Information technology - Security techniques - Privacy framework (ISO/IEC 29100:2011, including Amd 1:2018)

This International Standard provides a privacy framework which
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
This International Standard is applicable to natural persons and organizations involved in specifying,
procuring, architecting, designing, developing, testing, maintaining, administering, and operating
information and communication technology systems or services where privacy controls are required
for the processing of PII.

Informationstechnik - Sicherheitsverfahren - Rahmenwerk für Datenschutz (ISO/IEC 29100:2011, einschließlich Amd 1:2018)

Diese Internationale Norm enthält ein Rahmenwerk für Datenschutz, das
- eine gemeinsame Terminologie zum Datenschutz festlegt,
- die handelnden Stellen und ihre Rollen bei der Verarbeitung von personenbezogenen Daten (pbD) festlegt,
- Überlegungen zum Datenschutz beschreibt und
- Verweisungen auf bekannte Datenschutzprinzipien für Informationstechnologie enthält.
Diese Internationale Norm gilt für natürliche Personen und Organisationen, die mit Festlegung, Bereitstellung, Aufbau, Entwurf, Entwicklung, Prüfung, Aufrechterhaltung, Verwaltung und Betrieb von Informations- und Kommunikationstechniksystemen befasst sind, wenn Steuerungsmaßnahmen für den Datenschutz für die Verarbeitung von pbD erforderlich sind.

Technologies de l'information - Techniques de sécurité - Cadre privé (ISO/IEC 29100:2011, y compris Amd 1:2018)

ISO/IEC 29100:2011 provides a privacy framework which specifies a common privacy terminology;
defines the actors and their roles in processing personally identifiable information (PII);
describes privacy safeguarding considerations; and
provides references to known privacy principles for information technology.
ISO/IEC 29100:2011 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

Informacijska tehnologija - Varnostne tehnike - Zasebni okvir (ISO/IEC 29100:2011, vključno z dopolnilom A1:2018)

General Information

Status
Published
Public Enquiry End Date
29-Apr-2020
Publication Date
28-Jul-2020
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
18-Jun-2020
Due Date
23-Aug-2020
Completion Date
29-Jul-2020

Buy Standard

Standard
EN ISO/IEC 29100:2020
English language
37 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Standard
EN ISO/IEC 29100:2020
English language
37 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Draft
prEN ISO/IEC 29100:2020
English language
34 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST EN ISO/IEC 29100:2020
01-september-2020
Informacijska tehnologija - Varnostne tehnike - Zasebni okvir (ISO/IEC 29100:2011,
vključno z dopolnilom A1:2018)
Information technology - Security techniques - Privacy framework (ISO/IEC 29100:2011,
including Amd 1:2018)
Informationstechnik - Sicherheitsverfahren - Rahmenwerk für Datenschutz (ISO/IEC
29100:2011, einschließlich Amd 1:2018)
Technologies de l'information - Techniques de sécurité - Cadre privé (ISO/IEC
29100:2011, y compris Amd 1:2018)
Ta slovenski standard je istoveten z: EN ISO/IEC 29100:2020
ICS:
35.030 Informacijska varnost IT Security
SIST EN ISO/IEC 29100:2020 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO/IEC 29100:2020

---------------------- Page: 2 ----------------------
SIST EN ISO/IEC 29100:2020


EUROPEAN STANDARD EN ISO/IEC 29100

NORME EUROPÉENNE

EUROPÄISCHE NORM
June 2020
ICS 35.030

English version

Information technology - Security techniques - Privacy
framework (ISO/IEC 29100:2011, including Amd 1:2018)
Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -
- Cadre privé (ISO/IEC 29100:2011, y compris Amd Rahmenwerk für Datenschutz (ISO/IEC 29100:2011,
1:2018) einschließlich Amd 1:2018)

This European Standard was approved by CEN on 31 May 2020.

This European Standard was corrected and reissued by the CEN-CENELEC Management Centre on 1 July 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.





















CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 29100:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.

---------------------- Page: 3 ----------------------
SIST EN ISO/IEC 29100:2020
EN ISO/IEC 29100:2020 (E)
Contents Page
European foreword . 3

2

---------------------- Page: 4 ----------------------
SIST EN ISO/IEC 29100:2020
EN ISO/IEC 29100:2020 (E)
European foreword
The text of ISO/IEC 29100:2011, including Amd 1:2018 has been prepared by Technical Committee
ISO/IEC JTC 1 "Information technology” of the International Organization for Standardization (ISO) and
has been taken over as EN ISO/IEC 29100:2020 by Technical Committee CEN/CLC/JTC 13
“Cybersecurity and Data Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by December 2020, and conflicting national standards
shall be withdrawn at the latest by December 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 29100:2011, including Amd 1:2018 has been approved by CEN as
EN ISO/IEC 29100:2020 without any modification.

3

---------------------- Page: 5 ----------------------
SIST EN ISO/IEC 29100:2020

---------------------- Page: 6 ----------------------
SIST EN ISO/IEC 29100:2020

INTERNATIONAL ISO/IEC
STANDARD 29100
First edition
2011-12-15

Information technology — Security
techniques — Privacy framework
Technologies de l'information — Techniques de sécurité — Cadre privé




Reference number
ISO/IEC 29100:2011(E)
©
ISO/IEC 2011

---------------------- Page: 7 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2011 – All rights reserved

---------------------- Page: 8 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Contents Page
Foreword . v
Introduction . vi
1  Scope . 1
2  Terms and definitions . 1
3  Symbols and abbreviated terms . 4
4  Basic elements of the privacy framework . 5
4.1  Overview of the privacy framework . 5
4.2  Actors and roles . 5
4.2.1  PII principals . 5
4.2.2  PII controllers . 5
4.2.3  PII processors . 5
4.2.4  Third parties . 6
4.3  Interactions . 6
4.4  Recognizing PII . 7
4.4.1  Identifiers . 7
4.4.2  Other distinguishing characteristics . 7
4.4.3  Information which is or might be linked to a PII principal . 8
4.4.4  Pseudonymous data . 9
4.4.5  Metadata . 9
4.4.6  Unsolicited PII . 9
4.4.7  Sensitive PII . 9
4.5  Privacy safeguarding requirements . 10
4.5.1  Legal and regulatory factors . 11
4.5.2  Contractual factors . 11
4.5.3  Business factors . 12
4.5.4  Other factors . 12
4.6  Privacy policies . 13
4.7  Privacy controls . 13
5  The privacy principles of ISO/IEC 29100 . 14
5.1  Overview of privacy principles . 14
5.2  Consent and choice . 14
5.3  Purpose legitimacy and specification . 15
5.4  Collection limitation . 15
5.5  Data minimization . 16
5.6  Use, retention and disclosure limitation . 16
5.7  Accuracy and quality . 16
5.8  Openness, transparency and notice . 17
5.9  Individual participation and access . 17
5.10  Accountability . 18
5.11  Information security . 18
5.12  Privacy compliance . 19
Annex A (informative) Correspondence between ISO/IEC 29100 concepts and ISO/IEC 27000
concepts . 20
Bibliography . 21

© ISO/IEC 2011 – All rights reserved iii

---------------------- Page: 9 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Figures
Figure 1 – Factors influencing privacy risk management . 11

Tables
Table 1 – Possible flows of PII among the PII principal, PII controller, PII processor and a third party and their
roles 7
Table 2 – Example of attributes that can be used to identify natural persons 8
Table 3 – The privacy principles of ISO/IEC 29100 14
Table A.1 – Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts 20

iv © ISO/IEC 2011 – All rights reserved

---------------------- Page: 10 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 29100 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

© ISO/IEC 2011 – All rights reserved v

---------------------- Page: 11 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Introduction
This International Standard provides a high-level framework for the protection of personally
identifiable information (PII) within information and communication technology (ICT) systems. It is
general in nature and places organizational, technical, and procedural aspects in an overall privacy
framework.
The privacy framework is intended to help organizations define their privacy safeguarding
requirements related to PII within an ICT environment by:
- specifying a common privacy terminology;
- defining the actors and their roles in processing PII;
- describing privacy safeguarding requirements; and
- referencing known privacy principles.
In some jurisdictions, this International Standard’s references to privacy safeguarding requirements
might be understood as being complementary to legal requirements for the protection of PII. Due to
the increasing number of information and communication technologies that process PII, it is
important to have international information security standards that provide a common understanding
for the protection of PII. This International Standard is intended to enhance existing security
standards by adding a focus relevant to the processing of PII.
The increasing commercial use and value of PII, the sharing of PII across legal jurisdictions, and the
growing complexity of ICT systems, can make it difficult for an organization to ensure privacy and to
achieve compliance with the various applicable laws. Privacy stakeholders can prevent uncertainty
and distrust from arising by handling privacy matters properly and avoiding cases of PII misuse.
Use of this International Standard will:
- aid in the design, implementation, operation, and maintenance of ICT systems that handle and protect
PII;
- spur innovative solutions to enable the protection of PII within ICT systems; and
- improve organizations’ privacy programs through the use of best practices.
The privacy framework provided within this International Standard can serve as a basis for additional
privacy standardization initiatives, such as for:
- a technical reference architecture;
- the implementation and use of specific privacy technologies and overall privacy management;
- privacy controls for outsourced data processes;
- privacy risk assessments; or
- specific engineering specifications.
Some jurisdictions might require compliance with one or more of the documents referenced in
ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents
References [3] or with other applicable laws and regulations, but this International Standard is not
intended to be a global model policy, nor a legislative framework.

vi © ISO/IEC 2011 – All rights reserved

---------------------- Page: 12 ----------------------
SIST EN ISO/IEC 29100:2020
INTERNATIONAL STANDARD ISO/IEC 29100:2011(E)

Information technology — Security techniques — Privacy
framework
1 Scope
This International Standard provides a privacy framework which
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
This International Standard is applicable to natural persons and organizations involved in specifying,
procuring, architecting, designing, developing, testing, maintaining, administering, and operating
information and communication technology systems or services where privacy controls are required
for the processing of PII.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE In order to make it easier to use the ISO/IEC 27000 family of International Standards in the specific context of
privacy and to integrate privacy concepts in the ISO/IEC 27000 context, the table in Annex A provides the ISO/IEC 27000
concepts that correspond with the ISO/IEC 29100 concepts used in this International Standard.
2.1
anonymity
characteristic of information that does not permit a personally identifiable information principal to be
identified directly or indirectly
2.2
anonymization
process by which personally identifiable information (PII) is irreversibly altered in such a way that a
PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in
collaboration with any other party
2.3
anonymized data
data that has been produced as the output of a personally identifiable information anonymization
process
2.4
consent
personally identifiable information (PII) principal’s freely given, specific and informed agreement to
the processing of their PII
© ISO/IEC 2011 – All rights reserved 1

