Artifact GuideGLOBALETSI EN 303 645

ETSI EN 303 645 Data Protection Provisions

A practical guide to the consumer IoT personal-data provisions in ETSI EN 303 645 clauses 5.8, 5.10, 5.11, and 6.

Use this to scope technical controls and evidence. ETSI EN 303 645 can support privacy work, but it is not a substitute for a separate legal assessment.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 27, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
10

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 27, 2026
Overview

ETSI EN 303 645 treats data protection as part of consumer IoT security: protect personal data in transit, document sensing capabilities, examine telemetry for security anomalies when telemetry is collected, make user data deletion easy, and give consumers clear information about personal-data and telemetry processing. This page turns those provisions into review questions and evidence items without expanding them into unsupported GDPR or privacy-law conclusions.

Section 1

What do the ETSI EN 303 645 data protection provisions cover?

Start with the actual provision set. Clause 5.8 addresses confidentiality for personal data moving between the device and services, stronger treatment for sensitive personal data exchanged with associated services, and accessible documentation of external sensing capabilities such as optical or acoustic sensors.

Clause 5.10 applies when telemetry is collected and expects that telemetry, including log data, is examined for security anomalies. Clause 5.11 addresses user-data erasure from the device, personal-data removal from associated services, clear deletion instructions, and confirmation after deletion. Clause 6 adds consumer-facing information, consent, withdrawal, telemetry minimisation, and telemetry transparency requirements.

  • List each category of personal data processed by the device or associated service, including purpose, processor or authorized party, lifecycle, consent basis where used, and secure communication mechanism.
  • Identify sensitive personal data by product context; ETSI gives examples such as home-security video, payment information, communication content, and timestamped location data.
  • Document all obvious external sensing capabilities in a way ordinary users can access and understand, including inactive capabilities that could still be enabled by compromised firmware.
  • Treat GDPR references narrowly: EN 303 645 says its technical provisions can help with personal-data protection, but it does not by itself prove legal compliance.
Sources for this answer
ETSI EN 303 645 V2.1.1 consumer IoT security baseline
Primary source for clauses 5.8, 5.10, 5.11, and 6 on consumer IoT personal data, telemetry, deletion, and consent.
ETSI TS 103 701 V2.1.1 conformance assessment
Assessment source mapping these provisions to ICS/IXIT evidence and conceptual or functional test expectations.
Section 2

How should personal data in transit be protected?

For clause 5.8, do not stop at a generic statement that traffic is encrypted. The useful evidence is a route-by-route map that shows which personal-data category uses which secure communication mechanism, what security guarantees it provides, and which cryptographic details are implemented.

TS 103 701 assesses whether secure communication mechanisms referenced by personal-data entries provide confidentiality for the relevant use case, whether the mechanism is appropriate for the technology, operating environment, risk, and usage, and whether the implemented cryptographic settings match the IXIT documentation.

  • Create an IXIT-style personal-data table with description, purpose, authorized parties, lifecycle, processing activities, secure communication mechanisms, sensitivity, consent handling, and anonymization where applicable.
  • For sensitive personal data sent between the device and an associated service, show the associated service relationship and the mechanism protecting confidentiality.
  • Keep cryptographic evidence specific: protocol, version, cipher suite or comparable details, communication partner, and whether confidentiality is accompanied by integrity or authenticity protection.
  • Add a functional check that the observed traffic protection matches the documented secure communication mechanism instead of relying only on architecture diagrams.
Sources for this answer
ETSI EN 303 645 V2.1.1 clause 5.8
Defines the personal-data confidentiality provisions and the requirement to document external sensing capabilities.
ETSI TS 103 701 V2.1.1 test groups 5.8-1 to 5.8-3
Explains conceptual and functional assessment of cryptography for personal data and documentation of external sensors.
Section 3

What evidence is needed for telemetry and consumer transparency?

Telemetry has two separate duties in the grounding. Clause 5.10 expects security-anomaly examination if telemetry is collected. Clause 6 expects transparency about what telemetry is collected, how it is used, by whom, and for what purposes, and says personal-data processing in telemetry should be kept to the minimum necessary for the intended functionality.

The practical evidence should distinguish telemetry used for security examination from telemetry collected for other product purposes. TS 103 701 uses IXIT 24-TelData for telemetry description, purpose, security examination, and linked personal-data categories, and IXIT 2-UserInfo for the consumer-facing telemetry documentation.

  • For each telemetry category, record the description, collection trigger, purpose, security examination if any, and any personal-data categories included.
  • Show why linked personal data is necessary for the telemetry purpose; unsupported convenience collection should be treated as a gap.
  • Make consumer documentation match the telemetry inventory, including what is collected, how it is used, who uses it, and the purposes.
  • Do not claim every telemetry feed supports security monitoring; if no security examination is performed for a feed, state that clearly in the evidence model.
Sources for this answer
ETSI EN 303 645 V2.1.1 clauses 5.10 and 6
Grounds the telemetry anomaly-examination, minimisation, and consumer-information expectations.
ETSI TS 103 701 V2.1.1 test groups 5.10-1, 6-4, and 6-5
Maps telemetry review to IXIT 24-TelData and consumer telemetry documentation to IXIT 2-UserInfo.
Recommended next step

Operationalize ETSI EN 303 645 data protection

Use the ETSI provisions and TS 103 701 evidence model to map personal-data flows, telemetry, consent, deletion, and user documentation before assessment.

