PII Processor Policy
ISO/IEC 27701 Toolkit: Version 1 ©CertiKit
Implementation guidance The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document This document sets out the organization’s policy when acting as a processor regarding the privacy relationship with controllers.
Areas of the standard addressed

The following areas of the ISO/IEC 27701 standard are addressed by this document:

• Annex B
  o B.8.2 Conditions for collection and processing
    ▪ B.8.2.1 Customer agreement
    ▪ B.8.2.2 Organization's purposes
    ▪ B.8.2.3 Marketing and advertising use
    ▪ B.8.2.4 Infringing instruction
    ▪ B.8.2.5 Customer obligations
    ▪ B.8.2.6 Records relating to processing PII
  o B.8.3 Obligations to PII principals
    ▪ B.8.3.1 Obligations to PII principals
  o B.8.5 PII sharing, transfer and disclosure
    ▪ B.8.5.6 Disclosure of subcontractors used to process PII
    ▪ B.8.5.7 Engagement of a subcontractor to process PII
    ▪ B.8.5.8 Change of subcontractor to process PII
General guidance

It is important to document the organization's approach to ensuring that its customers, acting as PII controllers, are able to fulfil their privacy obligations, and to give assurance that the PII they provide will be respected. The specific requirements that must be fulfilled will depend on the laws involved, which in turn depend on the PII principals to whom the processed PII relates. This document is largely based on the requirements of the GDPR and may need to be amended if different legislation applies. The information in this document should be used in conjunction with the available guidance from relevant privacy bodies, such as the European Data Protection Board for the GDPR, relating to standard contractual clauses. This policy is based on our understanding of what is generally required, but it should be reviewed by a qualified legal practitioner before being relied upon in a contract.
Review frequency

We recommend that this document be reviewed whenever additional guidance is published by the relevant legislative bodies, such as the European Commission or the European Data Protection Board for the GDPR, or by your local supervisory authority.
Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property "Organization Name". To update this field (and any others that may exist in this document):

1. Update the custom document property "Organization Name" by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to "Always". This can be useful to check that you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents on an Apple Mac, and in Google Docs/Sheets.
Copyright notice Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only, from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
PII Processor Policy
Version 1
[Insert classification]
[Insert date]
[Insert name]
[Insert name/role]
Revision history VERSION
Distribution NAME
Approval NAME
Contents

1 Introduction .......................................................................... 8
2 PII Processor Policy ................................................................. 9
2.1 Customer agreement ................................................................. 9
2.1.1 Subject matter and duration of the processing ................................... 9
2.1.2 Nature and purpose of the processing ........................................... 10
2.1.3 Type of PII and categories of PII principals .................................... 10
2.1.4 Additional contractual terms to be included ..................................... 10
2.2 Use of customer provided PII ...................................................... 11
2.3 Infringing instruction ............................................................ 11
2.4 Assistance to the customer in fulfilling their obligations ........................ 11
2.5 Records of processing customer PII ................................................ 12
2.6 Use of subcontractors to process customer PII ..................................... 12
1 Introduction

[Organization Name] is committed to protecting the personally identifiable information (PII) that we process on behalf of our customers and to ensuring our, and our customers', compliance with all relevant legislation. Privacy legislation places obligations on a controller of PII to ensure the protection of that data when it is processed by a third party, that is, a processor. In forming a controller/processor relationship, privacy legislation is quite specific that a contractual agreement must be in place between the two parties, and that it must specify key items of information about the PII involved and how it is processed. This policy document sets out [Organization Name]'s approach to ensuring that all relevant requirements are understood and met when we act as a processor of PII on behalf of our customers.

The following related documents are relevant to this policy:

• Processor Security Controls
• Customer PII Transfer Policy
2 PII Processor Policy

2.1 Customer agreement

It is a requirement of all existing and new contractual agreements between [Organization Name] and customers, where PII is shared with us or processed on their behalf, that specific information is detailed and that data protection-related contract terms are included. The contract must be legally binding on both parties for it to be compliant. The following sections set out the information that is required and the terms that must be included.

Important Note: The exact wording of the data protection clauses may vary in each individual contract, and each amendment to an existing contract or creation of a new contract must be reviewed by a qualified legal practitioner with knowledge of the legal framework in the jurisdiction or jurisdictions involved. Standard contractual clauses (SCCs) may be made available by the relevant privacy legislative bodies, and these should be used where possible. The GDPR provides for the European Commission and individual supervisory authorities to adopt standard contractual clauses for controller-processor contracts (see Article 28 – Processor, paragraphs 6, 7 and 8) and, at the current version of this policy document, the European Commission has adopted such SCCs, on which the European Data Protection Board (EDPB) issued an opinion. The websites of the European Commission and the EDPB must be consulted on a regular basis to check the latest SCCs available.

