M/530 - Privacy Management

[C(2015)102] Standardization request on privacy and personal data protection management in the design and development and in the production and service provision and process in the security technologies

English

Mandate M/530 requests the European standardisation organisations to develop standards on privacy and personal data protection management. The focus is on integrating these privacy principles throughout the design, development, production, service provision, and related processes within security technologies. The aim is to ensure secure technology solutions comply with data protection requirements, enhancing user trust and regulatory adherence across the EU. This mandate supports the implementation of privacy by design and by default in security technology products and services.

Purpose

The mandate M/530 concerns the standardisation of privacy and personal data protection management. It focuses on integrating privacy and data protection considerations throughout the entire lifecycle of security technologies. This includes design and development, production, service provision, and operational processes.

Standardisation request

The European Commission requests the development of harmonised standards that address privacy management and data protection requirements specifically within security technologies. These standards should guide manufacturers and service providers in embedding privacy principles and ensuring compliance with EU data protection laws.

Expected deliverables

The deliverables expected from this mandate include:

Technical specifications and guidelines for privacy and personal data protection management systems applicable to security technologies.
Standards that cover processes from the design stage through to production and provision of services.
Frameworks that facilitate compliance with EU privacy regulations and enhance trust in security technology products and services.

Context

This mandate aligns with the EU’s broader objective to strengthen personal data protection and privacy by making them intrinsic elements of security technology management. It supports the Digital Single Market strategy by promoting interoperable privacy standards across member states. The request complements existing legal frameworks like the General Data Protection Regulation (GDPR) to ensure comprehensive privacy protection throughout technology lifecycles.

This mandate covers standardisation work on privacy and personal data protection management throughout the entire lifecycle of security technologies, including design, development, production, service provision, and related processes.

General Information

Organization

CEN - CEN European Committee for Standardization

Resolution Reference

D148/029

Resolution Date

28-Oct-2014

Type Of Decision

(Dis-)Approval of mandate

Search Term

Standardization Organization

ICS

Technical Committee

Technical Committee Code

Directive

Project Code

Project Reference

Project Title

Project Scope

	Apr 2026
29	30	31	1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	1	2
3	4	5	6	7	8	9

	May 2026
26	27	28	29	30	1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31	1	2	3	4	5	6

Publication Date

	Apr 2026
29	30	31	1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	1	2
3	4	5	6	7	8	9

	May 2026
26	27	28	29	30	1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31	1	2	3	4	5	6

Withdrawal Date

	Apr 2026
29	30	31	1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	1	2
3	4	5	6	7	8	9

	May 2026
26	27	28	29	30	1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31	1	2	3	4	5	6

Public Enquiry End Date

Page Size:

SIST

SIST-TP CEN/TR 18241:2026(Main)

Privacy management in products and services - Biometric access control products and services

CEN/TR 18241:2025

This document contains recommendations on how to integrate the principle of ‘data protection and privacy by design’ during the entire lifecycle of biometric access-control products and services, in order to achieve ‘data protection and privacy by default’.
NOTE 1 The GDPR requires the effective integration of data-protection safeguards into the processing of personal data (Article 25).
NOTE 2 Biometric access control includes cards and passports, biometric comparisons on card, in databases and a combination of both, as well as one-to-one and one-to-many (and many-to-many) comparisons.
NOTE 3 Biometric access control is used at work and border control as well as in combination with cards and PINs and in online and mobile services.
Facial recognition for access control is covered by this document.
This document extends EN 17529.
This document applies to aspects of data protection and privacy by design.
This document is not applicable to non-biometric aspects of access control, or to aspects not relating to data protection or privacy.
NOTE 4 In general, biometrics is for example covered by ISO/JTC 1/SC 37 and CEN/TC 224/WG 18.

Technical report
12 pages
English language
e-Library read for
AI-Chat
1 day

14-Oct-2025
19-Jan-2026
35.030
35.240.15
95/46/EC
M/530
ITC

CEN

CEN/TR 18241:2025(Main)

Privacy management in products and services - Biometric access control products and services

SIST-TP CEN/TR 18241:2026

This document contains recommendations on how to integrate the principle of ‘data protection and privacy by design’
during the entire lifecycle of biometric access-control products and services, in order to achieve ‘data protection and
privacy by default’.
Biometric facial recognition for access control is covered by this document. Biometric facial recognition for surveillance is
covered by CEN/CLC/JTC 13 TR ‘Video surveillance’.
This document specifies recommendations for the management of data protection and privacy by design in biometricaccess-
control products and services. This document extends ISO/IEC 27552. This document applies to aspects of data
protection and privacy by design. This document is not applicable to non-biometric aspects of access control, or to aspects
not relating to data protection or privacy.

Technical report
12 pages
English language
e-Library read for
AI-Chat
1 day

SIST

SIST-TP CEN/CLC/TR 17919:2023(Main)

Data protection and privacy by design and by default - Technical Report on applicability to the videosurveillance industry - State of the art

CEN/CLC/TR 17919:2023

This document contains recommendations on how to integrate the principle of ‘data protection and privacy by design’ during the entire lifecycle of video-surveillance products and services, in order to achieve ‘data protection and privacy by default’.

Technical report
15 pages
English language
e-Library read for
AI-Chat
1 day

CEN

CEN/CLC/TR 17919:2023(Main)

Data protection and privacy by design and by default - Technical Report on applicability to the video surveillance industry - State of the art

SIST-TP CEN/CLC/TR 17919:2023

Technical report
15 pages
English language
e-Library read for
AI-Chat
1 day

CEN

EN 17529:2022(Main)

Data protection and privacy by design and by default

SIST EN 17529:2022

This document provides requirements for manufacturers and/or service providers to implement Data protection and Privacy by Design and by Default (DPbDD) early in their development of their products and services, i.e. before (or independently of) any specific application integration, to make sure that they are as privacy ready as possible. The document will be applicable to all business sectors, including the security industry.

Standard
62 pages
English language
e-Library read for
AI-Chat
1 day

17-May-2022
29-Nov-2022
35.030
2016/679
95/46/EC
M/530
CEN/CLC/TC 13

SIST

SIST EN 17529:2022(Main)

Data protection and privacy by design and by default

EN 17529:2022

Standard
62 pages
English language
e-Library read for
AI-Chat
1 day

06-Sep-2020
16-Aug-2022
35.030
2016/679
95/46/EC
M/530
ITC

Page Size:

Frequently Asked Questions

What is a European Standardization Mandate?

A European Standardization Mandate is a formal request from the European Commission to the European Standardization Organizations (CEN, CENELEC, and ETSI) to develop European standards (ENs) in support of EU legislation and policies. Mandates are issued under Regulation (EU) No 1025/2012 and help ensure that products and services meet the essential requirements set out in EU directives and regulations.

What does M/530 cover?

M/530 is a European Standardization Mandate titled "[C(2015)102] Standardization request on privacy and personal data protection management in the design and development and in the production and service provision and process in the security technologies". [C(2015)102] Standardization request on privacy and personal data protection management in the design and development and in the production and service provision and process in the security technologies There are 6 standards developed under this mandate.

How do mandates relate to harmonized standards?

Standards developed in response to a mandate and cited in the Official Journal of the European Union become "harmonized standards". Products manufactured in compliance with harmonized standards benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation, facilitating CE marking and market access across the European Economic Area.