We present the PISCES (Privacy Incorporated and SeCurity Enhanced Systems) framework, which aims to establish foundations for implementing Privacy and Security by Design (PSD) in the Internet of Things (IoT). PISCES enforces a strict separation between data provider and data controller: providers manage the privacy of their own data, and controllers are accountable for the privacy and protection of the data provided. This role separation is ensured by the Controller Smart Data System (CSDS) of the Smart Data System (SDS), which handles data together with its user-defined privacy settings (metadata), offering the possibility of private data management for IoT. The SDS also balances user privacy against the need to access information for law-enforcement activities (e.g., police investigations in the fight against crime). This is made possible by building a Privacy Validation Chain (PVC), which allows the data owner and/or any intermediary (data controllers, data processors) to know easily by whom, and for what purpose, the data is used, and thus to establish whether the user's rights are respected. Finally, PISCES is intended to let Internet users and service providers reach a reasonable bargain when monetizing user data, which makes it necessary to define fair and mutually acceptable conditions for using the services and the data. These conditions can give the user an incentive to allow more access to his data and the service provider an incentive to allow free usage of some services.