oSIST prEN 17926:2026
Privacy information management system per EN ISO/IEC 27701 – Refinements in European context
This document specifies refinements for an application of EN ISO/IEC 27701 in a European context.
This document is applicable to the same entities as is ISO/IEC 27701: all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors.
An organization can use this document for the implementation of the generic requirements and controls of EN ISO/IEC 27701
according to its context and its applicable obligations.
Certification criteria based on these refinements can provide a certification model under ISO/IEC 17065 for processing operations
performed within the scope of a privacy information management system according to EN ISO/IEC 27701, which can be combined
with certification requirements for EN ISO/IEC 27701 under ISO/IEC 17021.
General Information
- Status: Not Published
- Public Enquiry End Date: 30-Jun-2026
- Technical Committee: ITC - Information technology
- Current Stage: 4020 - Public enquiry (PE) (Adopted Project)
- Start Date: 19-Mar-2026
- Due Date: 06-Aug-2026
Relations
- Effective Date: 26-Feb-2025
Frequently Asked Questions
oSIST prEN 17926:2026 is a draft published by the Slovenian Institute for Standardization (SIST). Its full title is "Privacy information management system per EN ISO/IEC 27701 – Refinements in European context". This standard covers: This document specifies refinements for an application of EN ISO/IEC 27701 in a European context. This document is applicable to the same entities as is ISO/IEC 27701: all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors. An organization can use this document for the implementation of the generic requirements and controls of EN ISO/IEC 27701 according to its context and its applicable obligations. Certification criteria based on these refinements can provide a certification model under ISO/IEC 17065 for processing operations performed within the scope of a privacy information management system according to EN ISO/IEC 27701, which can be combined with certification requirements for EN ISO/IEC 27701 under ISO/IEC 17021.
oSIST prEN 17926:2026 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
oSIST prEN 17926:2026 has the following relationship with other standards: it has an inter-standard link to SIST EN 17926:2024. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
oSIST prEN 17926:2026 is associated with the following European legislation: EU Directives/Regulations: 2016/679. When a standard is cited in the Official Journal of the European Union, products manufactured in conformity with it benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation.
Standards Content (Sample)
SLOVENIAN STANDARD
1 June 2026
Privacy information management system per EN ISO/IEC 27701 – Refinements in European context
This Slovenian standard is identical to: prEN 17926
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
EUROPEAN STANDARD DRAFT
May 2026
ICS
English version
Privacy information management system per EN ISO/IEC 27701 - Refinements in European context
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.
Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.
Contents (with page numbers)
European foreword (p. 2)
Introduction (p. 3)
1 Scope (p. 4)
2 Normative references (p. 4)
3 Terms and definitions (p. 4)
4 Structure of this document (p. 4)
5 Privacy information management system for PII processing operations (p. 4)
6 Requirement for PII processing operations (p. 6)
Annex A (normative) PIMS reference control objectives and controls for PII controllers and PII processors (p. 7)
Annex B (informative) Model for combination of management system certification governed by certification requirements in ISO/IEC 17021 with a non-tangible product-based certification governed by certification requirements in ISO/IEC 17065 (p. 21)
Annex C (informative) Relationship between this European Standard and the General Data Protection Regulation (p. 23)
Bibliography (p. 32)
European foreword
This document (prEN 17926:2026) has been prepared by Technical Committee CEN/CLC/JTC 13,
“Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
Introduction
EN ISO/IEC 27701 specifies requirements and provides guidance for establishing, implementing,
maintaining, and continually improving a Privacy Information Management System (PIMS) which can be
implemented in any jurisdiction. As a management system designed for international use, its
requirements are generic, and the guidance can be adapted by the organizations according to their
context and applicable obligations.
Although EN ISO/IEC 27701 was written with the intention to be applicable under any jurisdiction,
including under the EU General Data Protection Regulation (GDPR) (ISO/IEC 27701 Annex D contains a
mapping between clauses of the standard and GDPR), it is the responsibility of the organization to
determine how to implement requirements and controls of EN ISO/IEC 27701 in the context of the GDPR.