Assessment workflow
Open Assessment Autopilot for ETSI EN 303 645

Turn personal-data, telemetry, consent, and deletion requirements into assigned evidence requests.

Explore next step
Research workflow
Research ETSI EN 303 645 source questions

Resolve narrow questions about provision scope, IXIT fields, and evidence expectations before implementation.

Explore next step
Talk to Sorena
Talk through implementation

Review product scope, data flows, deletion paths, and assessment evidence with Sorena.

Explore next step
Section 4

How should user data deletion be designed and tested?

Clause 5.11 requires simple functionality for erasing user data from the device and recommends simple functionality for removing personal data from associated services. It also calls for clear instructions and clear confirmation after personal data has been deleted from services, devices, and applications.

The deletion review should cover more than a factory reset button. EN 303 645 notes that factory reset may be inappropriate in shared-use situations where one user needs to remove their own personal data without disrupting the owner or future users.

  • Define deletion functionality by target type: user data on the device, personal data on associated services, user configuration, and user-related cryptographic material such as passwords or keys.
  • For each deletion flow, document initiation steps, user interaction, confirmation message, and the data categories it covers.
  • Test typical data creation, execute each deletion function, and verify whether the corresponding data still exists on the device or associated service.
  • Where multiple users are supported, verify that a user without elevated privileges cannot delete another user's data.
Sources for this answer
ETSI EN 303 645 V2.1.1 clause 5.11
Defines simple device erasure, associated-service removal, user instructions, and deletion confirmation expectations.
ETSI TS 103 701 V2.1.1 test groups 5.11-1 to 5.11-4
Maps deletion to IXIT 25-DelFunc, IXIT 21-PersData, and IXIT 2-UserInfo evidence and functional checks.
Section 5

Release checklist for ETSI EN 303 645 data protection evidence

Use this checklist before publishing a claim, submitting evidence to an assessor, or using the page in procurement. Each item is grounded in the ETSI provisions or TS 103 701 evidence model and should be tied to a product version and assessment boundary.

  • Personal-data inventory: every data category has purpose, authorized parties, lifecycle, processing activities, secure communication mechanisms, consent handling where used, and sensitivity classification.
  • Sensor transparency: user-facing documentation lists external sensing capabilities and explains them in accessible language.
  • Telemetry register: every telemetry category has purpose, security-examination status, linked personal data, and matching consumer-facing documentation.
  • Consent evidence: when consent is the basis for processing, the flow shows a free, obvious, explicit opt-in choice, withdrawal at any time, and storage of consent information.
  • Deletion evidence: device and associated-service deletion functions are documented, executable by users with limited technical knowledge, cover the intended data categories, and provide clear confirmation.
  • Claim hygiene: avoid saying EN 303 645 proves GDPR compliance; instead, state which ETSI technical provisions are addressed and leave legal conclusions to the applicable privacy-law review.
Sources for this answer
ETSI EN 303 645 V2.1.1 clause 6
Defines consumer information, valid consent, withdrawal, telemetry minimisation, and telemetry information provisions.
ETSI TS 103 701 V2.1.1 data protection assessment model
Provides the IXIT evidence fields and conceptual or functional checks used to assess clauses 5.8, 5.10, 5.11, and 6.
Primary sources

References and citations

ETSI EN 303 645 V2.1.1 clause 5.11
etsi.org
Referenced sections
  • Defines simple device erasure, associated-service removal, user instructions, and deletion confirmation expectations.
"delete user data"
ETSI EN 303 645 V2.1.1 clause 5.8
etsi.org
Referenced sections
  • Defines the personal-data confidentiality provisions and the requirement to document external sensing capabilities.
"personal data"
ETSI EN 303 645 V2.1.1 clause 6
etsi.org
Referenced sections
  • Defines consumer information, valid consent, withdrawal, telemetry minimisation, and telemetry information provisions.
"valid way"
Related guides

