What does control A.1.3.2 require?

The organisation shall determine and document its legal, regulatory and business obligations to PII principals related to the processing of their PII and provide the means to meet these obligations.

This control sits within the Obligations to PII principals objective (A.1.3), which ensures that organisations fulfil their duties to the individuals whose data they process. A.1.3.2 is the foundational control in this group: you must first understand what rights and obligations apply before you can implement the mechanisms to fulfil them.

What does the implementation guidance say?

Annex B (section B.1.3.2) provides guidance on the types of obligations that organisations should identify and document. These vary by jurisdiction but commonly include:

  • Right to be informed — Providing PII principals with clear information about how their data is processed (see A.1.3.3 and A.1.3.4)
  • Right of access — Allowing individuals to obtain a copy of their PII (see A.1.3.7 and A.1.3.9)
  • Right to rectification — Correcting inaccurate or incomplete PII (see A.1.3.7)
  • Right to erasure — Deleting PII when it is no longer necessary or consent is withdrawn (see A.1.3.7)
  • Right to restrict processing — Limiting processing in certain circumstances
  • Right to data portability — Providing PII in a structured, machine-readable format (see A.1.3.9)
  • Right to object — Allowing individuals to object to processing (see A.1.3.6)

The guidance emphasises that obligations differ across jurisdictions. Organisations operating in multiple territories must map the specific rights that apply in each and ensure they have appropriate mechanisms in place.

How does this map to GDPR?

Control A.1.3.2 maps to GDPR Article 12(2), which requires controllers to facilitate the exercise of data subject rights. While A.1.3.2 is about determining and documenting the full set of obligations, Article 12(2) specifically requires that the means provided to PII principals are practical and accessible. Under GDPR, the rights listed above are codified in Articles 15 through 22.

How does this relate to ISO 29100 privacy principles?

This control supports the Individual participation and access principle from ISO 29100. This principle requires that PII principals have the ability to access their data, challenge its accuracy and have it amended or deleted where appropriate. A.1.3.2 is the planning layer that ensures you know what participation rights apply before implementing the mechanisms.

What evidence do auditors expect?

When assessing compliance with A.1.3.2, auditors will typically look for:

  • Obligations register — A documented register of all legal, regulatory and business obligations to PII principals, mapped to applicable jurisdictions
  • Jurisdictional analysis — Evidence that the organisation has identified which privacy laws apply based on where PII principals are located or where processing occurs
  • Mechanisms in place — Documented procedures, forms or systems that enable PII principals to exercise each applicable right
  • Policy documentation — A data subject rights policy or equivalent describing how each obligation is fulfilled
  • Staff training records — Evidence that staff responsible for handling requests understand the obligations and procedures
  • Regular reviews — Evidence that obligations are reassessed when legislation changes or the organisation enters new markets

What are the related controls?

Control and its relationship to A.1.3.2:

  • A.1.3.3 Determining information for PII principals: once obligations are identified, determine what information to provide
  • A.1.3.4 Providing information to PII principals: deliver the required information in a clear and accessible way
  • A.1.3.5 Modify or withdraw consent: consent withdrawal is one of the obligations to be identified and fulfilled
  • A.1.3.7 Access, correction or erasure: implements the access, rectification and erasure obligations identified here
  • A.1.3.10 Handling requests: operational procedures for responding to the requests arising from these obligations
  • A.1.2.9 Records related to processing PII: processing records should reflect the obligations identified for each activity

What changed from ISO 27701:2019?

In the 2019 edition, this requirement was part of Clause 7.3.1 (Determining and fulfilling obligations to PII principals). The 2025 edition restructures this into a distinct control (A.1.3.2) that focuses specifically on determining and documenting the full scope of obligations, separate from the information provision controls that follow. This gives the planning and analysis step its own audit checkpoint. See the Annex F correspondence table for the full mapping.

Why choose ISMS.online for managing PII principal obligations?

ISMS.online provides the structure and tools you need to identify, document and fulfil your obligations to PII principals:

  • Obligations mapping — Map PII principal rights across multiple jurisdictions in a single register, so you can see at a glance which rights apply where
  • Data subject request portal — Give PII principals a clear mechanism to exercise their rights, with automated routing to the right team
  • Workflow automation — Track each request from receipt to completion with built-in deadlines and escalation paths
  • Regulatory change tracking — Stay informed of legislative changes that affect your obligations, with prompted reviews when laws are updated
  • Cross-control linking — Connect obligations to the specific controls, policies and procedures that fulfil them, creating a complete compliance picture

FAQs

How do you determine which obligations apply to your organisation?

Start by identifying where your PII principals are located, where your organisation operates, and which privacy laws have extra-territorial reach. For each applicable jurisdiction, map the specific data subject rights that the law grants. Common frameworks include GDPR (EU/EEA), UK GDPR, CCPA/CPRA (California), LGPD (Brazil) and POPIA (South Africa). Each imposes slightly different obligations, so a jurisdictional analysis is essential.


What are business obligations as distinct from legal obligations?

Business obligations are commitments your organisation has made voluntarily, such as promises in your privacy notice, contractual terms with customers, or industry codes of conduct you have signed up to. These may go beyond what the law strictly requires. For example, you might promise to respond to access requests within 14 days even though the law allows 30 days. These self-imposed obligations must also be documented and met.


Does this control apply to PII processors?

A.1.3.2 is a PII controller control. PII processors have related obligations under A.2.3 (Obligations to PII principals for PII processors), which require them to assist the controller in fulfilling these obligations. However, processors should still understand the controller’s obligations so they can provide effective support when required.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
