What does control A.1.3.3 require?
The organisation shall determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.
This control sits within the Obligations to PII principals objective (A.1.3). While A.1.3.2 Obligations to PII Principals identifies what obligations you have, A.1.3.3 drills into the specific information content that must be communicated and establishes the timing rules for when that information must be provided.
What does the implementation guidance say?
Annex B (section B.1.3.3) provides detailed guidance on both the content and timing of information provision:
Information to be provided
- Identity of the controller — The name and contact details of the organisation responsible for processing
- Purposes of processing — A clear explanation of why PII is being processed, aligned with A.1.2.2 Identify and Document Purpose
- Categories of PII — What types of personal data are collected and processed
- Recipients — Any third parties or categories of third parties who will receive the PII
- Retention periods — How long the PII will be stored, or the criteria used to determine retention
- Rights available — The specific rights PII principals can exercise (access, rectification, erasure, restriction, portability, objection)
- Automated decision-making — Whether any automated profiling or decision-making is carried out, and the logic involved
- International transfers — Details of any transfers to other jurisdictions, including the safeguards in place
- See also A.1.3.6: Object to PII Processing for related requirements
- See also A.1.3.8: Obligations to Inform Third Parties for related requirements
Timing of provision
- Direct collection — Information should be provided at the time of collection
- Indirect collection — Information should be provided within a reasonable period after obtaining the PII, and no later than the time of first communication with the PII principal or first disclosure to a third party
How does this map to GDPR?
Control A.1.3.3 maps extensively to GDPR transparency provisions:
- Article 13(1-4) — Information to be provided where personal data are collected from the data subject
- Article 14(1-5) — Information to be provided where personal data have not been obtained from the data subject
- Article 11(2) — Provisions where the controller cannot identify the data subject
- Article 15(1-2) — Right of access requirements (informing data subjects what information they can access)
- Article 18(3) — Informing data subjects before a restriction of processing is lifted
- Article 21(4) — Informing data subjects of the right to object
The GDPR distinction between Articles 13 and 14 (direct vs indirect collection) maps directly to the timing guidance in B.1.3.3.
How does this relate to ISO 29100 privacy principles?
This control supports the Openness, transparency and notice principle from ISO 29100. This principle requires that PII principals are informed about how their data is processed in a manner that is clear, accessible and timely. A.1.3.3 operationalises this by requiring organisations to document exactly what information is needed and when it must be delivered.
What evidence do auditors expect?
When assessing compliance with A.1.3.3, auditors will typically look for:
- Privacy notice content matrix — A documented analysis of what information must be provided for each processing activity, mapped against legal requirements
- Timing documentation — Clear rules for when information is provided, distinguishing between direct and indirect collection scenarios
- Privacy notices — Actual notice documents (website privacy policies, collection notices, employee privacy notices) containing the required information elements
- Completeness review — Evidence that notices have been reviewed against the documented requirements to ensure nothing is missing
- Multi-channel coverage — Privacy notices appropriate to each collection channel (web forms, telephone, in-person, third-party sources)
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.3.2 Obligations to PII principals | Identifies the full set of obligations; A.1.3.3 determines the specific information content |
| A.1.3.4 Providing information to PII principals | Covers how to deliver the information determined under A.1.3.3 |
| A.1.2.2 Identify and document purpose | Purpose documentation feeds into the information provided to PII principals |
| A.1.2.9 Records related to processing PII | Processing records are a key source for the information to be communicated |
| A.1.3.5 Modify or withdraw consent | Consent withdrawal mechanisms should be communicated as part of the information package |
| A.1.3.7 Access, correction or erasure | Rights information is part of what must be communicated to PII principals |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was covered under Clause 7.3.2 (Determining information for PII principals). The 2025 edition gives this its own control number (A.1.3.3) with a clearer separation between determining the information content and the act of providing it (now A.1.3.4 Providing Information). The guidance content is substantively similar but benefits from the more structured format. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for managing privacy information requirements?
ISMS.online helps you systematically determine, document and maintain the information you owe PII principals:
- Privacy notice builder — Create and maintain privacy notices with prompts for each required information element, reducing the risk of omissions
- Collection channel mapping — Document what information is provided at each data collection point, ensuring consistent coverage across channels
- Timing rules engine — Set and track timing requirements for information provision based on direct or indirect collection, with alerts when deadlines approach
- Version-controlled documents — Maintain a full history of privacy notice changes with approval workflows, so you can demonstrate what information was provided and when
- Compliance gap detection — Compare your current notices against documented requirements to identify missing information before an auditor does
FAQs
What is the difference between A.1.3.3 and A.1.3.4 Providing Information?
A.1.3.3 is about deciding what information to include and when to provide it. A.1.3.4 Providing Information is about how you actually deliver that information to PII principals, covering format, clarity, accessibility and presentation. Think of A.1.3.3 as the content planning step and A.1.3.4 Providing Information as the delivery step.
How should timing differ for direct and indirect collection?
For direct collection (where PII is obtained from the individual), information should be provided at the point of collection, before or during the interaction. For indirect collection (where PII is obtained from a third party or public source), information should be provided within a reasonable period and no later than the first communication with the individual or the first disclosure to a third party. Under GDPR, the maximum for indirect collection is one month.
Do you need separate notices for different processing activities?
Not necessarily. A single comprehensive privacy notice can cover multiple processing activities, provided it is clear which information relates to which activity. However, where processing contexts are very different (e.g. customer data vs employee data), separate notices often provide better clarity. The key is that all required information elements are covered for every processing activity, regardless of how many documents you use.