PII principal rights — comprehensive ISO 27701-anchored programme
Primary statement
PII principal rights operate per ISO 27701 PIMS specifications: (1) determine information to provide to PII principals (A.1.3.1); (2) provide privacy notice at collection (A.1.3.2); (3) provide mechanism to object to processing (A.1.3.4); (4) provide rights of access, correction, erasure, portability (A.1.3.5); (5) automated decision-making and profiling controls (A.1.3.6); (6) handling requests with documented procedure — receive, authenticate, evaluate, respond (A.1.3.7); (7) processor support to controller for principal requests (A.2.3.1).
Audit-fatigue payoff
A single PIMS-aligned rights programme — request portal + identity verification + per-right SLA + automated decision-making controls + processor support — satisfies ISO 27701 PIMS audit requirements end-to-end. The ISO 27701 specification IS the audit standard for this cluster; no other framework provides this level of PIMS depth.
Strictness matrix
Scope
Scope: receive + authenticate + evaluate + respond — four operations per request. Coverage of all PII principal rights — access, correction, erasure, portability, objection, ADM intervention. Processor responsibilities (A.2.3.1) take the form of processor support to the controller in fulfilling principal requests.
Ceiling source: iso27701:A.1.3.7
Rationale: ISO 27701 A.1.3.7 four-operation scope is comprehensive. A.2.3.1 extends to processor responsibilities.
Threshold
Threshold: documented procedure for receive / authenticate / evaluate / respond. Identity authentication threshold proportionate to request sensitivity. Response SLA per applicable jurisdiction (typically 30–45 days).
Ceiling source: iso27701:A.1.3.7
Rationale: ISO 27701 A.1.3.7 documented-procedure threshold is the audit-defensible specification.
Method
Method: (1) information determination per A.1.3.1; (2) privacy notice at collection per A.1.3.2; (3) mechanism to object per A.1.3.4; (4) access / correction / erasure / portability rights per A.1.3.5; (5) automated decision-making controls per A.1.3.6 — meaningful information about logic, significance, consequences + right to human intervention; (6) documented request handling per A.1.3.7; (7) processor support to controller per A.2.3.1.
Ceiling source: iso27701:A.1.3.7
Rationale: ISO 27701 A.1.3.7 anchors the method with the request-handling procedure. The full A.1.3.x and A.2.3.1 control set is the audit-defensible specification.
Frequency
Request handling: per request within SLA (typically 30–45 days per jurisdiction). Procedure review: annual minimum + on regulatory change. Privacy notice review: annual + on processing change.
Ceiling source: iso27701:A.1.3.7
Rationale: Per-request SLA is the operational floor. Annual procedure review is the audit-defensible periodic cadence.
Evidence
Required evidence: (1) documented request handling procedure; (2) request register with classification, identity verification, evaluation, response, SLA tracking; (3) privacy notice current version; (4) sample fulfilled requests (one per right type — access, correction, erasure, portability); (5) automated decision-making controls evidence (A.1.3.6); (6) processor support records (A.2.3.1).
Ceiling source: iso27701:A.1.3.7
Rationale: ISO 27701 A.1.3.7 evidence list is comprehensive for PIMS audit. The per-right-type sample is the audit-defensible discipline.
Auditor test pattern
Step 1: Inspect the documented request handling procedure (A.1.3.7). Step 2: Inspect the privacy notice; verify it meets A.1.3.1 + A.1.3.2 content requirements. Step 3: Inspect the request register; verify classification and SLA tracking. Step 4: Sample one request per right type (access, correction, erasure, portability); verify fulfilment evidence. Step 5: For ADM/profiling, verify A.1.3.6 controls (meaningful information, human intervention right). Step 6: For processors, verify A.2.3.1 support to controller via sample evidence.
Common findings
Common 2024–26 findings: (1) Documented procedure exists but identity verification step is informal; (2) Erasure not propagated to backups and processors; (3) ADM controls absent — A.1.3.6 not implemented; (4) Privacy notice covers GDPR but misses ISO 27701 additional content elements; (5) Processors do not support controller A.2.3.1 obligations; (6) Request SLA tracking absent — responses ad-hoc.
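The A.1.3.7 receive / authenticate / evaluate / respond procedure as a minimal request register, written as an added example (not part of the original page or of ISO 27701): it gates evaluation on a recorded, proportionate identity check, computes the SLA deadline per jurisdiction, flags overdue entries, and pulls the one-per-right audit sample. The verification tier required per right and the 30/45-day windows are this example's assumptions, not values from the standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Right types (A.1.3.4-A.1.3.6); the verification tier required per right is this example's assumption.
RIGHTS = {"access": "strong", "correction": "standard", "erasure": "strong",
          "portability": "strong", "objection": "standard", "adm_intervention": "standard"}
TIER_RANK = {"none": 0, "standard": 1, "strong": 2}
# Illustrative response windows in days; the binding SLA is set by the applicable jurisdiction.
SLA_DAYS = {"EU": 30, "US-CA": 45}

@dataclass
class Request:
    ref: str
    right: str
    jurisdiction: str
    received: str                    # ISO date, e.g. "2025-01-10"
    state: str = "received"          # received -> authenticated -> evaluated -> responded
    verified_tier: str = "none"
    decision: str = ""
    responded: str = ""              # ISO date once the response is sent

    @property
    def deadline(self) -> str:
        return (date.fromisoformat(self.received) + timedelta(days=SLA_DAYS[self.jurisdiction])).isoformat()

    def authenticate(self, tier: str) -> None:
        # Identity verification proportionate to request sensitivity (A.1.3.7 threshold).
        if TIER_RANK[tier] < TIER_RANK[RIGHTS[self.right]]:
            raise ValueError(f"{self.ref}: {self.right} needs {RIGHTS[self.right]} verification")
        self.verified_tier, self.state = tier, "authenticated"

    def evaluate(self, decision: str) -> None:
        # Evaluation is gated on a recorded authentication, so that step cannot stay informal.
        if self.state != "authenticated":
            raise ValueError(f"{self.ref}: evaluate before authentication")
        self.decision, self.state = decision, "evaluated"

    def respond(self, on: str) -> None:
        if self.state != "evaluated":
            raise ValueError(f"{self.ref}: respond before evaluation")
        self.responded, self.state = on, "responded"

def overdue(register: list, today: str) -> list:
    # SLA tracking across the register: open requests past deadline, or closed late (ISO dates sort as strings).
    return [r.ref for r in register if (r.responded or today) > r.deadline]

def audit_sample(register: list) -> dict:
    # One fulfilled request per right type, as the auditor test pattern samples it.
    return {right: next((r.ref for r in register if r.right == right and r.state == "responded"), None)
            for right in RIGHTS}
```

A `None` in the `audit_sample` result is a right type with no fulfilled request on file, which is exactly the gap an auditor sampling per right type would report.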