Personal data protection requirements for processing operations

This document specifies baseline requirements for demonstrating compliance with the European personal data protection normative
framework in accordance with ISO/IEC 17065.

Anforderungen an den Datenschutz bei Verarbeitungsvorgängen

Dieses Dokument legt die grundlegenden Anforderungen für den Nachweis fest, dass die Verarbeitungs¬tätigkeiten dem europäischen normativen Bezugsrahmen für den Schutz personenbezogener Daten in Über¬einstimmung mit EN ISO/IEC 17065 entsprechen. Es gilt jedoch nicht für Produkte oder Management¬systeme, die für die Verarbeitung personenbezogener Daten vorgesehen sind.
Dieses Dokument gilt für alle Organisationen, die – als für die Datenverarbeitung Verantwortliche („Verantwortlicher“) und/oder Auftragsverarbeiter – personenbezogene Daten verarbeiten, und sein Ziel ist es, eine Reihe von Anforderungen bereitzustellen, die es diesen Organisationen ermöglichen, sich wirksam an den europäischen normativen Bezugsrahmen für den Schutz personenbezogener Daten anzupassen.
Eine Organisation kann beschließen, dass die Norm nur auf eine bestimmte Untergruppe ihrer Verarbei¬tungstätigkeiten anwendbar ist, wenn eine solche Entscheidung nicht die Nichteinhaltung des normativen europäischen Bezugsrahmens für den Schutz personenbezogener Daten beinhaltet.
Dieses Dokument enthält auch Angaben für die Bewertung der Konformität mit den vorgenannten Anforderungen.

Exigences de protection des données à caractère personnel pour les opérations de traitement

Le présent document spécifie des exigences de base pour démontrer la conformité des activités de traitement au cadre normatif européen de protection des données à caractère personnel, conformément à l'EN ISO/IEC 17065. Il ne s'applique cependant pas aux produits ou systèmes de management destinés au traitement des données à caractère personnel.
Le présent document est applicable à tous les organismes qui, en tant que responsables de traitement et/ou sous-traitants, traitent des données à caractère personnel, et son objectif est de fournir un ensemble d'exigences permettant à ces organismes de se conformer efficacement au cadre normatif européen de protection des données à caractère personnel.
Un organisme peut décider que la norme n'est applicable qu'à un sous-ensemble spécifique de ses activités de traitement si une telle décision n'implique pas une non-conformité avec le cadre normatif européen de protection des données à caractère personnel.
Le présent document fournit également des indications pour l'évaluation de la conformité avec les exigences susmentionnées.

Zahteve za varstvo osebnih podatkov za postopke obdelave

General Information

Status
Not Published
Public Enquiry End Date
13-Feb-2022
Technical Committee
Current Stage
5020 - Formal vote (FV) (Adopted Project)
Start Date
24-Jul-2023
Due Date
11-Sep-2023

Buy Standard

Draft
prEN 17799:2022
English language
26 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
oSIST prEN 17799:2022
01-februar-2022
Zahteve za varstvo osebnih podatkov za postopke obdelave
Personal data protection requirements for processing operations
Anforderungen an den Datenschutz bei Verarbeitungsvorgängen
Ta slovenski standard je istoveten z: prEN 17799
ICS:
03.160 Pravo. Uprava Law. Administration
35.020 Informacijska tehnika in Information technology (IT) in
tehnologija na splošno general
oSIST prEN 17799:2022 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN 17799:2022

---------------------- Page: 2 ----------------------
oSIST prEN 17799:2022


EUROPEAN STANDARD DRAFT
prEN 17799
NORME EUROPÉENNE

EUROPÄISCHE NORM

December 2021
ICS 03.120.20; 03.160

English version

Personal data protection requirements for processing
operations
Exigences de protection des données à caractère Anforderungen an den Datenschutz bei
personnel pour les opérations de traitement Verarbeitungsvorgängen
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.

If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.

This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.














CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2021 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. prEN 17799:2021 E
reserved worldwide for CEN national Members and for
CENELEC Members.

---------------------- Page: 3 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 Overview . 8
5 Planning . 8
5.1 General. 8
5.2 Understanding the needs and expectations of interested parties . 8
5.3 Scope of personal data processing activities . 9
5.3.1 General. 9
5.3.2 Records of data processing activities . 9
5.3.3 Identification of the legal basis . 9
5.3.4 Data minimization . 10
5.3.5 Storage of data . 10
5.4 Policy for personal data protection . 11
5.5 Roles and responsibilities . 11
5.5.1 General. 11
5.5.2 Internal roles . 12
5.5.3 External roles . 13
5.6 Risk management . 13
5.6.1 General. 13
5.6.2 Data protection risk assessment and impact analysis . 13
5.6.3 Evaluation of the impact on data protection . 15
5.6.4 Risk treatment and treatment plan . 15
5.7 Personal data protection by design and by default . 15
6 Operational activities . 16
6.1 General. 16
6.2 Data protection notices and consent . 16
6.2.1 Data protection notices . 16
6.2.2 Consent . 16
6.3 Update of roles . 17
6.4 Personal data protection . 17
6.4.1 Erasure of data . 17
6.4.2 Implementation and maintenance of security measures . 17
6.4.3 Management of personal data breaches . 18
6.5 Data subjects’ requests for the application of their rights. 19
6.5.1 General. 19
6.5.2 Data access . 19
6.5.3 Correction . 19
6.5.4 Erasure. 20
6.5.5 Restriction of processing . 20
6.5.6 Data portability . 20
6.5.7 Objections . 20
2

---------------------- Page: 4 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
6.5.8 Automated decisions, including profiling . 21
6.5.9 Complaints and appeals . 21
6.6 Training and awareness . 21
7 Control . 21
7.1 General . 21
7.2 Internal audits . 21
7.3 Periodical report. 22
7.4 Nonconformities and corrective actions . 23
Annex A (informative) Controllers and processors requirements mapping . 24
Bibliography . 26
3

---------------------- Page: 5 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
European foreword
This document (prEN 17799:2021) has been prepared by Technical Committee CEN/CLC/JTC 13
“Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
4

---------------------- Page: 6 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
Introduction
Personal data protection is regulated throughout Europe according to laws, the most important of which
is the European Regulation 2016/679 (hereafter referred to as “Regulation”). This regulates the
protection of natural persons with regard to the processing of personal data but does not contextualise
it in a set of consequential or related activities and refers specifically to mechanisms for the certification
of personal data protection for demonstrating compliance with the Regulation.
ISO/IEC 27701 is undergoing the process for adoption as an EN, and CEN/CLC JTC 13 is undertaking a
new work item on “enhancing ISO/IEC 27701 for the EU context”. Those efforts will also provide a solid
basis for GDPR conformance and alignment of the European data protection landscape with global norms.
The focus of those standards is however fundamentally different since they are aimed to a management
system and not to services and processes as the current document.
5

---------------------- Page: 7 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
1 Scope
This document specifies baseline requirements for demonstrating processing activities compliance with
the European personal data protection normative framework in accordance with EN ISO/IEC 17065. It
does not however apply to products or management systems destined for processing personal data.
This document is applicable to all organizations which, as personal data controllers and/or processors,
process personal data, and its objective is to provide a set of requirements enabling such organizations
to conform effectively with the European personal data protection normative framework.
An organization can decide that the standard is applicable only to a specific subset of its processing
activities if such a decision does not involve failure to conform with the European personal data
protection normative framework.
This document also provides indications for conformity assessment with the aforementioned
requirements.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology - Security techniques - Information security management systems -
Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following
apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1
supervisory authority
independent public authority which is established by a Member State pursuant to Article 51
[SOURCE: European Regulation 2016/679]
3.2
supervisory authority concerned
supervisory authority which is concerned by the processing of personal data because: (a) the controller
or processor is established on the territory of the Member State of that supervisory authority; (b) data
subjects residing in the Member State of that supervisory authority are substantially affected or likely to
be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory
authority
[SOURCE: European Regulation 2016/679]
6

---------------------- Page: 8 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
3.3
consent
consent of the data subject
any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he
or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal
data relating to him or her
[SOURCE: European Regulation 2016/679]
3.4
personal data
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable
natural person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person
[SOURCE: European Regulation 2016/679]
3.5
profiling
any form of automated processing of personal data used to evaluate certain aspects relating to a natural
person, in particular to analyse or to predict aspects concerning that natural person’s performance at
work, economic situation, health, personal preferences, interests, reliability, behaviour, location or
movements
[SOURCE: European Regulation 2016/679]
3.6
processor
natural or legal person, public authority, agency or other body which processes personal data on behalf
of the controller
[SOURCE: European Regulation 2016/679]
3.7
processing
any operation or set of operations which is performed on personal data or on sets of personal data,
whether or not by automated means, such as collection, recording, organization, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or destruction
[SOURCE: European Regulation 2016/679]
3.8
controller
natural or legal person, public authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data; where the purposes and means
of such processing are determined by Union or Member State law, the controller or the specific criteria
for its nomination may be provided for by Union or Member State law
[SOURCE: European Regulation 2016/679]
7