Explore more topics

ETSI EN 303 645 Applicability and Scope
Decide whether a connected product is in scope of ETSI EN 303 645, define the consumer IoT evidence boundary, and document N/A justifications for assessment.
ETSI EN 303 645 compliance: ICS, IXIT, evidence
Plan ETSI EN 303 645 compliance evidence for consumer IoT products with scope, ICS, IXIT, TS 103 701 assessment steps, verdict risks, and source-linked controls.
ETSI EN 303 645 consumer IoT products: what is in scope?
ETSI EN 303 645 FAQ on consumer IoT product scope: devices, associated services, constrained devices, out-of-scope industrial uses, ICS, IXIT, and TS 103 701 evidence.
ETSI EN 303 645 Current Version Tracker
Track ETSI EN 303 645 version evidence, ETSI deliverable status checks, TS 103 701 assessment alignment, and change triggers for consumer IoT security work.
ETSI EN 303 645 CVD Workflow for IoT Vulnerability Reports
Source-linked workflow for ETSI EN 303 645 vulnerability disclosure: public policy contents, reporting contact, acknowledgement and status timelines, timely action, and TS 103 701 evidence.
ETSI EN 303 645 default passwords: what must consumer IoT teams do?
ETSI EN 303 645 default password guidance for consumer IoT: unique or user-defined passwords, pre-installed password generation, change mechanisms, brute-force controls, and TS 103 701 evidence.
ETSI EN 303 645 FAQ: Consumer IoT Security Questions
source-linked answers to common ETSI EN 303 645 questions on consumer IoT scope, associated services, default passwords, updates, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence.
ETSI EN 303 645 ICS and IXIT Evidence Template
Build a source-linked ICS and IXIT evidence template for ETSI EN 303 645 consumer IoT assessments, with clear separation between EN provisions and TS 103 701 test information.
ETSI EN 303 645 implementation checklist
Use this ETSI EN 303 645 implementation checklist to scope a consumer IoT product, record Annex B support statuses, map IXIT evidence, and avoid weak conformance claims.
ETSI EN 303 645 Implementation Evidence Guide
Build ETSI EN 303 645 implementation evidence from Annex B support/detail records, TS 103 701 ICS and IXIT inputs, test verdicts, and scoped external evidence.
ETSI EN 303 645 IoT Applicability Workflow
Decide whether ETSI EN 303 645 applies to a consumer IoT product, what associated services belong in scope, and how to record justified non-applicability.
ETSI EN 303 645 personal data deletion FAQ for consumer IoT
What ETSI EN 303 645 says about deleting user data and personal data from consumer IoT devices, associated services, apps, and evidence records.
ETSI EN 303 645 requirements: consumer IoT provision map
Map ETSI EN 303 645 consumer IoT requirements to product scope, Annex B ICS entries, TS 103 701 evidence, and implementation owners.
ETSI EN 303 645 Secure Update Evidence Workflow
Build secure-update evidence for ETSI EN 303 645 using provision 5.3, Annex B support/detail records, and TS 103 701 ICS, IXIT, and test-plan inputs.
ETSI EN 303 645 Secure Update Workflow
Map ETSI EN 303 645 secure-update provisions into a practical workflow for consumer IoT update mechanisms, support-period disclosures, and TS 103 701 evidence.
ETSI EN 303 645 Secure Updates and Vulnerability Disclosure
source-linked guide to ETSI EN 303 645 clauses 5.2 and 5.3 for consumer IoT vulnerability disclosure, security updates, support periods, and TS 103 701 evidence.
ETSI EN 303 645 support period: what must consumer IoT teams publish?
ETSI EN 303 645 support-period guidance for consumer IoT: defined security-update support periods, user-accessible publication, constrained-device replacement support, model designation, and TS 103 701 evidence.
ETSI EN 303 645 telemetry: what should consumer IoT teams evidence?
ETSI EN 303 645 telemetry guidance for consumer IoT teams: security anomaly examination, IXIT 24-TelData evidence, personal-data minimization, and consumer telemetry disclosures.
ETSI EN 303 645 test evidence: what should consumer IoT teams keep?
ETSI EN 303 645 test evidence guidance for consumer IoT teams: ICS support claims, IXIT detail, TS 103 701 test plans, verdicts, and external evidence checks.
ETSI EN 303 645 vs EU CRA for Consumer IoT
Use ETSI EN 303 645 and ETSI TS 103 701 evidence when preparing consumer IoT cybersecurity work that may also need a separate EU CRA legal mapping.
ETSI EN 303 645 vs RED Cybersecurity Delegated Act
Compare ETSI EN 303 645 consumer IoT security evidence with RED cybersecurity planning without treating the ETSI baseline as a substitute for RED legal scope.
ETSI EN 303 645 vs UK PSTI: Evidence Crosswalk
Compare ETSI EN 303 645 evidence with UK PSTI review needs without assuming the same scope, legal trigger, or assurance route.
ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT
What ETSI EN 303 645 requires for consumer IoT vulnerability disclosure policies, report handling, status updates, timely action, and TS 103 701 evidence.
ETSI TS 103 701 Test Evidence Workflow for EN 303 645
Build an ETSI TS 103 701 test evidence workflow for EN 303 645 consumer IoT assessments: DUT identification, ICS, IXIT, test plans, verdicts, and external evidence.
How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?
ETSI EN 303 645 constrained-device guidance: what counts as constrained, when non-applicability can be justified, and what evidence should support update and authentication decisions.