs;
-   hearing dogs;
-   medical alert dogs;
-   mobility assistance dogs;
-   autism and development disorder dogs;
-   team training instructor.
It is accepted that assistance dog organisations vary greatly in structure and not every organization will have all the roles identified. Where one person performs more than one role, it is expected that they will have the competencies of all the roles they perform e.g. a dog trainer may also have the competencies of a dog care specialist. And there will be some organisations where some of these roles are not required, e.g. those with no breeding programme will not require the associated role competencies.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO 5577:2026(Main)
Non-destructive testing - Ultrasonic testing - Vocabulary (ISO 5577:2025)
EN ISO 5577:2025

This document defines the terms used in ultrasonic non-destructive testing and forms a common basis for standards and general use.
This document does not cover specific terms used in ultrasonic testing with arrays.
NOTE            Terms used in ultrasonic testing with arrays are defined in ISO 23243.

  • Standard
    55 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO 2719:2026(Main)
Determination of flash point - Pensky-Martens closed cup method (ISO 2719:2025)
EN ISO 2719:2025

This document specifies three procedures, A, B and C, using the Pensky-Martens closed cup tester, for determining the flash point of combustible liquids, liquids with suspended solids, liquids that tend to form a surface film under the test conditions, biodiesel and other liquids in the temperature range of 40 °C to 370 °C.
NOTE 1        Although, technically, kerosene with a flash point above 40 °C can be tested using this document, it is standard practice to test kerosene according to ISO 13736.[5] Similarly, lubricating oils are normally tested according to ISO 2592.[2]
Procedure A is applicable to distillate fuels (diesel, biodiesel blends, heating oil and turbine fuels), new and in-use lubricating oils, paints and varnishes, and other homogeneous liquids not included in the scope of procedures B or C.
Procedure B is applicable to residual fuel oils, cutback residuals, used lubricating oils, mixtures of liquids with solids, and liquids that tend to form a surface film under test conditions or are of such kinematic viscosity that they are not uniformly heated under the stirring and heating conditions of procedure A.
Procedure C is applicable to fatty acid methyl esters (FAME) as specified in specifications such as EN 14214[11] or ASTM D6751.[13]
This document is not applicable to water-borne paints and varnishes.
NOTE 2        Water-borne paints and varnishes can be tested using ISO 3679.[3] Liquids containing traces of highly volatile materials can be tested using ISO 1523[1] or ISO 3679.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO 18862:2026(Main)
Coffee and coffee products - Determination of acrylamide - Methods using high-performance liquid chromatography with tandem mass spectrometric detection (HPLC-MS/MS) and gas chromatography with mass spectrometric detection (GC-MS) after derivatization (ISO 18862:2025)
EN ISO 18862:2025

This document specifies methods for the determination of acrylamide in coffee and coffee products by extraction with water, clean-up by solid-phase extraction (SPE) and determination by high-performance liquid chromatography with tandem mass spectrometric detection (HPLC-MS/MS) and gas chromatography with mass spectrometric detection (GC-MS) after derivatization. The methods were validated in a validation study for roasted coffee, soluble coffee, coffee substitutes and coffee products with ranges from 53 μg/kg to 612,1 μg/kg.

  • Standard
    32 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN/TS 18227:2026(Main)
Automotive fuels - E20 petrol - Requirements and test methods
CEN/TS 18227:2025

This document specifies requirements and test methods for E20 petrol marketed and delivered as such, containing a minimum oxygen content of 3,7 % (m/m) and a maximum of 8,0 % (m/m). The fuel has a maximum of 20,0 % (V/V) ethanol.
It is applicable to fuel for use in spark-ignition petrol-fuelled engines and vehicles.
This document is complementary to EN 228, which describes unleaded petrol containing an oxygen content up to 3,7 % (m/m) and a maximum ethanol content of 10 % (V/V).
NOTE 1   For general petrol engine vehicle warranty, E20 petrol might not be suitable for all vehicles and it is advised that the recommendations of the vehicle manufacturer are consulted before use. E20 petrol might need a validation step to confirm the compatibility of the fuel with the vehicle, which for some existing engines might still be needed.
NOTE 2   For the purposes of this document, the terms “% (m/m)” and “% (V/V)” are used to represent respectively the mass fraction, µ, and the volume fraction, φ.

