GDPR Article 13 deals with the often extensive amount of information that needs to be provided to data subjects, by controllers, both at point of collection and throughout the processing operation.
Article 13: Information to be provided where personal data are collected from the data subject
Organisations need to make the following information available at the point of collection, where it’s applicable (e.g. international transfers):
In accordance with the guidance outlined in Article 13, organisations also need to provide the following information:
Organisations should outline a detailed set of requirements that govern how and when information is to be provided to PII principals.
Examples include:
All information should be provided error-free, and in language that is easily understood (e.g. free of jargon, not overly technical) by the people who will read it (see ISO 27701 clause 7.3.2).
Mechanisms should be provided that cater to the rights of any PII principal who is seeking to withdraw consent.
Communication channels should mirror those that were used by the organisation to initially collect the data, and PII principals should be able to restrict the controller from performing certain actions.
Organisations should commit to a published response time for all modification or withdrawal of consent requests, and all such requests should be thoroughly documented.
Local and national laws vary between jurisdictions, but on the whole, PII principals should retain the ability to raise objections over how their data has been stored, processed or transferred.
Organisations should:
Organisations should document procedures that allow data subjects to perform three basic functions:
Organisations should commit to a published response time for all access, correction or deletion requests, and provide a reason as to why corrections aren’t able to be actioned, where relevant.
If PII has been transferred to a third party, organisations are obliged to relay any requests to them, and confirm acknowledgement (see ISO 27701 clause 7.3.7).
Depending on the jurisdiction, various regional and national rules can apply. As such, organisations should maintain a thorough understanding of any laws or regulations that apply to the access to, correction of or deletion of PII.
Organisations should address any legal obligations to PII principals that relate to the automated processing of PII.
Organisations should take into account jurisdictional variances in automated decision making regarding PII, and more specifically allow PII principals to object to automated procedures and to request human intervention in their place.
Organisations need to delete and/or dispose of PII that they no longer require, or that no longer fulfils a specific purpose.
Organisations should operate with retention schedules that outline the exact period of time that PII is retained for, including adherence to any legal, statutory or contractual requirements.
| GDPR Article | ISO 27701 Clause | Supporting Clauses |
|---|---|---|
| Article 14(1)(a), (1)(b), (1)(c), (1)(d), (1)(e), (1)(f), (2)(b), (2)(e), (2)(f), (3)(a), (3)(b), (3)(c), (4), (5)(a), (5)(b), (5)(c) and (5)(d) | ISO 27701 7.3.2 | None |
| Article 14(2)(d) | ISO 27701 7.3.4 | None |
| Article 14(2)(c) | ISO 27701 7.3.5 | None |
| Article 14(2)(c) | ISO 27701 7.3.6 | ISO 27701 7.3.7 |
| Article 14(2)(g) | ISO 27701 7.3.10 | None |
| Article 14(2)(a) | ISO 27701 7.4.7 | None |