ISO 27701 PII Controller Requirements
When your organization determines the purposes and means of processing personal data, you act as a PII controller. ISO 27701 Annex A provides 31 specific controls that controllers must implement to protect the rights and interests of data subjects. These controls integrate with your PIMS requirements and map directly to GDPR obligations.
Key Takeaways
| Point | Summary |
|---|---|
| Definition | PII controllers determine why and how personal data is processed |
| Control count | 31 controls across 8 control objectives in Annex A |
| Key areas | Lawful basis, transparency, data subject rights, privacy by design |
| Relationship to GDPR | Direct mapping to controller obligations under Articles 5-25 |
| Documentation | Processing records, legal basis register, privacy notices |
| Data subject focus | Protecting individual rights and interests |
Quick Answer: ISO 27701 controller requirements (Annex A) address how you collect, use, share, and manage personal data. Key obligations include establishing legal basis for processing, providing transparency to data subjects, honoring rights requests, implementing privacy by design, and properly managing data sharing and international transfers.
Understanding the Controller Role
When You're a Controller
| Scenario | Controller Determination |
|---|---|
| You collect customer data for your service | You determine purpose (service delivery) and means |
| You collect employee data for HR | You determine purpose (employment) and means |
| You decide what analytics to run on user data | You determine purpose (business intelligence) |
| You select which vendors process your data | You determine means of processing |
Controller vs. Joint Controller vs. Processor
| Role | Characteristic | Example |
|---|---|---|
| Sole controller | You alone determine purposes and means | Your CRM data about your customers |
| Joint controller | Multiple parties determine purposes/means together | Shared platform with partner |
| Processor | You process under another's instructions | Hosting customer's data per their DPA |
Most SaaS companies are controllers for some data (data about their own customers and employees) and processors for other data (their customers' end-user data processed via the platform).
Annex A Control Objectives
A.7.2: Conditions for Collection and Processing
Establish and document the legitimacy of your processing activities.
| Control | Requirement | Implementation |
|---|---|---|
| A.7.2.1 Purpose identification | Identify and document processing purposes | Maintain purpose register for each processing activity |
| A.7.2.2 Legal basis | Identify legal basis for each purpose | Document which GDPR Article 6 basis applies |
| A.7.2.3 Purpose limitation | Limit processing to specified purposes | Controls preventing purpose creep |
| A.7.2.4 Consent | Obtain and record valid consent where relied upon | Consent mechanisms, timestamps, scope records |
| A.7.2.5 Privacy impact assessment | Assess impact of high-risk processing | PIA/DPIA process and documentation |
| A.7.2.6 Contracts | Establish contracts with processors | DPAs with all processors |
| A.7.2.7 Joint controller | Establish arrangements with joint controllers | Joint controller agreements |
| A.7.2.8 Processing records | Maintain records of processing activities | Article 30 style processing register |
Documentation required:
- PII processing inventory with purposes
- Legal basis register
- Consent records and mechanisms
- PIA/DPIA register
- Processor and joint controller agreements
A.7.3: Obligations to PII Principals
Ensure transparency and fulfill your obligations to data subjects.
| Control | Requirement | Implementation |
|---|---|---|
| A.7.3.1 Obligation determination | Identify obligations to data subjects | Map regulatory requirements to your processing |
| A.7.3.2 Purpose communication | Inform data subjects of purposes | Privacy notices at collection points |
| A.7.3.3 Consent withdrawal | Enable consent withdrawal | Easy-to-use withdrawal mechanisms |
| A.7.3.4 Consent modification | Enable consent modification | Preference center or equivalent |
| A.7.3.5 Objection mechanism | Provide objection mechanism | Process for receiving and handling objections to processing |
| A.7.3.6 Access | Provide access to PII | DSAR fulfillment process |
| A.7.3.7 Rectification | Enable correction of PII | Data correction procedures |
| A.7.3.8 Erasure | Enable deletion of PII | Deletion procedures and verification |
| A.7.3.9 Third party notification | Notify third parties of changes | Propagation to processors/recipients |
| A.7.3.10 PII copies | Provide copies of PII | Secure data export capability |
Key processes to implement:
- Data subject access request (DSAR) workflow
- Consent management with withdrawal capability
- Data correction and deletion procedures
- Notification cascade to third parties
A.7.4: Privacy by Design and Default
Embed privacy into the design of processing activities.
| Control | Requirement | Implementation |
|---|---|---|
| A.7.4.1 Collection limitation | Limit collection to what's necessary | Data minimization in product/process design |
| A.7.4.2 Processing limitation | Limit processing to what's necessary | Purpose-specific processing controls |
| A.7.4.3 Accuracy | Keep PII accurate and up to date | Data quality processes |
| A.7.4.4 Minimization objectives | Define minimization objectives | Documented approach to minimization |
| A.7.4.5 De-identification | De-identify PII where possible | Pseudonymization (reversible, still PII) or anonymization (irreversible, no longer PII) |
| A.7.4.6 Temporary files | Securely manage temporary PII | Controls for temporary storage |
| A.7.4.7 Retention | Define and enforce retention periods | Retention schedules and enforcement |
| A.7.4.8 Disposal | Securely dispose of PII | Secure deletion procedures |
| A.7.4.9 Processing controls | Implement controls for PII processing and transmission | Encryption, access controls |
Privacy by design principles to document:
- Data minimization approach
- Retention policy with schedules by data type
- De-identification practices: pseudonymization (data remains PII, requires safeguards) vs anonymization (data no longer subject to privacy regulations)
- Secure deletion procedures
A.7.5: PII Sharing, Transfer, and Disclosure
Control how PII is shared with third parties.
| Control | Requirement | Implementation |
|---|---|---|
| A.7.5.1 Third party identification | Identify third parties receiving PII | Recipient register |
| A.7.5.2 Disclosure records | Record disclosures | Disclosure log |
| A.7.5.3 Disclosure controls | Protect PII during disclosure | Secure transfer mechanisms |
| A.7.5.4 Third party agreements | Contractual protections with recipients | Appropriate agreements in place |
Required documentation:
- Third party recipient register
- Disclosure records
- Contracts with appropriate privacy terms
Legal Basis Requirements
Documenting Legal Basis
For each processing activity, document:
| Element | Example |
|---|---|
| Processing activity | Customer account management |
| PII categories | Name, email, company, usage data |
| Legal basis | Contractual necessity (Art. 6(1)(b)) |
| Justification | Required to deliver subscribed service |
| Retention basis | Duration of contract + 7 years legal requirement |
Legal Basis Options (GDPR Context)
| Basis | When Appropriate | Documentation Needed |
|---|---|---|
| Consent | Optional processing, marketing | Consent records with timestamp, scope |
| Contract | Processing necessary for contract | Service agreement showing necessity |
| Legal obligation | Legally required processing | Specific legal requirement reference |
| Vital interests | Emergency situations | Rare, document circumstances |
| Public interest | Public sector tasks | Task definition and basis |
| Legitimate interests | Business needs, balanced with rights | LIA (Legitimate Interest Assessment) |
Legitimate Interest Assessment (LIA)
When relying on legitimate interests, document:
| Assessment Element | Content |
|---|---|
| Purpose | What are you trying to achieve? |
| Necessity | Is this processing necessary for the purpose? |
| Legitimate interest | What interest does it serve? |
| Impact assessment | What's the impact on data subjects? |
| Balance | Do data subject rights override? |
| Safeguards | What protections are in place? |
Data Subject Rights Implementation
Rights Request Workflow
| Stage | Activities |
|---|---|
| 1. Receipt | Log request, acknowledge within 24-48 hours |
| 2. Verification | Verify identity of requester |
| 3. Assessment | Determine scope, exemptions, extension needs |
| 4. Fulfillment | Gather data, prepare response, quality check |
| 5. Response | Deliver response within deadline (GDPR: 30 days) |
| 6. Documentation | Record request and outcome |
Rights Request Metrics
| Metric | Target |
|---|---|
| Response time | Within regulatory deadline (GDPR: 30 days) |
| Acknowledgment | Within 48 hours of receipt |
| Completion rate | 100% of valid requests fulfilled |
| Quality | Accurate, complete responses |
Privacy Notice Requirements
Required Content
| Element | Description |
|---|---|
| Controller identity | Who you are, contact details |
| DPO contact | If appointed, contact information |
| Processing purposes | Why you process data |
| Legal basis | Lawful basis for each purpose |
| Categories of data | What personal data you collect |
| Recipients | Who receives the data |
| Transfers | International transfers and safeguards |
| Retention | How long data is kept |
| Rights | Data subject rights and how to exercise |
| Consent withdrawal | How to withdraw consent |
| Complaint right | Right to complain to supervisory authority |
| Source | Where you got the data (if not from subject) |
| Automated decisions | Profiling and automated decision-making |
Notice Delivery
| Collection Method | Notice Delivery |
|---|---|
| Direct collection | At time of collection |
| Indirect collection | Within reasonable period, max 1 month |
| Website | Privacy policy accessible from all pages |
| Mobile app | In-app privacy notice |
| Offline | Written notice at collection |
Common Questions
What's the difference between controller and processor controls?
Controller controls (Annex A) focus on determining and communicating processing purposes, honoring data subject rights, and privacy by design. Processor controls (Annex B) focus on following controller instructions and assisting controllers with their obligations.
What's the difference between pseudonymization and anonymization?
Pseudonymization replaces identifiers with artificial keys but remains reversible with additional information. Pseudonymized data is still personal data under GDPR and requires protection. Anonymization irreversibly removes all identifiers so individuals cannot be re-identified. Truly anonymized data falls outside GDPR scope. Most operational de-identification is pseudonymization because organizations need to re-link data for legitimate purposes.
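The distinction drawn above (and in control A.7.4.5) is easiest to see in code. The following is an added illustration, not code from the page or from any ISO 27701 implementation: it pseudonymizes a constructed dataset with a keyed HMAC whose key and token-to-identifier map are held apart from the data (the "additional information" that keeps the data re-linkable, and therefore still PII), and separately anonymizes the same dataset by dropping direct identifiers, generalizing ages into bands and releasing only aggregate counts for groups of at least `k` people. The sample records, the `k` threshold and the 16-hex-character token length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Constructed sample records (hypothetical people, not real data).
RECORDS = [
    {"email": "alice@example.com", "age": 34, "city": "Lyon", "plan": "pro"},
    {"email": "bob@example.com",   "age": 37, "city": "Lyon", "plan": "pro"},
    {"email": "carol@example.com", "age": 52, "city": "Nice", "plan": "free"},
    {"email": "dave@example.com",  "age": 31, "city": "Lyon", "plan": "free"},
]


class Pseudonymizer:
    """Replace a direct identifier with a keyed HMAC token.

    The key and the token->identifier lookup are the 'additional information'
    that makes the data reversible. They must be stored separately from the
    pseudonymized dataset and protected: the dataset remains personal data.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self._lookup: dict = {}

    def token(self, identifier: str) -> str:
        # Deterministic for a given key, so the same subject links across
        # datasets pseudonymized under that key; truncated for readability.
        tok = hmac.new(self.key, identifier.lower().encode(), hashlib.sha256)
        tok_hex = tok.hexdigest()[:16]
        self._lookup[tok_hex] = identifier
        return tok_hex

    def re_identify(self, tok_hex: str) -> Optional[str]:
        # Only the holder of this object (key + lookup) can reverse a token.
        return self._lookup.get(tok_hex)


def pseudonymize(records, p: Pseudonymizer):
    """Return records with the email replaced by a token; other fields kept."""
    out = []
    for r in records:
        kept = {k: v for k, v in r.items() if k != "email"}
        kept["subject_token"] = p.token(r["email"])
        out.append(kept)
    return out


def age_band(age: int) -> str:
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize(records, k: int = 2):
    """Drop direct identifiers, generalize quasi-identifiers, and release only
    aggregate counts for groups of at least k people; smaller groups are
    suppressed. Nothing here can be reversed because no identifier survives."""
    counts = Counter((age_band(r["age"]), r["city"], r["plan"]) for r in records)
    return {group: n for group, n in counts.items() if n >= k}


if __name__ == "__main__":
    p = Pseudonymizer()
    pseudo = pseudonymize(RECORDS, p)
    print("pseudonymized:", pseudo)
    print("re-linked:", p.re_identify(pseudo[0]["subject_token"]))
    print("anonymized:", anonymize(RECORDS))
```

The pseudonymized output still carries age, city and plan per row, so it stays inside the privacy regime and needs the safeguards the table lists for A.7.4.5; the anonymized output carries only counts, and the single-person groups are dropped before release because a count of one is itself identifying.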
Do I need to implement all 31 Annex A controls?
You must consider all controls and document in your Statement of Applicability which apply. Some may not apply if you don't perform certain activities (e.g., joint controller controls if you're not a joint controller).
How detailed must consent records be?
Detailed enough to demonstrate valid consent: who consented, when, to what specifically, what information was provided, and how. Timestamps, version of privacy notice, and specific consent scope are essential.
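As an added example of what such a record can look like in practice (this is illustrative code written for this page, not a reference implementation from ISO 27701 or any vendor), the ledger below captures the elements named in the answer above and in controls A.7.2.4, A.7.3.3 and A.7.3.4: who, when (UTC), to what specific purpose, which privacy notice version was shown, and through which mechanism. It is append-only, so withdrawal and modification are new events rather than edits, and it can answer "was consent active for this purpose at that time?" for any past moment. The purpose names, notice versions and mechanism labels are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str                 # who (a stable, pseudonymous reference)
    purpose: str                    # to what, specifically (one purpose per event)
    action: str                     # "granted" or "withdrawn"
    at: datetime                    # when, as a timezone-aware UTC timestamp
    mechanism: str                  # how consent was captured or withdrawn
    notice_version: Optional[str]   # what information was provided (None on withdrawal)


def _utc(at: Optional[datetime]) -> datetime:
    """Normalize timestamps: default to now, reject naive datetimes."""
    if at is None:
        return datetime.now(timezone.utc)
    if at.tzinfo is None:
        raise ValueError("consent timestamps must be timezone-aware")
    return at.astimezone(timezone.utc)


class ConsentLedger:
    """Append-only consent history. Events are never edited or removed, so the
    evidence trail demonstrating valid consent is preserved."""

    def __init__(self):
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              mechanism: str, at: Optional[datetime] = None) -> ConsentEvent:
        if not purpose or not notice_version or not mechanism:
            raise ValueError("purpose, notice version and mechanism are required")
        ev = ConsentEvent(subject_id, purpose, "granted", _utc(at), mechanism, notice_version)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, mechanism: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        when = _utc(at)
        if not self.is_active(subject_id, purpose, when):
            raise ValueError("no active consent to withdraw for this purpose")
        ev = ConsentEvent(subject_id, purpose, "withdrawn", when, mechanism, None)
        self._events.append(ev)
        return ev

    def is_active(self, subject_id: str, purpose: str,
                  at: Optional[datetime] = None) -> bool:
        """Consent is active if the most recent event for this subject and
        purpose at or before `at` is a grant. Purposes are never bundled."""
        when = _utc(at)
        history = sorted(
            (e for e in self._events
             if e.subject_id == subject_id and e.purpose == purpose and e.at <= when),
            key=lambda e: e.at,
        )
        return bool(history) and history[-1].action == "granted"

    def evidence(self, subject_id: str) -> List[dict]:
        """Export the full history for one subject, e.g. for a DSAR or audit."""
        return [
            {"purpose": e.purpose, "action": e.action, "at": e.at.isoformat(),
             "mechanism": e.mechanism, "notice_version": e.notice_version}
            for e in sorted(self._events, key=lambda e: e.at)
            if e.subject_id == subject_id
        ]


if __name__ == "__main__":
    ledger = ConsentLedger()
    t_grant = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    ledger.grant("subj-001", "marketing_email", "privacy-notice-v3.1",
                 "signup_checkbox", at=t_grant)
    ledger.withdraw("subj-001", "marketing_email", "preference_center", at=t_withdraw)
    print(ledger.is_active("subj-001", "marketing_email"))   # False today
    print(ledger.evidence("subj-001"))
```

Keeping one purpose per event is what lets the preference-center style modification required by A.7.3.4 work: changing one purpose leaves the others untouched, and the historical query shows that processing done while consent was active was lawful at the time even though consent has since been withdrawn.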
What if I rely on legitimate interests instead of consent?
You must document a Legitimate Interest Assessment (LIA) showing you've balanced your interests against data subject rights. This documentation is essential for demonstrating compliance.
How Bastion Helps
Implementing controller requirements requires understanding both legal obligations and practical operations. We help organizations implement effective controller controls.
| Service | Description |
|---|---|
| Processing inventory | Comprehensive documentation of all processing activities |
| Legal basis mapping | Document appropriate legal basis for each activity |
| Rights workflow | Design and implement DSAR fulfillment processes |
| Privacy notices | Develop compliant privacy communications |
| Control implementation | Implement Annex A controls systematically |
Ready to implement ISO 27701 controller requirements? Talk to our team
Sources
- ISO/IEC 27701:2019 Annex A - PII controller controls
- GDPR Articles 5-25 - Controller obligations under GDPR
- EDPB Guidelines on Consent - Consent requirements
- ICO Legitimate Interests Guidance - LIA approach