---------------------- Page: 9 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
3.9
third party
the natural or legal person, public authority, agency or other body other than a data subject, controller,
processor and persons who, under the direct authority of the controller or processor, are authorized to
process personal data
[SOURCE: European Regulation 2016/679]
3.10
impact
data protection impact
anything that has an effect on the protection of a data subject and/or group of data subjects
[SOURCE: ISO/IEC 27557]
3.11
consequence
outcome of an event affecting organizational objectives
[SOURCE: ISO/IEC 27557]
4 Overview
This document specifies baseline requirements for the processing of personal data so that an
organization, whether controller or processor, is able to attain compliance with the European and
applicable national personal data protection normative framework. The separation between controller
and processor activities is based on the requirements within the aforementioned normative framework
but processors might be delegated more activities by the related controllers, therefore transferring the
applicability of related additional requirements set forth in this document to them.
The present document is completed by Annex A which contains the indications for conformity
assessment to the requirements of the document.
5 Planning
5.1 General
This clause sets out the activities which a controller or processor shall perform, in order to carry out the
protection of personal data in a systematic and organized way within processing activities. They shall be
implemented periodically or after relevant changes such as modifications to the law or corporate
organization, structural changes in information technology or its characteristics.
5.2 Understanding the needs and expectations of interested parties
The controller or processor shall determine:
a) all interested parties, involved in personal data processing activities including data subjects,
processors and controllers; and
b) the requirements of such interested parties related to personal data processing activities;
the mandatory requirements of the normative reference framework of national laws and the
contractual obligations.
8

---------------------- Page: 10 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
5.3 Scope of personal data processing activities
5.3.1 General
The controller shall determine the limits and applicability of the personal data processing, documenting:
records of data processing activities, their legal basis, the locations, organizational structure (including
all interested parties identified in 5.1), information systems and main involved supporting assets.
5.3.2 Records of data processing activities
The controller or processor shall identify the personal data and their flow related to each processing and
shall keep them updated in personal data processing activity records. In particular, the controller or
processor shall establish and maintain up-to-date records of data processing activities identifying:
1) the controller of the processing;
2) the processes which use personal data;
3) the sources of processed personal data;
4) the processed personal data and related categories;
5) the purposes of the use of the personal data;
6) the recipients of personal data, including third parties;
7) the role (controller, processor or joint controller of the processing of the organization;
8) the information systems involved in the archiving of personal data;
9) any transfers of personal data to third parties, international organizations or other countries;
10) the storage period of personal data or the criteria used for determining such period and the measures
taken at the end of the period;
11) the locations where processing takes place.
NOTE This is in line with article 30 of the Regulation.
5.3.3 Identification of the legal basis
The controller shall define the legal basis for the processing of personal data and communicate them to
the data subjects. The controller shall document the legal basis.
NOTE The legal basis contained in article 6 of the Regulation are as follows:
—  the data subject has given consent to the processing of his or her personal data for one or more specific
purposes;
—  processing is necessary for the performance of a contract to which the data subject is party or in order to take
steps at the request of the data subject prior to entering into a contract;
—  processing is necessary for compliance with a legal obligation to which the controller is subject;
—  processing is necessary for protecting the vital interests of the data subject or of another natural person;
9

