ISO 27701 PII Processor Requirements
When your organization processes personal data on behalf of another organization (the controller, called the "customer" in the standard), you act as a PII processor. ISO/IEC 27701:2019 Annex B lists the 18 controls a processor implements on top of its PIMS so that it handles PII only as the controller instructs. Annex B is the processor counterpart of the controller controls in Annex A; an organization that acts in both roles (as most B2B SaaS companies do) implements both sets for the data each role covers.
Key Takeaways
| Point | Summary |
|---|---|
| Definition | PII processors process personal data on behalf of controllers |
| Control count | 18 controls across 4 control objectives (B.8.2 to B.8.5) in Annex B |
| Key obligations | Process only under instructions, assist controllers, manage sub-processors |
| Relationship focus | Contractual compliance with controller requirements |
| Documentation | Processing agreements, sub-processor records, instruction logs |
| Liability | Limited to processing scope, but significant for non-compliance |
Quick Answer: ISO 27701 processor requirements (Annex B) govern how you handle data when processing on behalf of controllers. Key obligations include processing only under documented instructions, assisting controllers with their obligations (like rights requests), properly managing sub-processors, and ensuring data return or deletion at relationship end.
Understanding the Processor Role
When You're a Processor
| Scenario | Processor Indicator |
|---|---|
| You host customer's customer data on their behalf | Processing for controller's purposes |
| You provide analytics on customer-provided data | Processing under customer direction |
| You send emails using customer's contact lists | Processing per customer instructions |
| You store data that customer controls | Providing processing infrastructure |
Processor vs. Controller Distinction
| Question | Controller | Processor |
|---|---|---|
| Who decides what data to collect? | Controller | N/A (controller decides) |
| Who decides why to process? | Controller | N/A (follows instructions) |
| Who decides how to process? | Controller (essential means: what data, for how long, who has access) | Chooses non-essential technical means within the instructions |
| Who responds to data subjects? | Controller | Assists controller |
| Who determines retention? | Controller | Follows controller policy |
The B2B SaaS Processor Model
Most B2B SaaS companies act as processors for customer data:
| Your Data | Your Role |
|---|---|
| Your employees' data | Controller |
| Your direct customers' accounts | Controller |
| Your customers' end-user data | Processor |
| Your customers' customer data | Processor |
Annex B Control Objectives
Annex B groups its 18 processor controls under four objectives, B.8.2 to B.8.5, mirroring clause 8 of the standard. The tables below use the standard's numbering and control titles.
B.8.2: Conditions for Collection and Processing
Process only under a contract with the customer (the controller) and only for the customer's documented purposes.
| Control | Requirement | Implementation |
|---|---|---|
| B.8.2.1 Customer agreement | Process only under a contract that sets out the customer's instructions | DPA or processing terms in place before any processing starts |
| B.8.2.2 Organization's purposes | Process the customer's PII only for the purposes in the instructions, never for your own | Documented permitted purposes; change control on any new use |
| B.8.2.3 Marketing and advertising use | No use of the customer's PII for marketing or advertising without the customer's consent | Technical and contractual controls preventing unauthorized marketing use |
| B.8.2.4 Infringing instruction | Inform the customer if an instruction infringes applicable law | Process for identifying, escalating and documenting such instructions |
| B.8.2.5 Customer obligations | Give the customer the information it needs to demonstrate compliance with its own obligations | Support processes and standard documentation |
| B.8.2.6 Records related to processing PII | Keep the records needed to demonstrate compliance with the customer's instructions | Records of processing per customer |
Key documentation:
- Data Processing Agreements (DPAs) with all controllers
- Instruction logs showing authorized processing
- Records of processing activities per controller
B.8.3: Obligations to PII Principals
Support controllers in meeting their obligations to data subjects.
| Control | Requirement | Implementation |
|---|---|---|
| B.8.3.1 Obligations to PII principals | Provide the customer with the means to meet its obligations to PII principals (rights requests, privacy notices) | Technical capability and procedures for locating, exporting, correcting, restricting and deleting one individual's data |
Assistance capabilities needed:
- Mechanisms to identify a specific individual's data within a single controller's data set
- Data export functionality for access requests
- Data deletion capability for erasure requests
- Data correction capability for rectification
B.8.4: Privacy by Design and Privacy by Default
Handle PII securely while it is being processed and when processing ends.
| Control | Requirement | Implementation |
|---|---|---|
| B.8.4.1 Temporary files | Dispose of temporary files and copies created during processing within a documented period | Temporary data procedures; scheduled cleanup of caches, exports and working copies |
| B.8.4.2 Return, transfer or disposal of PII | Return, transfer or securely dispose of PII at the end of processing, as the customer instructs, and make the policy available to the customer | Export in a portable format plus secure deletion with a deletion record |
| B.8.4.3 PII transmission controls | Protect PII transmitted over networks so that it reaches only its intended destination | Encrypted transport and authenticated endpoints for every transfer |
Retention during the relationship is not a separate Annex B control; it is part of processing per the customer's instructions (B.8.2.2) and is usually implemented as configurable retention per controller.
End of relationship procedures:
- Notify controller of approaching contract end
- Provide data export in portable format
- Confirm deletion requirements
- Execute secure deletion, including temporary files and copies
- Provide deletion certification
B.8.5: PII Sharing, Transfer and Disclosure
Control transfers, disclosures and the use of sub-processors (subcontractors, in the standard's terms).
| Control | Requirement | Implementation |
|---|---|---|
| B.8.5.1 Basis for PII transfer between jurisdictions | Inform the customer in advance of the basis for transfers between jurisdictions and of any intended change, so it can object or terminate | Transfer documentation |
| B.8.5.2 Countries and international organizations to which PII can be transferred | Specify and document the countries and international organizations PII may be transferred to | Documented list, agreed with the customer |
| B.8.5.3 Records of PII transfer | Record transfers of PII to or from third parties | Transfer logging |
| B.8.5.4 Notification of PII disclosure requests | Notify the customer of legally binding requests for disclosure of PII | Notification procedures |
| B.8.5.5 Legally binding PII disclosures | Reject disclosure requests that are not legally binding, consult the customer where legally permitted, and accept only contractually agreed requests | Request assessment and disclosure logging |
| B.8.5.6 Disclosure of subcontractors used to process PII | Disclose the use of subcontractors to the customer before use | Maintained sub-processor register |
| B.8.5.7 Engagement of a subcontractor to process PII | Engage subcontractors only as the customer contract allows, with the same obligations flowed down in writing | Contracts with sub-processors; authorization records |
| B.8.5.8 Change of subcontractor to process PII | Under a general authorization, inform the customer of intended additions or replacements so it can object | Change notification process |
Transfer considerations:
- Sub-processors in other jurisdictions
- Law enforcement requests
- Required regulatory disclosures
Sub-processor documentation:
| Element | Content |
|---|---|
| Register | Name, location, services, data types |
| Contracts | Processing terms, security requirements |
| Due diligence | Security assessment evidence |
| Change log | History of sub-processor changes |
Data Processing Agreement Requirements
Essential DPA Elements
| Element | Description |
|---|---|
| Subject matter | What processing is covered |
| Duration | How long processing continues |
| Nature and purpose | Why and how processing occurs |
| Data types | Categories of PII processed |
| Data subjects | Whose data is processed |
| Controller obligations | What controller must do |
| Processor obligations | What processor must do |
Processor Commitments in DPA
| Commitment | Details |
|---|---|
| Instructions | Process only on documented instructions |
| Confidentiality | Ensure personnel confidentiality obligations |
| Security | Implement appropriate technical and organizational measures |
| Sub-processing | Use sub-processors only with authorization |
| Assistance | Assist with rights requests and obligations |
| Audit | Allow controller audits |
| Deletion | Delete or return at end of service |
Instruction Management
Processing Instruction Types
| Type | Example | Documentation |
|---|---|---|
| Initial instructions | DPA scope and permitted processing | DPA terms |
| Standing instructions | Standard platform functionality | Service documentation |
| Ad hoc instructions | Specific controller requests | Written request and confirmation |
| Configuration | Customer settings and preferences | System configuration records |
Instruction Documentation
| Element | Purpose |
|---|---|
| Request | What the controller asked |
| Date | When instruction received |
| Verification | How requester was verified |
| Assessment | Whether instruction is lawful |
| Implementation | How instruction was executed |
| Confirmation | Acknowledgment to controller |
Handling Problematic Instructions
| Situation | Response |
|---|---|
| Instruction seems unlawful | Inform controller, don't process without clarification |
| Instruction exceeds DPA scope | Request amendment or additional authorization |
| Instruction conflicts with regulation | Explain concern, seek legal guidance |
| Instruction unclear | Request clarification before acting |
Supporting Controller Obligations
Rights Request Assistance
| Right | Processor Support |
|---|---|
| Access | Export individual's data on request |
| Rectification | Correct data per controller instruction |
| Erasure | Delete data per controller instruction |
| Portability | Provide data in portable format |
| Restriction | Restrict processing per instruction |
Response Timelines
| Activity | Timeline |
|---|---|
| Acknowledge request | Within 24-48 hours (a typical DPA commitment; the DPA governs) |
| Provide requested data | As needed to meet controller's deadline |
| Execute deletion | Per controller instruction |
| Confirm completion | Promptly after execution |
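The rights-assistance capabilities above (locate, export and erase one individual's data for one controller) and the return-then-delete step at the end of service all rest on the same property: every record and every subject identifier is scoped to a single controller, so a lookup on behalf of one customer can never surface another customer's data. The following is an added example, not code from the page or from any product; the in-memory store, table and field names, audit action names and sample data are assumptions constructed for illustration.

```python
"""Processor-side rights assistance and end-of-service deletion.

Added example (not from the page): an in-memory store in which every record
is scoped to one controller, with functions to locate, export and erase a
single PII principal's data for that controller, and to return then delete a
whole controller's data with a verifiable deletion record. Table names, field
names, audit actions and sample data are assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone


def subject_ref(controller_id: str, identifier: str) -> str:
    """Tenant-scoped pseudonymous key for a PII principal.

    Hashing the controller id together with the normalized identifier means
    the same e-mail under two controllers yields two unrelated refs, so a
    lookup for one controller cannot match another controller's records.
    """
    normalized = identifier.strip().lower()
    return hashlib.sha256(f"{controller_id}:{normalized}".encode("utf-8")).hexdigest()


class ProcessorStore:
    """In-memory stand-in for the processor's data store (assumption)."""

    def __init__(self) -> None:
        # table name -> records; every record carries controller_id and subject_ref
        self.tables: dict[str, list[dict]] = {"contacts": [], "events": []}
        # records of processing kept per controller (exports, erasures, deletions)
        self.audit: list[dict] = []

    def insert(self, table: str, controller_id: str, identifier: str, payload: dict) -> None:
        record = {"controller_id": controller_id,
                  "subject_ref": subject_ref(controller_id, identifier), **payload}
        self.tables[table].append(record)

    def _log(self, controller_id: str, action: str, detail: dict) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "controller_id": controller_id, "action": action, **detail})

    def locate_subject(self, controller_id: str, identifier: str) -> dict[str, list[dict]]:
        """Find one individual's records, restricted to the requesting controller."""
        ref = subject_ref(controller_id, identifier)
        return {table: [r for r in rows
                        if r["controller_id"] == controller_id and r["subject_ref"] == ref]
                for table, rows in self.tables.items()}

    def export_subject(self, controller_id: str, identifier: str) -> str:
        """Access/portability assistance: portable JSON of the individual's records."""
        found = self.locate_subject(controller_id, identifier)
        self._log(controller_id, "subject_export",
                  {"records": sum(len(v) for v in found.values())})
        return json.dumps(found, indent=2, sort_keys=True)

    def erase_subject(self, controller_id: str, identifier: str) -> int:
        """Erasure assistance: delete the individual's records for this controller only."""
        ref = subject_ref(controller_id, identifier)
        removed = 0
        for table, rows in self.tables.items():
            keep = [r for r in rows
                    if not (r["controller_id"] == controller_id and r["subject_ref"] == ref)]
            removed += len(rows) - len(keep)
            self.tables[table] = keep
        self._log(controller_id, "subject_erasure", {"subject_ref": ref, "records_removed": removed})
        return removed

    def offboard_controller(self, controller_id: str) -> tuple[bytes, dict]:
        """End of service: return everything for the controller, then delete it.

        The deletion record carries the hash of the export so the controller can
        check that what it received is exactly what was deleted.
        """
        export = {table: [r for r in rows if r["controller_id"] == controller_id]
                  for table, rows in self.tables.items()}
        blob = json.dumps(export, sort_keys=True).encode("utf-8")
        for table, rows in self.tables.items():
            self.tables[table] = [r for r in rows if r["controller_id"] != controller_id]
        record = {"records_deleted": sum(len(v) for v in export.values()),
                  "export_sha256": hashlib.sha256(blob).hexdigest(),
                  "deleted_at": datetime.now(timezone.utc).isoformat()}
        self._log(controller_id, "controller_offboard", record)
        return blob, record


def verify_deletion_record(blob: bytes, record: dict) -> bool:
    """Controller-side check that the export matches the deletion record."""
    return hashlib.sha256(blob).hexdigest() == record["export_sha256"]


def build_demo_store() -> ProcessorStore:
    """Constructed sample data: two controllers share one end user's e-mail."""
    store = ProcessorStore()
    store.insert("contacts", "acme", "Alice@Example.com", {"name": "Alice"})
    store.insert("events", "acme", "alice@example.com", {"event": "login"})
    store.insert("events", "acme", "alice@example.com", {"event": "purchase"})
    store.insert("contacts", "acme", "bob@example.com", {"name": "Bob"})
    store.insert("contacts", "globex", "alice@example.com", {"name": "A. Smith"})
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.export_subject("acme", "alice@example.com"))
    print("erased:", store.erase_subject("acme", "alice@example.com"))
    blob, rec = store.offboard_controller("acme")
    print("offboard verified:", verify_deletion_record(blob, rec), rec)
```

Rectification and restriction use the same `locate_subject` lookup and are omitted for brevity. Two caveats for a real system: the erasure must also reach backups, caches and exported copies (the temporary-file control in Annex B), which an in-memory store does not model, and the deletion record only attests to what the processor deleted, so it should be signed or logged to an append-only store before it is handed to the controller as a deletion certificate.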
Breach Notification
When you become aware of a personal data breach:
| Step | Timeline |
|---|---|
| 1. Containment | Immediately upon discovery |
| 2. Assessment | Begin immediately |
| 3. Controller notification | Without undue delay (GDPR does not specify hours; DPA may require 24-48 hours) |
| 4. Information provision | As facts become available |
| 5. Assistance | Support controller's notification obligations |
Important: The 72-hour deadline in GDPR Article 33 applies to controllers notifying the supervisory authority, not to processors notifying controllers. Your Data Processing Agreement typically specifies your notification timeline to controllers.
Notification content:
| Element | Details |
|---|---|
| Nature of breach | What happened |
| Data affected | Types and approximate volume |
| Likely consequences | Potential impact |
| Measures taken | Response actions |
| Contact point | For further information |
Common Questions
What if a controller's instructions seem inadequate for security?
You can and should raise concerns. Processors often have technical expertise that controllers lack. Document your recommendations. If the controller insists on inadequate measures, document this and consider whether continued processing is appropriate.
Can I use customer data for my own purposes?
Generally no. Processing beyond controller instructions typically requires separate authorization or a different legal basis where you would be acting as a controller. This should be clearly disclosed and agreed.
What if I receive a law enforcement request for customer data?
Notify the controller unless legally prohibited. The controller should generally respond to legal requests. You may need to comply with direct legal requirements, but document everything and notify controller when permitted.
How do I demonstrate compliance to controllers?
Provide evidence of ISO 27701 certification, audit reports, security documentation, and make yourself available for controller audits as required by your DPA.
Processor Liability Considerations
Where Processors Are Liable
| Scenario | Liability |
|---|---|
| Processing beyond instructions | Processor liable as if controller |
| Inadequate security | Processor liable for security failures |
| Sub-processor failures | Processor remains accountable |
| Failure to assist | Breach of DPA obligations |
| Unauthorized disclosure | Direct liability for breach |
Limiting Liability
| Approach | Implementation |
|---|---|
| Clear scope | Well-defined DPA boundaries |
| Documented instructions | Written record of all instructions |
| Sub-processor diligence | Careful selection and monitoring |
| Security measures | Appropriate technical and organizational measures |
| Insurance | Appropriate cyber and professional liability coverage |
How Bastion Helps
Implementing processor requirements requires understanding both regulatory obligations and practical customer relationship management. We help organizations build effective processor compliance programs.
| Service | Description |
|---|---|
| DPA review | Ensure your DPA meets ISO 27701 requirements |
| Sub-processor management | Establish sub-processor oversight program |
| Instruction handling | Design instruction management processes |
| Rights support | Build technical capabilities for rights assistance |
| Audit readiness | Prepare for controller audits |
Ready to implement ISO 27701 processor requirements? Talk to our team
Sources
- ISO/IEC 27701:2019 Annex B - PII processor controls
- GDPR Article 28 - Processor requirements
- GDPR Article 33 - Notification of personal data breach
- EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR
