ISO/IEC 27701 (49 requirements)
ISO/IEC 27701:2019 privacy information management clauses and control enhancements for PII controllers and processors.
Requirements in this framework
- Access control for PII
- Access, correction and erasure
- Accuracy and quality
- Addressing security in supplier agreements for PII
- Automated decision making
- Basis for PII transfer between jurisdictions (processor)
- Change of sub-contractor to process PII
- Classification of PII
- Contracts with PII processors
- Countries and international organizations to which PII can be transferred
- Country or region of PII processing
- Customer agreement
- Customer obligations
- Determine when and how consent is to be obtained
- Determining and fulfilling obligations to PII principals
- Determining information for PII principals
- Determining the scope of the PIMS
- Disclosure of sub-contractors used to process PII
- Engagement of a sub-contractor to process PII
- Handling requests
- Identify and document purpose
- Identify basis for PII transfer between jurisdictions
- Identify lawful basis
- Information security policies for PII protection
- Information security roles and responsibilities for PII
- Joint PII controller
- Limit collection
- Limit processing
- Obligations to PII principals (processor)
- Obtain and record consent
- Organization's purposes
- PII controllers' obligations to inform third parties
- PII de-identification and deletion at end of processing
- PII minimization objectives
- Privacy awareness, education and training
- Privacy impact assessment
- Privacy information management system
- Privacy risk assessment
- Privacy risk treatment
- Providing copy of PII processed
- Providing information to PII principals
- Providing mechanism to modify or withdraw consent
- Providing mechanism to object to PII processing
- Records related to processing PII
- Responsibilities and procedures for PII breaches
- Return, transfer or disposal of PII (processor)
- Temporary files (processor)
- Understanding the needs and expectations of interested parties
- Understanding the organization and its context