---------------------- Page: 13 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.5
identifiability
condition which results in a personally identifiable information (PII) principal being identified, directly
or indirectly, on the basis of a given set of PII
2.6
identify
establish the link between a personally identifiable information (PII) principal and PII or a set of PII
2.7
identity
set of attributes which make it possible to identify the personally identifiable information principal
2.8
opt-in
process or type of policy whereby the personally identifiable information (PII) principal is required to
take an action to express explicit, prior consent for their PII to be processed for a particular purpose
NOTE A different term that is often used with the privacy principle ‘consent and choice’ is “opt-out”. It describes a
process or type of policy whereby the PII principal is required to take a separate action in order to withhold or withdraw
consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has the right
to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent
(e.g., placing an order in an online shop).
2.9
personally identifiable information
PII
any information that (a) can be used to identify the PII principal to whom such information relates, or
(b) is or might be directly or indirectly linked to a PII principal
NOTE To determine whether a PII principal is identifiable, account should be taken of all the means which can
reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.
2.10
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for
processing personally identifiable information (PII) other than natural persons who use data for
personal purposes
NOTE A PII controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the
responsibility for the processing remains with the PII controller.
2.11
PII principal
natural person to whom the personally identifiable information (PII) relates
NOTE Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data
subject” can also be used instead of the term “PII principal”.
2.12
PII processor
privacy stakeholder that processes personally identifiable information (PII) on behalf of and in
accordance with the instructions of a PII controller
2.13
privacy breach
situation where personally identifiable information is processed in violation of one or more relevant
privacy safeguarding requirements
2 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 14 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.14
privacy controls
measures that treat privacy risks by reducing their likelihood or their consequences
NOTE 1 Privacy controls include organizational, physical and technical measures, e.g., policies, procedures, guidelines,
legal contracts, management practices or organizational structures.
NOTE 2 Control is also used as a synonym for safeguard or countermeasure.
2.15
privacy enhancing technology
PET
privacy control, consisting of information and communication technology (ICT) measures, products,
or services that protect privacy by eliminating or reducing personally identifiable information (PII) or
by preventing unnecessary and/or undesired processing of PII, all without losing the functionality of
the ICT system
NOTE 1 Examples of PETs include, but are not limited to, anonymization and pseudonymization tools that eliminate,
reduce, mask, or de-identify PII or that prevent unnecessary, unauthorized and/or undesirable processing of PII.
NOTE 2 Masking is the process of obscuring elements of PII.
2.16
privacy policy
overall intention and direction, rules and commitment, as formally expressed by the personally
identifiable information (PII) controller related to the processing of PII in a particular setting
2.17
privacy preferences
specific choices made by a personally identifiable information (PII) principal about how their PII
should be processed for a particular purpose
2.18
privacy principles
set of shared values governing the privacy protection of personally identifiable information (PII) when
processed in information and communication technology systems
2.19
privacy risk
effect of uncertainty on privacy
NOTE 1 Risk is defined as the “effect of uncertainty on objectives” in ISO Guide 73 and ISO 31000.
NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an
event, its consequence, or likelihood.
2.20
privacy risk assessment
overall process of risk identification, risk analysis and risk evaluation with regard to the processing of
personally identifiable information (PII)
NOTE This process is also known as a privacy impact assessment.
2.21
privacy safeguarding requirements
set of requirements an organization has to take into account when processing personally identifiable
information (PII) with respect to the privacy protection of PII
2.22
privacy stakeholder
natural or legal person, public authority, agency or any other body that can affect, be affected by, or
perceive themselves to be affected by a decision or activity related to personally identifiable
information (PII) processing
© ISO/IEC 2011 – All rights reserved 3

---------------------- Page: 15 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.23
processing of PII
operation or set of operations performed upon personally identifiable information (PII)
NOTE Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration,
retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion
or destruction of PII.
2.24
pseudonymization
process applied to personally identifiable information (PII) which replaces identifying information with
an alias
NOTE 1 Pseudonymization can be performed either by PII principals themselves or by PII controllers. Pseudonymization
can be used by PII principals to consistently use a resource or service without disclosing their identity to this resource or
service (or between services), while still being held accountable for that use.
NOTE 2 Pseudonymization does not rule out the possibility that there might be (a restricted set of) privacy stakeholders
other than the PII controller of the pseudonymized data which are able to determine the PII principal’s identity based on the
alias and data linked to it.
2.25
secondary use
processing of personally identifiable information (PII) in conditions which differ from the initial ones
NOTE Conditions that differ from the initial ones could involve, for example, a new purpose for processing PII, a new
recipient of the PII, etc.
2.26
sensitive PII
category of personally identifiable information (PII), either whose nature is sensitive, such as those
that relate to the PII principal’s most intimate sphere, or that might have a significant impact on the
PII principal
NOTE In some jurisdictions or in specific contexts, sensitive PII is defined in reference to the nature of the PII and can
consist of PII revealing the racial origin, political opinions or religious or other beliefs, personal data on health, sex life or
criminal convictions, as well as other PII that might be defined as sensitive.
2.27
third party
privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller
and the PII processor, and the natural persons who are authorized to process the data under the
direct authority of the PII controller or the PII processor
3 Symbols and abbreviated terms
The following abbreviations are common to ISO/IEC 29100.
ICT Information and Communication Technology
PET Privacy Enhancing Technology
PII Personally Identifiable Information
4 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 16 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
4 Basic elements of the privacy framework
4.1 Overview of the privacy framework
The following components relate to privacy and the processing of PII in ICT systems and make up
the privacy framework described in this International Standard:
- actors and roles;
- interactions;
- recognizing PII;
- privacy safeguarding requirements;
- privacy policies; and
- privacy controls.
For the development of this privacy framework, concepts, definitions and recommendations from
other official sources have been taken into consideration. These sources can be found in
ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents
References [3].
4.2 Actors and roles
For the purposes of this standard, it is important to identify the actors involved in the processing of
PII. There are four types of actors who can be involved in the processing of PII: PII principals, PII
controllers, PII processors and third parties.
4.2.1 PII principals
PII principals provide their PII for processing to PII controllers and PII processors and, when it is not
otherwise provided by applicable law, they give consent and determine their privacy preferences for
how their PII should be processed. PII principals can include, for example, an employee listed in the
human resources system of a company, the consumer mentioned in a credit report, and a pa
...

SLOVENSKI STANDARD
SIST EN ISO/IEC 29100:2020
01-september-2020
Informacijska tehnologija - Varnostne tehnike - Zasebni okvir (ISO/IEC 29100:2011,
vključno z dopolnilom A1:2018)
Information technology - Security techniques - Privacy framework (ISO/IEC 29100:2011,
including Amd 1:2018)
Informationstechnik - Sicherheitsverfahren - Rahmenwerk für Datenschutz (ISO/IEC
29100:2011, einschließlich Amd 1:2018)
Technologies de l'information - Techniques de sécurité - Cadre privé (ISO/IEC
29100:2011, y compris Amd 1:2018)
Ta slovenski standard je istoveten z: EN ISO/IEC 29100:2020
ICS:
35.030 Informacijska varnost IT Security
SIST EN ISO/IEC 29100:2020 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO/IEC 29100:2020

---------------------- Page: 2 ----------------------
SIST EN ISO/IEC 29100:2020


EUROPEAN STANDARD EN ISO/IEC 29100

NORME EUROPÉENNE

EUROPÄISCHE NORM
June 2020
ICS 35.030

English version

Information technology - Security techniques - Privacy
framework (ISO/IEC 29100:2011, including Amd 1:2018)
Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -
- Cadre privé (ISO/IEC 29100:2011, y compris Amd Rahmenwerk für Datenschutz (ISO/IEC 29100:2011,
1:2018) einschließlich Amd 1:2018)

This European Standard was approved by CEN on 31 May 2020.

This European Standard was corrected and reissued by the CEN-CENELEC Management Centre on 1 July 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.





















CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 29100:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.

---------------------- Page: 3 ----------------------
SIST EN ISO/IEC 29100:2020
EN ISO/IEC 29100:2020 (E)
Contents Page
European foreword . 3

2

---------------------- Page: 4 ----------------------
SIST EN ISO/IEC 29100:2020
EN ISO/IEC 29100:2020 (E)
European foreword
The text of ISO/IEC 29100:2011, including Amd 1:2018 has been prepared by Technical Committee
ISO/IEC JTC 1 "Information technology” of the International Organization for Standardization (ISO) and
has been taken over as EN ISO/IEC 29100:2020 by Technical Committee CEN/CLC/JTC 13
“Cybersecurity and Data Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by December 2020, and conflicting national standards
shall be withdrawn at the latest by December 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 29100:2011, including Amd 1:2018 has been approved by CEN as
EN ISO/IEC 29100:2020 without any modification.

3

---------------------- Page: 5 ----------------------
SIST EN ISO/IEC 29100:2020

---------------------- Page: 6 ----------------------
SIST EN ISO/IEC 29100:2020

INTERNATIONAL ISO/IEC
STANDARD 29100
First edition
2011-12-15

Information technology — Security
techniques — Privacy framework
Technologies de l'information — Techniques de sécurité — Cadre privé




Reference number
ISO/IEC 29100:2011(E)
©
ISO/IEC 2011

---------------------- Page: 7 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2011 – All rights reserved

---------------------- Page: 8 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Contents Page
Foreword . v
Introduction . vi
1  Scope . 1
2  Terms and definitions . 1
3  Symbols and abbreviated terms . 4
4  Basic elements of the privacy framework . 5
4.1  Overview of the privacy framework . 5
4.2  Actors and roles . 5
4.2.1  PII principals . 5
4.2.2  PII controllers . 5
4.2.3  PII processors . 5
4.2.4  Third parties . 6
4.3  Interactions . 6
4.4  Recognizing PII . 7
4.4.1  Identifiers . 7
4.4.2  Other distinguishing characteristics . 7
4.4.3  Information which is or might be linked to a PII principal . 8
4.4.4  Pseudonymous data . 9
4.4.5  Metadata . 9
4.4.6  Unsolicited PII . 9
4.4.7  Sensitive PII . 9
4.5  Privacy safeguarding requirements . 10
4.5.1  Legal and regulatory factors . 11
4.5.2  Contractual factors . 11
4.5.3  Business factors . 12
4.5.4  Other factors . 12
4.6  Privacy policies . 13
4.7  Privacy controls . 13
5  The privacy principles of ISO/IEC 29100 . 14
5.1  Overview of privacy principles . 14
5.2  Consent and choice . 14
5.3  Purpose legitimacy and specification . 15
5.4  Collection limitation . 15
5.5  Data minimization . 16
5.6  Use, retention and disclosure limitation . 16
5.7  Accuracy and quality . 16
5.8  Openness, transparency and notice . 17
5.9  Individual participation and access . 17
5.10  Accountability . 18
5.11  Information security . 18
5.12  Privacy compliance . 19
Annex A (informative) Correspondence between ISO/IEC 29100 concepts and ISO/IEC 27000
concepts . 20
Bibliography . 21

© ISO/IEC 2011 – All rights reserved iii

---------------------- Page: 9 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Figures
Figure 1 – Factors influencing privacy risk management . 11

Tables
Table 1 – Possible flows of PII among the PII principal, PII controller, PII processor and a third party and their
roles 7
Table 2 – Example of attributes that can be used to identify natural persons 8
Table 3 – The privacy principles of ISO/IEC 29100 14
Table A.1 – Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts 20

iv © ISO/IEC 2011 – All rights reserved

---------------------- Page: 10 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 29100 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

© ISO/IEC 2011 – All rights reserved v

---------------------- Page: 11 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Introduction
This International Standard provides a high-level framework for the protection of personally
identifiable information (PII) within information and communication technology (ICT) systems. It is
general in nature and places organizational, technical, and procedural aspects in an overall privacy
framework.
The privacy framework is intended to help organizations define their privacy safeguarding
requirements related to PII within an ICT environment by:
- specifying a common privacy terminology;
- defining the actors and their roles in processing PII;
- describing privacy safeguarding requirements; and
- referencing known privacy principles.
In some jurisdictions, this International Standard’s references to privacy safeguarding requirements
might be understood as being complementary to legal requirements for the protection of PII. Due to
the increasing number of information and communication technologies that process PII, it is
important to have international information security standards that provide a common understanding
for the protection of PII. This International Standard is intended to enhance existing security
standards by adding a focus relevant to the processing of PII.
The increasing commercial use and value of PII, the sharing of PII across legal jurisdictions, and the
growing complexity of ICT systems, can make it difficult for an organization to ensure privacy and to
achieve compliance with the various applicable laws. Privacy stakeholders can prevent uncertainty
and distrust from arising by handling privacy matters properly and avoiding cases of PII misuse.
Use of this International Standard will:
- aid in the design, implementation, operation, and maintenance of ICT systems that handle and protect
PII;
- spur innovative solutions to enable the protection of PII within ICT systems; and
- improve organizations’ privacy programs through the use of best practices.
The privacy framework provided within this International Standard can serve as a basis for additional
privacy standardization initiatives, such as for:
- a technical reference architecture;
- the implementation and use of specific privacy technologies and overall privacy management;
- privacy controls for outsourced data processes;
- privacy risk assessments; or
- specific engineering specifications.
Some jurisdictions might require compliance with one or more of the documents referenced in
ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents
References [3] or with other applicable laws and regulations, but this International Standard is not
intended to be a global model policy, nor a legislative framework.

vi © ISO/IEC 2011 – All rights reserved

---------------------- Page: 12 ----------------------
SIST EN ISO/IEC 29100:2020
INTERNATIONAL STANDARD ISO/IEC 29100:2011(E)

Information technology — Security techniques — Privacy
framework
1 Scope
This International Standard provides a privacy framework which
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
This International Standard is applicable to natural persons and organizations involved in specifying,
procuring, architecting, designing, developing, testing, maintaining, administering, and operating
information and communication technology systems or services where privacy controls are required
for the processing of PII.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE In order to make it easier to use the ISO/IEC 27000 family of International Standards in the specific context of
privacy and to integrate privacy concepts in the ISO/IEC 27000 context, the table in Annex A provides the ISO/IEC 27000
concepts that correspond with the ISO/IEC 29100 concepts used in this International Standard.
2.1
anonymity
characteristic of information that does not permit a personally identifiable information principal to be
identified directly or indirectly
2.2
anonymization
process by which personally identifiable information (PII) is irreversibly altered in such a way that a
PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in
collaboration with any other party
2.3
anonymized data
data that has been produced as the output of a personally identifiable information anonymization
process
2.4
consent
personally identifiable information (PII) principal’s freely given, specific and informed agreement to
the processing of their PII
© ISO/IEC 2011 – All rights reserved 1

---------------------- Page: 13 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.5
identifiability
condition which results in a personally identifiable information (PII) principal being identified, directly
or indirectly, on the basis of a given set of PII
2.6
identify
establish the link between a personally identifiable information (PII) principal and PII or a set of PII
2.7
identity
set of attributes which make it possible to identify the personally identifiable information principal
2.8
opt-in
process or type of policy whereby the personally identifiable information (PII) principal is required to
take an action to express explicit, prior consent for their PII to be processed for a particular purpose
NOTE A different term that is often used with the privacy principle ‘consent and choice’ is “opt-out”. It describes a
process or type of policy whereby the PII principal is required to take a separate action in order to withhold or withdraw
consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has the right
to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent
(e.g., placing an order in an online shop).
2.9
personally identifiable information
PII
any information that (a) can be used to identify the PII principal to whom such information relates, or
(b) is or might be directly or indirectly linked to a PII principal
NOTE To determine whether a PII principal is identifiable, account should be taken of all the means which can
reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.
2.10
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for
processing personally identifiable information (PII) other than natural persons who use data for
personal purposes
NOTE A PII controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the
responsibility for the processing remains with the PII controller.
2.11
PII principal
natural person to whom the personally identifiable information (PII) relates
NOTE Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data
subject” can also be used instead of the term “PII principal”.
2.12
PII processor
privacy stakeholder that processes personally identifiable information (PII) on behalf of and in
accordance with the instructions of a PII controller
2.13
privacy breach
situation where personally identifiable information is processed in violation of one or more relevant
privacy safeguarding requirements
2 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 14 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.14
privacy controls
measures that treat privacy risks by reducing their likelihood or their consequences
NOTE 1 Privacy controls include organizational, physical and technical measures, e.g., policies, procedures, guidelines,
legal contracts, management practices or organizational structures.
NOTE 2 Control is also used as a synonym for safeguard or countermeasure.
2.15
privacy enhancing technology
PET
privacy control, consisting of information and communication technology (ICT) measures, products,
or services that protect privacy by eliminating or reducing personally identifiable information (PII) or
by preventing unnecessary and/or undesired processing of PII, all without losing the functionality of
the ICT system
NOTE 1 Examples of PETs include, but are not limited to, anonymization and pseudonymization tools that eliminate,
reduce, mask, or de-identify PII or that prevent unnecessary, unauthorized and/or undesirable processing of PII.
NOTE 2 Masking is the process of obscuring elements of PII.
2.16
privacy policy
overall intention and direction, rules and commitment, as formally expressed by the personally
identifiable information (PII) controller related to the processing of PII in a particular setting
2.17
privacy preferences
specific choices made by a personally identifiable information (PII) principal about how their PII
should be processed for a particular purpose
2.18
privacy principles
set of shared values governing the privacy protection of personally identifiable information (PII) when
processed in information and communication technology systems
2.19
privacy risk
effect of uncertainty on privacy
NOTE 1 Risk is defined as the “effect of uncertainty on objectives” in ISO Guide 73 and ISO 31000.
NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an
event, its consequence, or likelihood.
2.20
privacy risk assessment
overall process of risk identification, risk analysis and risk evaluation with regard to the processing of
personally identifiable information (PII)
NOTE This process is also known as a privacy impact assessment.
2.21
privacy safeguarding requirements
set of requirements an organization has to take into account when processing personally identifiable
information (PII) with respect to the privacy protection of PII
2.22
privacy stakeholder
natural or legal person, public authority, agency or any other body that can affect, be affected by, or
perceive themselves to be affected by a decision or activity related to personally identifiable
information (PII) processing
© ISO/IEC 2011 – All rights reserved 3

---------------------- Page: 15 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.23
processing of PII
operation or set of operations performed upon personally identifiable information (PII)
NOTE Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration,
retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion
or destruction of PII.
2.24
pseudonymization
process applied to personally identifiable information (PII) which replaces identifying information with
an alias
NOTE 1 Pseudonymization can be performed either by PII principals themselves or by PII controllers. Pseudonymization
can be used by PII principals to consistently use a resource or service without disclosing their identity to this resource or
service (or between services), while still being held accountable for that use.
NOTE 2 Pseudonymization does not rule out the possibility that there might be (a restricted set of) privacy stakeholders
other than the PII controller of the pseudonymized data which are able to determine the PII principal’s identity based on the
alias and data linked to it.
2.25
secondary use
processing of personally identifiable information (PII) in conditions which differ from the initial ones
NOTE Conditions that differ from the initial ones could involve, for example, a new purpose for processing PII, a new
recipient of the PII, etc.
2.26
sensitive PII
category of personally identifiable information (PII), either whose nature is sensitive, such as those
that relate to the PII principal’s most intimate sphere, or that might have a significant impact on the
PII principal
NOTE In some jurisdictions or in specific contexts, sensitive PII is defined in reference to the nature of the PII and can
consist of PII revealing the racial origin, political opinions or religious or other beliefs, personal data on health, sex life or
criminal convictions, as well as other PII that might be defined as sensitive.
2.27
third party
privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller
and the PII processor, and the natural persons who are authorized to process the data under the
direct authority of the PII controller or the PII processor
3 Symbols and abbreviated terms
The following abbreviations are common to ISO/IEC 29100.
ICT Information and Communication Technology
PET Privacy Enhancing Technology
PII Personally Identifiable Information
4 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 16 ----------------------
SIST EN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
4 Basic elements of the privacy framework
4.1 Overview of the privacy framework
The following components relate to privacy and the processing of PII in ICT systems and make up
the privacy framework described in this International Standard:
- actors and roles;
- interactions;
- recognizing PII;
- privacy safeguarding requirements;
- privacy policies; and
- privacy controls.
For the development of this privacy framework, concepts, definitions and recommendations from
other official sources have been taken into consideration. These sources can be found in
ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents
References [3].
4.2 Actors and roles
For the purposes of this standard, it is important to identify the actors involved in the processing of
PII. There are four types of actors who can be involved in the processing of PII: PII principals, PII
controllers, PII processors and third parties.
4.2.1 PII principals
PII principals provide their PII for processing to PII controllers and PII processors and, when it is not
otherwise provided by applicable law, they give consent and determine their privacy preferences for
how their PII should be processed. PII principals can include, for example, an employee listed in the
human resources system of a company, the consumer mentioned in a credit report, and a pa
...

SLOVENSKI STANDARD
oSIST prEN ISO/IEC 29100:2020
01-april-2020
Informacijska tehnologija - Varnostne tehnike - Zasebni okvir (ISO/IEC 29100:2011,
vključno z dopolnilom A1:2018)
Information technology - Security techniques - Privacy framework (ISO/IEC 29100:2011,
including Amd 1:2018)
Informationstechnik - Sicherheitsverfahren - Rahmenwerk für Datenschutz (ISO/IEC
29100:2011, einschließlich Amd 1:2018)
Technologies de l'information - Techniques de sécurité - Cadre privé (ISO/IEC
29100:2011, y compris Amd 1:2018)
Ta slovenski standard je istoveten z: prEN ISO/IEC 29100
ICS:
35.030 Informacijska varnost IT Security
oSIST prEN ISO/IEC 29100:2020 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN ISO/IEC 29100:2020

---------------------- Page: 2 ----------------------
oSIST prEN ISO/IEC 29100:2020

INTERNATIONAL ISO/IEC
STANDARD 29100
First edition
2011-12-15

Information technology — Security
techniques — Privacy framework
Technologies de l'information — Techniques de sécurité — Cadre privé




Reference number
ISO/IEC 29100:2011(E)
©
ISO/IEC 2011

---------------------- Page: 3 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2011 – All rights reserved

---------------------- Page: 4 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Contents Page
Foreword . v
Introduction . vi
1  Scope . 1
2  Terms and definitions . 1
3  Symbols and abbreviated terms . 4
4  Basic elements of the privacy framework . 5
4.1  Overview of the privacy framework . 5
4.2  Actors and roles . 5
4.2.1  PII principals . 5
4.2.2  PII controllers . 5
4.2.3  PII processors . 5
4.2.4  Third parties . 6
4.3  Interactions . 6
4.4  Recognizing PII . 7
4.4.1  Identifiers . 7
4.4.2  Other distinguishing characteristics . 7
4.4.3  Information which is or might be linked to a PII principal . 8
4.4.4  Pseudonymous data . 9
4.4.5  Metadata . 9
4.4.6  Unsolicited PII . 9
4.4.7  Sensitive PII . 9
4.5  Privacy safeguarding requirements . 10
4.5.1  Legal and regulatory factors . 11
4.5.2  Contractual factors . 11
4.5.3  Business factors . 12
4.5.4  Other factors . 12
4.6  Privacy policies . 13
4.7  Privacy controls . 13
5  The privacy principles of ISO/IEC 29100 . 14
5.1  Overview of privacy principles . 14
5.2  Consent and choice . 14
5.3  Purpose legitimacy and specification . 15
5.4  Collection limitation . 15
5.5  Data minimization . 16
5.6  Use, retention and disclosure limitation . 16
5.7  Accuracy and quality . 16
5.8  Openness, transparency and notice . 17
5.9  Individual participation and access . 17
5.10  Accountability . 18
5.11  Information security . 18
5.12  Privacy compliance . 19
Annex A (informative) Correspondence between ISO/IEC 29100 concepts and ISO/IEC 27000
concepts . 20
Bibliography . 21

© ISO/IEC 2011 – All rights reserved iii

---------------------- Page: 5 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Figures
Figure 1 – Factors influencing privacy risk management . 11

Tables
Table 1 – Possible flows of PII among the PII principal, PII controller, PII processor and a third party and their
roles 7
Table 2 – Example of attributes that can be used to identify natural persons 8
Table 3 – The privacy principles of ISO/IEC 29100 14
Table A.1 – Matching ISO/IEC 29100 concepts to ISO/IEC 27000 concepts 20

iv © ISO/IEC 2011 – All rights reserved

---------------------- Page: 6 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 29100 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