Depending on the privacy legislation involved, the following information about the processing of PII may need to be included in each contract for it to be compliant. This information must be specific to the individual contract and must describe the processing in clear terms; generic descriptions open to wide interpretation must not be used.
2.1.1 Subject matter and duration of the processing

The topic or area that the processing is concerned with should be described, together with an indication of the period of time for which the processing should continue. A simple example could be "the creation and dispatch of marketing materials for a period of one year from the date of contract." This gives a clear indication of the area in which the PII is intended to be used and for how long it should be kept. [Organization Name], acting as a processor, is therefore not permitted to use the PII for any other purpose (unless the controller provides documented instructions to that effect) and cannot retain the data for longer than is contractually agreed.
2.1.2 Nature and purpose of the processing A description of the processing and the intended reasons for it must be included. A simple example of the nature of the processing could be “the printing of address labels from a list provided by the controller, the attachment of the labels to physical mailing pieces and their dispatch to the recipient.” Similarly, a simple example of the purpose of the processing could be “communication of customer product information to individuals who have requested it.” Again, this information is intended to make it clear how the PII will be used and why.
2.1.3 Type of PII and categories of PII principals The PII involved in the processing must be described as clearly as possible, partly in order to give an indication of its level of sensitivity, particularly if special categories of data (for example, genetic and biometric data) are involved. Information about the groups of PII principals that the PII refers to must also be given, in as much detail as is available or appropriate. A simple example could be “name and address of individuals who have requested product information”.
2.1.4 Additional contractual terms to be included

Privacy legislation generally requires that the controller specify a set of minimum terms related to data protection in the contract. These may require that the processor:

• Processes the PII only on documented instructions from the controller
• Ensures that persons authorised to process the PII have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Takes all measures required to provide a level of security of the PII appropriate to the risk
• Respects the relevant conditions for engaging another processor
• Allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller
• Assists the controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests for exercising the PII principal's rights laid down in relevant privacy legislation
• Assists the controller in ensuring compliance with their obligations in areas such as breach notification and privacy impact assessment
• At the choice of the controller, deletes or returns all the PII to the controller after the end of the provision of services relating to processing, and deletes existing copies unless relevant law requires storage of the PII
2.2 Use of customer provided PII A customer providing PII to [Organization Name] so that we may process it as part of our services remains the controller of that PII, as they determine the purpose of the processing. In processing that PII, [Organization Name] must ensure that it is only used for the specific purposes instructed by the customer, and for no additional reasons. In the event that we are processing customer provided PII for marketing and advertising purposes, assurance must be obtained from the customer that the PII principals involved have either given their consent, or that an alternative lawful basis for the processing has been established.
2.3 Infringing instruction Based on our understanding of the applicable legislation, the PII involved and the purpose of the processing (amongst other factors), [Organization Name] will form an opinion regarding the legality of the processing instructions provided by the customer and, if reasonable doubt exists regarding this, the customer must be informed of the concerns. Processing of the PII must be paused until those concerns are adequately addressed to both parties’ satisfaction.
2.4 Assistance to the customer in fulfilling their obligations

As the controller of the PII, the customer will have obligations under the relevant privacy legislation, and [Organization Name] is committed to ensuring that all appropriate assistance is given so that these obligations may be met. Such assistance may include:

• Participation in audits conducted by the customer, or by a customer-appointed third party
• Provision of PII to the customer so that PII principal access requests may be fulfilled within the required timescales
• Warnings and notifications in the event that a breach of PII within [Organization Name] is suspected or has occurred
• Information about the security controls used by [Organization Name] to protect the PII processed on the customer's behalf
• Details of international transfers of PII undertaken as part of the services provided
• Information about the methods of processing used to provide the service, for the customer and, where appropriate, for PII principals
• Liaison with supervisory authorities for activities such as approvals, consultations and investigations
• Participation in privacy impact assessments carried out by the customer with regard to PII processed by [Organization Name]
2.5 Records of processing customer PII

Where required by applicable legislation, [Organization Name] will maintain records of the processing of PII on behalf of the customer. These records may include:

• Contractual information covering the controller-processor relationship with the customer
• Categories of PII and PII principals processed on behalf of the customer
• Audit logs of processing carried out, for example emails sent and batch jobs completed
• Transfers of PII between countries and the lawful basis under which they were carried out
• Application of specific controls to the processing of PII for the customer
• Records of deletion or disposal of PII according to customer instructions
• Details of communication with supervisory authorities or other agencies, where permitted by law
• Audit reports relating to third-party certifications, for example to ISO standards
2.6 Use of subcontractors to process customer PII

[Organization Name] may use subcontractors as part of the provision of processing services involving PII. The subcontractors used, and any associated international transfers of PII, will be listed as a schedule to the contract with the customer and will form part of the agreement. Where appropriate, a non-disclosure agreement between [Organization Name] and the customer may be used to protect the identity of subcontractors.

An appropriate agreement will be in place with subcontractors who act as sub-processors of customer PII, such that the requirements of all relevant privacy legislation are met and [Organization Name]'s commitments to the customer are passed on through the supply chain. Only subcontractors that have been declared to the customer will be used to process customer PII. In the event that a subcontractor is changed, or a new one introduced, [Organization Name] will inform the customer and give them an opportunity to object to the change.