This document provides refinements to EN ISO/IEC 27701 in the application of controls and guidance in
EN ISO/IEC 27701 specific to GDPR where necessary. This document is applicable to the same entities as
is ISO/IEC 27701: all types and sizes of organizations, including public and private companies,
government entities and not-for-profit organizations, which are PII controllers and/or PII processors
processing PII. This is intended to be used by organizations in the GDPR context for the purpose of
demonstrating compliance with their obligations. EN ISO/IEC 27701 combined with the refinements of
this document constitutes a set of requirements which is more specifically designed and fit for the context
of GDPR than the generic ones from EN ISO/IEC 27701 alone.
Thus EN ISO/IEC 27701 can be considered as an international framework, which can be refined for a
particular regional context (in the case of this document, the GDPR), and even to add requirements fit for
a given jurisdiction/country or sector (out of scope of this document).
The refinements to EN ISO/IEC 27701 for processing operations as part of products, processes and services specified in
this document can be used for conformity assessment, which can be conducted by first, second or third parties. In
particular, certification bodies can use these requirements and refinements to assess the conformity of both a privacy
information management system per ISO/IEC 17021 and the processing operations of a product, process or service per
ISO/IEC 17065. Certification schemes for products involving PII processing can reference this document, as described in
ISO/IEC 17067 for “type 6” schemes.
NOTE “product” can be read as “process” or “service” (ISO/IEC 17065, Clause 1 and Annex B).
The requirements in this document can be part of a scheme governed under both ISO/IEC 17065 for the
requirements on products involving PII processing activities (“products requirements” as per
ISO/IEC 17065, Clause 3.8) and ISO/IEC 17021 for the management system requirements
(ISO/IEC 17067 type 6 scheme).
GDPR Article 42 encourages the establishment of data protection certification mechanisms. Provisions of
this document can be used by competent bodies to specify data protection certification mechanisms as
per GDPR Article 42 in order to assess the conformity of processing operations in the PIMS as per
ISO/IEC 17065, including assessment of privacy information management system systematic elements as
allowed by Clause 6 of ISO/IEC 17067.
1 Scope
This document specifies refinements for an application of EN ISO/IEC 27701 in a European context.
This document is applicable to the same entities as is ISO/IEC 27701: all types and sizes of organizations,
including public and private companies, government entities and not-for-profit organizations, which are
PII controllers and/or PII processors processing PII.
An organization can use this document for the implementation of the generic requirements and controls
of EN ISO/IEC 27701 according to its context and its applicable obligations.
Certification criteria based on these refinements can provide a certification model under ISO/IEC 17065
for processing operations performed within the scope of a privacy information management system
according to EN ISO/IEC 27701, which can be combined with certification requirements for
EN ISO/IEC 27701 under ISO/IEC 17021.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN ISO/IEC 27701:2025, Information security, cybersecurity and privacy protection — Privacy information
management systems — Requirements and guidance
3 Terms and definitions
No terms and definitions are listed in this document.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
4 Structure of this document
Clause 5 refers to the privacy information management system as defined in EN ISO/IEC 27701, and
specifies additional requirements and refinements of requirements.
Clause 6 specifies the requirements for PII processing operations as part of products, processes, or
services; these are requirements for the organization to implement specific controls from Annexes A, B,
C and related guidance.
Annex A refers to the ISO/IEC 27701:2025 Annex A controls.
The informative Annex D provides a model for combining certifications governed by ISO/IEC 17021 and
ISO/IEC 17065. Finally, Annex E presents the relationship between this document and EU 2016/679
GDPR.
5 Privacy information management system for PII processing operations
The organization shall establish, implement, maintain, and continually improve a PIMS as defined in
EN ISO/IEC 27701.
The organization shall determine the PII processing operations within the scope of the management
system (EN ISO/IEC 27701:2025, 4.3).
EN ISO/IEC 27701:2025, 4.3 is refined as follows:
When determining this scope, the organization shall consider interfaces and dependencies between PII
processing activities internal and external to the organization.
EN ISO/IEC 27701:2025 6.1.3 c) is refined as follows.