---------------------- Page: 11 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
—  processing is necessary for the performance of a task carried out in the public interest or for in the exercise of
official authority vested in the controller;
—  processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,
except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
which require protection of personal data, in particular where the data subject is a child.
When special categories of personal data are processed, the controller shall identify, define, communicate
and document the legal basis for the processing of personal data, which shall be instead chosen from
amongst the following:
— the explicit data subject’s consent for specific purposes;
— processing is necessary for compliance with labour laws;
— processing is necessary for the protection of the vital interests of data subjects;
— processing is necessary for the legitimate activities of a foundation, association or other no-profit —
body for political, philosophical, religious or trade union purposes, with appropriate safeguards;
— it is information intentionally made public by data subjects;
— processing is necessary for the creation, performance or defence of legal claims;
— processing is necessary for reasons of relevant public interests;
— processing is necessary for preventive or occupational medicine, for the provision of health services
or social assistance;
— processing is necessary for reasons of public health or professional secrecy;
— processing is necessary for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes.
NOTE As defined by Article 9 of the Regulation.
5.3.4 Data minimization
The controller shall, for all processing, always ensure that:
a) the organization processes the minimum quantity of personal data requested to fulfil its legitimate
purposes;
b) any other personal data which is not relevant are not gathered unless the provision of such
information is optional and only processed with the consent of the data subject;
c) any processing activity and the relevant purposes are performed accordingly to the data protection
notice;
d) new systems and processes involving processing of personal data are reviewed in order to guarantee
that the processed information is relevant and not unnecessary.
5.3.5 Storage of data
Storage periods of personal data, or, where not possible, the criteria used to determine those periods,
shall be:
10

---------------------- Page: 12 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
a) defined by the controller considering the effective need for the purposes of processing and the
periods indicated in the normative requirements and in the purposes of the processing; and
b) declared in the relevant data protection notices.
The controller shall keep documentation regarding the motivations leading to the definition of such
periods.
5.4 Policy for personal data protection
The controller’s or processor’s top management shall establish a policy for personal data protection
which:
a) is consistent with the purposes of the organization;
b) provides a reference framework for setting objectives for the protection of personal data;
c) includes a commitment to fulfil applicable requirements for the protection of personal data in
compliance with the present document and with the reference personal data protection normative
framework;
d) includes a commitment to continuously improve the protection of personal data;
e) is suitable for the corporate organization and its geographical location, the architecture and
connection of the networks and IT systems and the existing policies concerning the exchange of data.
The policy for personal data protection shall:
— be documented;
— be communicated within the organization;
— be made available to all interested parties, external and internal, involved in the processing of
personal data; and
— be periodically reviewed and updated if necessary.
The policy for personal data protection shall involve the coverage of all processing of personal data of
data subjects covered by EU law.
5.5 Roles and responsibilities
5.5.1 General
The controller’s or processor’s top management shall ensure that the responsibilities and authority of the
relevant roles are assigned and communicated.
The controller’s or processor’s top management shall assign the responsibilities and authority in order
to:
a) ensure that the activities regarding the processing of personal data conform with the present
document and with the normative reference standard framework; and
b) report the results of such activities to the top management.
c) Responsibilities shall be duly assigned for:
11

---------------------- Page: 13 ----------------------
oSIST prEN 17799:2022
prEN 17799:2021 (E)
d) monitoring the compliance of the policy for personal data protection with the normative reference
framework;
e) implementing the objectives for the protection of personal data, including those defined in the
practice regarding the processing of personal data set out or specified in any code of conduct
applicable to the organization;
f) managing the training program and creating awareness;
g) assigning authorizations for the processing of personal data;
h) defining and approving the following documented procedures for processing personal data:
1) gathering and processing of personal data;
2) management and communication of all information regarding the personal data protection;
3) processing of requests made by data subjects;
4) management of complaints;
5) management of personal data breaches;
6) management of suppliers and external officers;
7) controls and any transfers of personal data to third parties or international organizations; and
8) monitoring of normative updates and legal developments concerning the personal data
protection.
5.5.2 Internal roles
5.5.2.1 Data protection manager
At least one member of the controller’s or processor’s management shall be designated as person in
charge of data protection matters for activities of the processing of personal data within an organization
in such a way as to manage compliance with the data protection requirements and best practices.
prEN 17740 defines the competence requirements applicable to the profile and its main characteristics.
5.5.2.2 Data protection officer
If a controller or a processor is required to nominate a data protection officer in accordance with article
37 of the Regulation or decides to do so owing to specific corporate needs, it shall nominate a person
adequately qualified to perform such tasks and it shall assign this person’s role.
NOTE The assignment of the person’s role is described in article 38 of the Regulation.
The contact details of the data protection officer shall be communicated to the competent supervisory
authority and included in the data protection notices (see 6.2.1).
The data protection officer, or if such figure does not exist, an adequately qualified person, shall ensure
at least the conduct of the tasks.
NOTE These tasks are set out in article 39 of the Regulation.
prEN 17740 defines the competence
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.