(As approved under Council Resolution 27/2024)
ISO processes personal data as described in the Privacy Notice (https://www.iso.org/privacy.html). In the ISO context, "Personal Data" includes a person’s or identifiable person’s names, email addresses, physical addresses, telephone numbers and roles played. This ISO Member Data Privacy Policy (the "Policy") applies to Personal Data that an ISO member processes in the name of ISO and while pursuing ISO’s statutory purpose (“ISO’s Purpose”).
As an ISO member, you are responsible for protecting Personal Data in accordance with this Policy even if, for the fulfilment of ISO’s Purpose, you give access to this Personal Data to:
- People within your organization (including Member Body User Administrators "MBUA", Committee Managers, IT staff, etc.);
- Third Parties (including sub-organizations, agents, subcontractors, etc.) outside your organization; and
- Others, including through electronic means.
As an ISO member, you must:
- ensure that Data Subjects whose Personal Data is collected and processed1:
- understand that ISO as data controller will process their Personal Data for ISO’s Purpose in accordance with the Privacy Notice; and
- know that you and ISO are available to answer any questions about the processing of their Personal Data.
- ensure that the parties whom you allow to access Personal Data:
- agree to use the Personal Data they access never for their own purposes but only for ISO’s Purpose and consistent with the Declaration for participants in ISO activities;
- agree to respect confidentiality obligations and standard technical and organizational measures;
- agree to respect relevant ISO rules as updated from time to time, and applicable laws; and
- understand that they remain bound by these obligations even after their participation in the standards development work ends
- collect, use, share and archive (i.e. “process”) Personal Data solely for ISO’s Purpose. This means that Personal Data cannot be collected and used for commercial purposes unless the person concerned has also explicitly given permission for this to ISO;
- undertake appropriate technical and organizational measures to protect Personal Data prior to processing it, including nominating at least one person for the ISO Central Secretariat (“ISO/CS”) to contact regarding any data protection issues;
- immediately inform ISO/CS if you cannot comply with this Policy;
- immediately inform and cooperate with ISO/CS in case of any accidental or unauthorized access; and
- ensure that your employees and processors accept this Policy or equivalent or stricter terms. In all cases, you remain responsible for compliance with this Policy by such third parties.
If you cease to be an ISO member, you must delete any Personal Data and copies thereof to which this Policy applies and certify its destruction to ISO/CS in writing.
ISO may change this Policy as approved by Council. Members will be informed and the changes will be posted online.
The protection of Personal Data is very important for ISO. Any ISO member with concerns about the processing of Personal Data, including by another ISO member should inform ISO at DataProtection@iso.org.
ISO may require ISO members to take measures in case of doubt regarding compliance with this Policy. The Secretary-General may also take measures against ISO members that do not comply with this Policy and applicable laws.
This Policy and its implementation are governed exclusively by Swiss law. This Policy is supplemented by a general description of the main data protection principles, terms and concepts in the Annex. This description is provided solely for informational purposes and neither this Policy nor its Annex replace or supersede applicable laws and requirements.
For further information regarding other relevant ISO privacy rules, please contact ISO at DataProtection@iso.org.
1 ISO Central Secretariat will assist the member with this by sending an email advising the person of this when their data is first entered in the ISO Global Directory. If a member wants to opt-out of this service they should contact helpdesk@iso.org.
Annex to the ISO Member Data Privacy Policy
Main Terms and Principles of Data Protection
To enhance the knowledge around data protection, this general overview describes the main data protection principles and rules that must govern all data processing activities within ISO. Please note this general overview is solely meant as a description of applicable principles and rules and does not replace ISO members’ own obligations linked to internal awareness around data protection.
All data processing activities must comply with the main principles of data protection. These include obligations for the controller and processor, as well as rights for the data subjects. Violation of these principles makes the processing unlawful, which may lead to sanctions.
From a general overview, the principles, rights and obligations are similar in the new Swiss Federal Act on Data Protection (nFADP) and in the European General Data Protection Regulation (GDPR).
1) Transparency
The principle of transparency (Art. 6 par. 3 nFADP) requires that data must be collected for specific purposes that are recognizable to the data subject. Recognizability is considered to be fulfilled when the data subject is informed, when the processing is provided for by law or when it is clear from the circumstances.
Specific information obligations are explicitly provided for under Art. 19 nFADP.
2) Good Faith
Any processing of personal data must be carried out in accordance with the principle of good faith (Art. 6 par. 2 nFADP). This means that data processing must not be misleading or the information excessively complicated to obtain.
For example, anyone who, when collecting data, leads the data subject to believe that all the data are compulsory, whereas some are optional, violates the principle of good faith.
3) Proportionality
Any processing of personal data must be carried out in accordance with the principle of proportionality (Art. 6 par. 2 nFADP). This means that only data that is objectively necessary to achieve the aim pursued, that are appropriate to achieve it, and that the processing remains in a reasonable relationship between the legitimate result sought and the means used, while preserving as much as possible the rights of the persons concerned.
This principle also includes the principles of data avoidance (i.e. if the purpose of the processing can be achieved without the collection of new data, this option should be preferred) and data minimization (i.e. only data that is absolutely necessary for the purpose of the processing should be processed).
The proportionality principle applies to everything relating to the processing of personal data, including: The types and categories of data processed, the means of processing, the purposes and the retention period.
Regarding specifically retention periods, personal data may not be kept for longer than necessary for the purposes of the corresponding processing. In other words, personal data must be deleted as soon as they are no longer necessary for the processing, with the exception of certain limited situations. The retention period must itself be communicated to the data subject (or at least the criteria for determining it).
4) Purpose Limitation
Personal data may only be collected for specific purposes and their processing must be limited to these purposes (Art. 6 par. 3 nFADP). Vague, undefined or imprecise purposes are not allowed.
5) Correctness
Anyone who processes personal data must make certain that it is correct and up to date (Art. 6 par. 5 nFADP). All appropriate measures must be taken to rectify, erase or destroy data that are inaccurate or incomplete in relation to the purposes for which they were collected or processed.
6) Data Security
Data security provides that controllers and processors must ensure, through appropriate organizational and technical measures, adequate security of personal data in relation to the risk involved (Art. 8 nFADP). This provision materializes the risk-based approach. The higher the risk of a data breach, the higher the requirements for the measures to be taken.
7) Lawfulness
Under the nFADP regime, Art. 6 par. 1 provides that personal data may only be processed lawfully. This means that processing must not lead to the violation of an applicable norm of data protection law or aimed at protecting the personality of the data subject.
If ever the processing may infringe the personality of the data subject, especially when it is done in violation of the principles provided above or against the express will of the data subject, or when as soon as personal data is communicated to third parties, the existence of a justification is required. Such justification may be the data subject’s consent (exceptional), an overriding private or public interest, or the law.