The information security programme at a minimum should address the following:
— information security risk management;
— policies for information security;
— organization of information security, including segregation of duties;
— human resources security;
— asset management;
— access control, including an access control policy that covers:
  — management of privileged access rights;
  — management of secret authentication information of users;
  — information access restriction;
— operations security, including separation of development, testing and operational environments;
— network security management;
— development security;
— supplier management, including:
  — information and communication technology supply chain;
  — monitoring and review of supplier services;
  — managing changes to supplier services;
— incident management;
— information security continuity;
— information security reviews;
— cryptography; and
— physical and environmental security.
EN ISO/IEC 27701, 6.1.3 d) is refined as follows:
The controls determined in ISO/IEC 27701:2013 6.1.3 b) shall be compared with the controls in Annex A
to verify that no necessary controls have been omitted.
ISO/IEC 27701, 6.1.3 e) is refined as follows:
Producing a Statement of Applicability that contains:
— the necessary controls [see ISO/IEC 27701:2013, 6.1.3 b) and d) as refined above];
— justification for their inclusion;
— whether the necessary controls are implemented or not; and
— the justification for excluding any of the controls in Annex A according to the determination of the
role of the organization (see ISO/IEC 27701:2025, 4.2), and the justification for excluding any of the
aspects of the security programme as described above.
6 Requirement for PII processing operations
For all PII processing operations as determined in Clause 5, the organization shall implement the controls
required per Annex A depending on the role of the organization (see ISO/IEC 27701:2025, 4.2).
Annex A
(normative)
PIMS reference control objectives and controls for PII controllers and PII
processors
This annex is intended to be used by organizations acting as PII controllers or PII processors, or both.
Table A.1 applies to PII controllers, Table A.2 applies to PII processors and Table A.3 relates to
information security controls for both PII controllers and PII processors.
Table A.1 — Control objectives and controls for PII controllers
Conditions for collection and processing
Objective: To demonstrate that processing is lawful, with legal basis as per applicable jurisdictions, with clearly
defined and legitimate purposes.
Each entry below gives the control reference, the control title (in parentheses) and the control.
PIMS CTRL A.1.2.2 (Identify and document purpose): The organization shall implement control ISO/IEC 27701:2025 A.1.2.2, following the additional guidance in ISO/IEC 27701:2025 B.1.2.2.
PIMS CTRL A.1.2.3 (Identify lawful basis): The organization shall implement control ISO/IEC 27701:2025 A.1.2.3, following the additional guidance in ISO/IEC 27701:2025 B.1.2.3.
PIMS CTRL A.1.2.4 (Determine when and how consent is to be obtained): The organization shall implement control ISO/IEC 27701:2025 A.1.2.4, following the additional guidance in ISO/IEC 27701:2025 B.1.2.4.
PIMS CTRL A.1.2.5 (Obtain and record consent): The organization shall implement control ISO/IEC 27701:2025 A.1.2.5, following the additional guidance in ISO/IEC 27701:2025 B.1.2.5.
PIMS CTRL A.1.2.6 (Privacy impact assessment): The organization shall implement control ISO/IEC 27701:2025 A.1.2.6, following the additional guidance in ISO/IEC 27701:2025 B.1.2.6 and these additional refinements:
— The organization shall identify processing operations which may result in high risks to the rights and freedoms of PII principals.
— The organization shall undertake and document privacy impact assessments (PIAs) for high risk processing operations.
— The organization shall involve the DPO or the persons in charge of privacy matters (where a DPO is not designated) in the review of high risk processing and in carrying out the PIA.
— The organization, where appropriate, shall seek the views of the PII principals or their representative, without prejudice to the protection of commercial or public interests or the security of processing operations.
— When a PIA identifies processing that may result in high risks to PII principals, in the absence of measures taken by the controller to mitigate residual risk, the organization shall consult the supervisory authorities prior to processing, and supply them with the details required.
The PIA shall at the minimum:
— describe systematically the envisaged processing operations and their purposes;
— describe the legal basis of the processing activity;
— assess the necessity and proportionality of the processing operations in relation to the purposes;
— identify and assess risks to PII principals;
— identify the measures that will address the risks to PII principals.
PIMS CTRL A.1.2.7 (Contracts with PII processors): The organization shall implement control ISO/IEC 27701:2025 A.1.2.7, following the additional guidance in ISO/IEC 27701:2025 B.1.2.7.
PIMS CTRL A.1.2.8 (Joint PII controller): The organization shall implement control ISO/IEC 27701:2025 A.1.2.8, following the additional guidance in ISO/IEC 27701:2025 B.1.2.8.
PIMS CTRL A.1.2.9 (Records related to processing PII): The organization shall implement control ISO/IEC 27701:2025 A.1.2.9, following the additional guidance in ISO/IEC 27701:2025 B.1.2.9.
Obligations to PII principals
Objective: To ensure that PII principals are provided with appropriate information about the processing of their
PII, and to meet any other applicable obligations to PII principals related to the processing of their PII.
PIMS CTRL A.1.3.2 (Determining and fulfilling obligations to PII principals): The organization shall implement control ISO/IEC 27701:2025 A.1.3.2, following the additional guidance in ISO/IEC 27701:2025 B.1.3.2.
PIMS CTRL A.1.3.3 (Determining information for PII principals): The organization shall implement control ISO/IEC 27701:2025 A.1.3.3, following the additional guidance in ISO/IEC 27701:2025 B.1.3.3.
PIMS CTRL A.1.3.4 (Providing information to PII principals): The organization shall implement control ISO/IEC 27701:2025 A.1.3.4, following the additional guidance in ISO/IEC 27701:2025 B.1.3.4.
PIMS CTRL A.1.3.5 (Providing mechanism to modify or withdraw consent): The organization shall implement control ISO/IEC 27701:2025 A.1.3.5, following the additional guidance in ISO/IEC 27701:2025 B.1.3.5, and these additional refinements:
— The organization shall provide a mechanism for PII principals to be able to place restrictions on the processing of their PII:
  o during verification by the organization of the accuracy of the PII processed, if accuracy is contested by the PII principal;
  o if the PII principal opposes the erasure of data collected under unlawful processing;
  o if the PII principal, in order to support a legal claim, requests the organization to keep PII that is no longer necessary for the processing;
  o during verification of the legitimate grounds of the organization for PII processing, if the PII principal objects to the processing.
— Restricted PII shall be stored and used only under consent of the PII principal or in specific lawful contexts (legal claims, protection of the rights of a person, important public interest).
— The PII principal shall be informed by the organization before the restriction is lifted.
Restriction of processing shall in principle be ensured by technical measures, such as clear labelling of restricted PII.
PIMS CTRL A.1.3.6 (Providing mechanism to object to PII processing): The organization shall implement control ISO/IEC 27701:2025 A.1.3.6, following the additional guidance in ISO/IEC 27701:2025 B.1.3.6.
PIMS CTRL A.1.3.7 (Access, correction or erasure): The organization shall implement control ISO/IEC 27701:2025 A.1.3.7, following the additional guidance in ISO/IEC 27701:2025 B.1.3.7.
PIMS CTRL A.1.3.8 (PII controllers' obligations to inform third parties): The organization shall implement control ISO/IEC 27701:2025 A.1.3.8, following the additional guidance in ISO/IEC 27701:2025 B.1.3.8.
PIMS CTRL A.1.3.9 (Providing copy of PII processed): The organization shall implement control ISO/IEC 27701:2025 A.1.3.9, following the additional guidance in ISO/IEC 27701:2025 B.1.3.9.
PIMS CTRL A.1.3.10 (Handling requests): The organization shall implement control ISO/IEC 27701:2025 A.1.3.10, following the additional guidance in ISO/IEC 27701:2025 B.1.3.10.
PIMS CTRL A.1.3.11 (Automated decision making): The organization shall implement control ISO/IEC 27701:2025 A.1.3.11, following the additional guidance in ISO/IEC 27701:2025 B.1.3.11.
Privacy by design and privacy by default
Objective: To ensure that processes and systems are designed such that the collection and processing of PII
(including use, disclosure, retention, transmission and disposal) are limited to what is necessary for
the identified purpose.
PIMS CTRL A.1.4.2 (Limit collection): The organization shall implement control ISO/IEC 27701:2025 A.1.4.2, following the additional guidance in ISO/IEC 27701:2025 B.1.4.2.