  • Technical specification
    16 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO 80601-2-70:2026(Main)
Medical electrical equipment - Part 2-70: Particular requirements for basic safety and essential performance of sleep apnoea breathing therapy equipment (ISO 80601-2-70:2025)
EN ISO 80601-2-70:2025

This document is applicable to the basic safety and essential performance of sleep apnoea breathing therapy equipment, hereafter referred to as ME equipment, intended to alleviate the symptoms of patients who suffer from obstructive sleep apnoea by delivering a therapeutic breathing pressure to the respiratory tract of the patient. Sleep apnoea breathing therapy equipment is intended for use in the home healthcare environment by lay operators as well as in professional healthcare institutions.
Sleep apnoea breathing therapy equipment is not considered to utilize a physiologic closed-loop-control system unless it uses a physiological patient variable to adjust the therapy settings.
This document excludes sleep apnoea breathing therapy equipment intended for use with neonates.
This document is applicable to ME equipment or an ME system intended for those patients who are not dependent on artificial ventilation. This document is not applicable to ME equipment or an ME system intended for those patients who are dependent on artificial ventilation such as patients with central sleep apnoea.
This document is also applicable to those accessories intended by their manufacturer to be connected to sleep apnoea breathing therapy equipment, where the characteristics of those accessories can affect the basic safety or essential performance of the sleep apnoea breathing therapy equipment.
Masks and application accessories intended for use during sleep apnoea breathing therapy are additionally addressed by ISO 17510. Refer to Figure AA.1 for items covered further under this document.
If a clause or subclause is specifically intended to be applicable to ME equipment only, or to ME systems only, the title and content of that clause or subclause will say so. If that is not the case, the clause or subclause applies both to ME equipment and to ME systems, as relevant.
Hazards inherent in the intended physiological function of ME equipment or ME systems within the scope of this document are not covered by specific requirements in this document except in 7.2.13 and 8.4.1 of the general standard.
NOTE 2        See also 4.2 of the general standard.
This document does not specify the requirements for:
–    ventilators or accessories intended for critical care ventilators for ventilator-dependent patients, which are given in ISO 80601‑2‑12.
–    ventilators or accessories intended for anaesthetic applications, which are given in ISO 80601-2-13.
–    ventilators or accessories intended for home care ventilators for ventilator-dependent patients, which are given in ISO 80601-2-72.
–    ventilators or accessories intended for emergency and transport, which are given in ISO 80601-2-84.
–    ventilators or accessories intended for home-care ventilatory support, which are given in ISO 80601‑2-79 and ISO 80601‑2‑80.
–    high-frequency ventilators[23], which are given in ISO 80601-2-87.
–    respiratory high flow equipment, which are given in ISO 80601‑2‑90;
NOTE 3      ISO 80601-2-80 ventilatory support equipment can incorporate high-flow therapy operational mode, but such a mode is only for spontaneously breathing patients.
–    user-powered resuscitators, which are given in ISO 10651-4;
–    gas-powered emergency resuscitators, which are given in ISO 10651-5;
–    oxygen therapy constant flow ME equipment; and
–    cuirass or “iron-lung” ventilation equipment.

  • Standard
    89 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 15016-2:2023+A1:2026(Main + Amendment)
Railway applications - Technical documents - Part 2: Parts lists
EN 15016-2:2023+A1:2025

This document specifies the preparation and reproduction of design parts. This document defines the basic principles and structure of design parts lists. This document is applicable to all design parts lists for railway applications.

  • Standard
    26 pages
    English language
    sale 10% off
    e-Library read for
    1 day