© ISO/IEC 2011 – All rights reserved v

---------------------- Page: 7 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
Introduction
This International Standard provides a high-level framework for the protection of personally
identifiable information (PII) within information and communication technology (ICT) systems. It is
general in nature and places organizational, technical, and procedural aspects in an overall privacy
framework.
The privacy framework is intended to help organizations define their privacy safeguarding
requirements related to PII within an ICT environment by:
- specifying a common privacy terminology;
- defining the actors and their roles in processing PII;
- describing privacy safeguarding requirements; and
- referencing known privacy principles.
In some jurisdictions, this International Standard’s references to privacy safeguarding requirements
might be understood as being complementary to legal requirements for the protection of PII. Due to
the increasing number of information and communication technologies that process PII, it is
important to have international information security standards that provide a common understanding
for the protection of PII. This International Standard is intended to enhance existing security
standards by adding a focus relevant to the processing of PII.
The increasing commercial use and value of PII, the sharing of PII across legal jurisdictions, and the
growing complexity of ICT systems, can make it difficult for an organization to ensure privacy and to
achieve compliance with the various applicable laws. Privacy stakeholders can prevent uncertainty
and distrust from arising by handling privacy matters properly and avoiding cases of PII misuse.
Use of this International Standard will:
- aid in the design, implementation, operation, and maintenance of ICT systems that handle and protect
PII;
- spur innovative solutions to enable the protection of PII within ICT systems; and
- improve organizations’ privacy programs through the use of best practices.
The privacy framework provided within this International Standard can serve as a basis for additional
privacy standardization initiatives, such as for:
- a technical reference architecture;
- the implementation and use of specific privacy technologies and overall privacy management;
- privacy controls for outsourced data processes;
- privacy risk assessments; or
- specific engineering specifications.
Some jurisdictions might require compliance with one or more of the documents referenced in
ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents
References [3] or with other applicable laws and regulations, but this International Standard is not
intended to be a global model policy, nor a legislative framework.

vi © ISO/IEC 2011 – All rights reserved

---------------------- Page: 8 ----------------------
oSIST prEN ISO/IEC 29100:2020
INTERNATIONAL STANDARD ISO/IEC 29100:2011(E)

Information technology — Security techniques — Privacy
framework
1 Scope
This International Standard provides a privacy framework which
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
This International Standard is applicable to natural persons and organizations involved in specifying,
procuring, architecting, designing, developing, testing, maintaining, administering, and operating
information and communication technology systems or services where privacy controls are required
for the processing of PII.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE In order to make it easier to use the ISO/IEC 27000 family of International Standards in the specific context of
privacy and to integrate privacy concepts in the ISO/IEC 27000 context, the table in Annex A provides the ISO/IEC 27000
concepts that correspond with the ISO/IEC 29100 concepts used in this International Standard.
2.1
anonymity
characteristic of information that does not permit a personally identifiable information principal to be
identified directly or indirectly
2.2
anonymization
process by which personally identifiable information (PII) is irreversibly altered in such a way that a
PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in
collaboration with any other party
2.3
anonymized data
data that has been produced as the output of a personally identifiable information anonymization
process
2.4
consent
personally identifiable information (PII) principal’s freely given, specific and informed agreement to
the processing of their PII
© ISO/IEC 2011 – All rights reserved 1

---------------------- Page: 9 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.5
identifiability
condition which results in a personally identifiable information (PII) principal being identified, directly
or indirectly, on the basis of a given set of PII
2.6
identify
establish the link between a personally identifiable information (PII) principal and PII or a set of PII
2.7
identity
set of attributes which make it possible to identify the personally identifiable information principal
2.8
opt-in
process or type of policy whereby the personally identifiable information (PII) principal is required to
take an action to express explicit, prior consent for their PII to be processed for a particular purpose
NOTE A different term that is often used with the privacy principle ‘consent and choice’ is “opt-out”. It describes a
process or type of policy whereby the PII principal is required to take a separate action in order to withhold or withdraw
consent, or oppose a specific type of processing. The use of an opt-out policy presumes that the PII controller has the right
to process the PII in the intended way. This right can be implied by some action of the PII principal different from consent
(e.g., placing an order in an online shop).
2.9
personally identifiable information
PII
any information that (a) can be used to identify the PII principal to whom such information relates, or
(b) is or might be directly or indirectly linked to a PII principal
NOTE To determine whether a PII principal is identifiable, account should be taken of all the means which can
reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.
2.10
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for
processing personally identifiable information (PII) other than natural persons who use data for
personal purposes
NOTE A PII controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the
responsibility for the processing remains with the PII controller.
2.11
PII principal
natural person to whom the personally identifiable information (PII) relates
NOTE Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data
subject” can also be used instead of the term “PII principal”.
2.12
PII processor
privacy stakeholder that processes personally identifiable information (PII) on behalf of and in
accordance with the instructions of a PII controller
2.13
privacy breach
situation where personally identifiable information is processed in violation of one or more relevant
privacy safeguarding requirements
2 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 10 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.14
privacy controls
measures that treat privacy risks by reducing their likelihood or their consequences
NOTE 1 Privacy controls include organizational, physical and technical measures, e.g., policies, procedures, guidelines,
legal contracts, management practices or organizational structures.
NOTE 2 Control is also used as a synonym for safeguard or countermeasure.
2.15
privacy enhancing technology
PET
privacy control, consisting of information and communication technology (ICT) measures, products,
or services that protect privacy by eliminating or reducing personally identifiable information (PII) or
by preventing unnecessary and/or undesired processing of PII, all without losing the functionality of
the ICT system
NOTE 1 Examples of PETs include, but are not limited to, anonymization and pseudonymization tools that eliminate,
reduce, mask, or de-identify PII or that prevent unnecessary, unauthorized and/or undesirable processing of PII.
NOTE 2 Masking is the process of obscuring elements of PII.
2.16
privacy policy
overall intention and direction, rules and commitment, as formally expressed by the personally
identifiable information (PII) controller related to the processing of PII in a particular setting
2.17
privacy preferences
specific choices made by a personally identifiable information (PII) principal about how their PII
should be processed for a particular purpose
2.18
privacy principles
set of shared values governing the privacy protection of personally identifiable information (PII) when
processed in information and communication technology systems
2.19
privacy risk
effect of uncertainty on privacy
NOTE 1 Risk is defined as the “effect of uncertainty on objectives” in ISO Guide 73 and ISO 31000.
NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an
event, its consequence, or likelihood.
2.20
privacy risk assessment
overall process of risk identification, risk analysis and risk evaluation with regard to the processing of
personally identifiable information (PII)
NOTE This process is also known as a privacy impact assessment.
2.21
privacy safeguarding requirements
set of requirements an organization has to take into account when processing personally identifiable
information (PII) with respect to the privacy protection of PII
2.22
privacy stakeholder
natural or legal person, public authority, agency or any other body that can affect, be affected by, or
perceive themselves to be affected by a decision or activity related to personally identifiable
information (PII) processing
© ISO/IEC 2011 – All rights reserved 3