PIMS CTRL A.1.4.3 (Limit processing): The organization shall implement control ISO/IEC 27701:2025 A.1.4.3, following the additional guidance in ISO/IEC 27701:2025 B.1.4.3.
PIMS CTRL A.1.4.4 (Accuracy and quality): The organization shall implement control ISO/IEC 27701:2025 A.1.4.4, following the additional guidance in ISO/IEC 27701:2025 B.1.4.4.
PIMS CTRL A.1.4.5 (PII minimization objectives): The organization shall implement control ISO/IEC 27701:2025 A.1.4.5, following the additional guidance in ISO/IEC 27701:2025 B.1.4.5.
PIMS CTRL A.1.4.6 (PII de-identification and deletion at the end of processing): The organization shall implement control ISO/IEC 27701:2025 A.1.4.6, following the additional guidance in ISO/IEC 27701:2025 B.1.4.6.
PIMS CTRL A.1.4.7 (Temporary files): The organization shall implement control ISO/IEC 27701:2025 A.1.4.7, following the additional guidance in ISO/IEC 27701:2025 B.1.4.7.
PIMS CTRL A.1.4.8 (Retention): The organization shall implement control ISO/IEC 27701:2025 A.1.4.8, following the additional guidance in ISO/IEC 27701:2025 B.1.4.8.
PIMS CTRL A.1.4.9 (Disposal): The organization shall implement control ISO/IEC 27701:2025 A.1.4.9, following the additional guidance in ISO/IEC 27701:2025 B.1.4.9.
PIMS CTRL A.1.4.10 (PII transmission controls): The organization shall implement control ISO/IEC 27701:2025 A.1.4.10, following the additional guidance in ISO/IEC 27701:2025 B.1.4.10.
PII sharing, transfer and disclosure
Objective: To determine whether, and document when, PII is shared, transferred to other jurisdictions or third
parties or disclosed in accordance with applicable obligations.
PIMS CTRL A.1.5.2 (Identify basis for PII transfer between jurisdictions): The organization shall implement control ISO/IEC 27701:2025 A.1.5.2, following the additional guidance in ISO/IEC 27701:2025 B.1.5.2 and these additional refinements:
— The organization shall identify and document the relevant basis for transfers of PII between jurisdictions, which can be permission from regulatory authorities to transfer PII to jurisdictions providing an adequate level of protection, or, in its absence, transfer tools containing “appropriate safeguards” to ensure that, overall, the PII transferred will benefit from a level of protection at least equivalent to the originating jurisdiction.
  o Transfer tools include standard data protection clauses, binding corporate rules, codes of conduct or certification mechanisms recognized as transfer tools under the applicable legislation (e.g. in the European context the GDPR), and ad hoc contractual clauses.
  o If the legislation and practice of the third country to which PII is to be transferred does not offer the PII transferred protection essentially equivalent to that provided in the jurisdiction from where it originates, the organization shall supplement the transfer tools and the safeguards they contain with “supplementary measures”, i.e. contractual, technical and organizational measures to ensure the protection of PII being transferred, including security and confidentiality, equivalent to the level of protection provided in the jurisdiction from where it originates. The technical and organizational measures shall use techniques with due regard to the state of the art and in accordance with the risk involved, aiming at ensuring that the PII transferred are not accessible to the third country’s public authorities.
— If the organization receives notification (see AB.8.5.1) or otherwise becomes aware that a subcontracted PII processor is no longer able to comply with the transfer tool it relies on, the organization shall identify appropriate measures to address the situation, if necessary in consultation with the competent supervisory authority.
  o Such measures shall include “supplementary measures”, i.e. contractual, technical and organizational measures adopted by the organization and/or the processor to ensure the protection of PII being transferred, including security and confidentiality, equivalent to the level of protection provided in the jurisdiction from where it originates. The technical and organizational measures shall use techniques, with due regard to the state of the art and in accordance with the risk involved, aiming at ensuring that the PII transferred are not accessible to the third country’s public authorities.
The organization shall suspend the transfer if it considers that no appropriate safeguards can be ensured, or if so instructed by the competent supervisory authority.
PIMS CTRL A.1.5.3 (Countries and international organizations to which ...): The organization shall implement control ISO/IEC 27701:2025 A.1.5.3, following the additional guidance in ...
...