---------------------- Page: 11 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
2.23
processing of PII
operation or set of operations performed upon personally identifiable information (PII)
NOTE Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration,
retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion
or destruction of PII.
2.24
pseudonymization
process applied to personally identifiable information (PII) which replaces identifying information with
an alias
NOTE 1 Pseudonymization can be performed either by PII principals themselves or by PII controllers. Pseudonymization
can be used by PII principals to consistently use a resource or service without disclosing their identity to this resource or
service (or between services), while still being held accountable for that use.
NOTE 2 Pseudonymization does not rule out the possibility that there might be (a restricted set of) privacy stakeholders
other than the PII controller of the pseudonymized data which are able to determine the PII principal’s identity based on the
alias and data linked to it.
2.25
secondary use
processing of personally identifiable information (PII) in conditions which differ from the initial ones
NOTE Conditions that differ from the initial ones could involve, for example, a new purpose for processing PII, a new
recipient of the PII, etc.
2.26
sensitive PII
category of personally identifiable information (PII), either whose nature is sensitive, such as those
that relate to the PII principal’s most intimate sphere, or that might have a significant impact on the
PII principal
NOTE In some jurisdictions or in specific contexts, sensitive PII is defined in reference to the nature of the PII and can
consist of PII revealing the racial origin, political opinions or religious or other beliefs, personal data on health, sex life or
criminal convictions, as well as other PII that might be defined as sensitive.
2.27
third party
privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller
and the PII processor, and the natural persons who are authorized to process the data under the
direct authority of the PII controller or the PII processor
3 Symbols and abbreviated terms
The following abbreviations are common to ISO/IEC 29100.
ICT Information and Communication Technology
PET Privacy Enhancing Technology
PII Personally Identifiable Information
4 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 12 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
4 Basic elements of the privacy framework
4.1 Overview of the privacy framework
The following components relate to privacy and the processing of PII in ICT systems and make up
the privacy framework described in this International Standard:
- actors and roles;
- interactions;
- recognizing PII;
- privacy safeguarding requirements;
- privacy policies; and
- privacy controls.
For the development of this privacy framework, concepts, definitions and recommendations from
other official sources have been taken into consideration. These sources can be found in
ISO/IEC JTC 1/SC 27 WG 5 Standing Document 2 (WG 5 SD2) — Official Privacy Documents
References [3].
4.2 Actors and roles
For the purposes of this standard, it is important to identify the actors involved in the processing of
PII. There are four types of actors who can be involved in the processing of PII: PII principals, PII
controllers, PII processors and third parties.
4.2.1 PII principals
PII principals provide their PII for processing to PII controllers and PII processors and, when it is not
otherwise provided by applicable law, they give consent and determine their privacy preferences for
how their PII should be processed. PII principals can include, for example, an employee listed in the
human resources system of a company, the consumer mentioned in a credit report, and a patient
listed in an electronic health record. It is not always necessary that the respective natural person is
identified directly by name in order to be considered a PII principal. If the natural person to whom the
PII relates can be identified indirectly (e.g., through an account identifier, social security number, or
even through the combination of available attributes), he or she is considered to be the PII principal
for that PII set.
4.2.2 PII controllers
A PII controller determines why (purpose) and how (means) the processing of PII takes place. The
PII controller should ensure adherence to the privacy principles in this framework during the
processing of PII under its control (e.g., by implementing the necessary privacy controls). There
might be more than one PII controller for the same PII set or set of operations performed upon PII
(for the same or different legitimate purposes). In this case the different PII controllers shall work
together and make the necessary arrangements to ensure the privacy principles are adhered to
during the processing of PII. A PII controller can also decide to have all or part of the processing
operations carried out by a different privacy stakeholder on its behalf. PII controllers should carefully
assess whether or not they are processing sensitive PII and implement reasonable and appropriate
privacy and security controls based on the requirements set forth in the relevant jurisdiction as well
as any potential adverse effects for PII principals as identified during a privacy risk assessment.
4.2.3 PII processors
A PII processor carries out the processing of PII on behalf of a PII controller, acts on behalf of, or in
accordance with the instructions of the PII controller, observes the stipulated privacy requirements
© ISO/IEC 2011 – All rights reserved 5

---------------------- Page: 13 ----------------------
oSIST prEN ISO/IEC 29100:2020
ISO/IEC 29100:2011(E)
and implements the corresponding privacy controls. In some jurisdictions, the PII processor is bound
by a legal contract.
4.2.4 Third parties
A third party can receive PII from a PII controller or a PII processor. A third party does not process
PII on behalf of the PII controller. Generally, the third party will become a PII controller in its own
right once it has received the PII in question.
4.3 Interactions
The actors identified in the previous clause can interact with each other in a variety of ways. As far
as the possible flows of PII among the PII principal, the PII controller and the PII processor are
concerned, the following scenarios can be identified:
a) the PII principal provides PII to a PII controller (e.g., when registering for a service provided by
the PII controller);
b) the PII controller provides PII to a PII processor which processes that PII on behalf of the PII
controller (e.g., as part of an outsourcing agreement);
c) the PII principal provides PII to a PII processor which processes that PII on behalf of the PII
controller;
d) the PII controller provides the PII principal with PII which is related to the PII principal (e.g.,
pursuant to a request made by the PII principal);
e) the PII processor provides PII to the PII principal (e.g., as directed by the PII controller); and
f) the PII processor provides PII to the PII controller (e.g., after having performed the service for
which it was appointed).
The roles of the PII principal, PII controller, PII processor and a third party in these scenarios are
illustrated in Table 1.
There is a need to distinguish between PII processors and third parties because the legal control of
the PII remains with the original PII controller when it is sent over to the PII processor, whereas a
third party can become a PII controller in its own right once it has received the PII in question. For
instance, where a third party makes the decision to transfer PII it has received from a PII controller to
yet another party, it will be acting as a PII controller in its own right and will therefore no longer be
considered a third party.
As far as the possible flows of PII among the PII controllers and P
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.