What does control A.1.3.4 require?
The organisation shall provide PII principals with clear and easily accessible information identifying the PII controller and describing the processing of their PII.
This control sits within the Obligations to PII principals objective (A.1.3). Where A.1.3.3 (Information for PII principals) determines what information to provide and when, A.1.3.4 focuses on the delivery: how that information is presented, formatted and made accessible to the people who need it.
What does the implementation guidance say?
Annex B (section B.1.3.4) provides guidance on the quality and delivery of information to PII principals:
- Concise and transparent — Information should be free from unnecessary jargon and presented in a way that is easy to understand
- Intelligible — Written for the intended audience, considering factors such as age, language and literacy
- Easily accessible — PII principals should not need to search extensively to find the information. It should be prominently placed and available without barriers
- Clear and plain language — Avoid legal or technical language wherever possible. If technical terms are necessary, provide explanations
- Layered notices — Consider using a layered approach for complex processing, with a short summary layer linking to more detailed information
- Designated contact point — Provide a specific contact for privacy-related enquiries, making it easy for PII principals to ask questions or exercise their rights
- See also A.1.3.7: Access, Correction or Erasure for related requirements
- See also A.1.3.8: Obligations to Inform Third Parties for related requirements
The guidance recognises that a single format may not work for all audiences and encourages organisations to consider multiple delivery channels and formats.
How does this map to GDPR?
Control A.1.3.4 maps to several GDPR provisions related to the form and quality of transparency:
- Article 12(1) — Transparency requirement: information must be concise, transparent, intelligible and easily accessible, using clear and plain language
- Article 12(7) — Information may be provided in combination with standardised icons to give a meaningful overview
- Article 11(2) — Provisions where the controller cannot identify the data subject
- Article 13(3) — Requirement to inform about changes of purpose
- Article 21(4) — Right to object must be explicitly brought to attention and presented clearly
GDPR Article 12(1) is the cornerstone transparency provision. Regulators have issued significant fines for privacy notices that fail the clarity and accessibility tests, even when the required information elements were technically present.
How does this relate to ISO 29100 privacy principles?
This control supports two ISO 29100 privacy principles:
- Openness, transparency and notice — Directly addresses the requirement for clear, accessible communication about processing practices
- Individual participation and access — Providing a designated contact point enables individuals to participate in managing their privacy
What evidence do auditors expect?
When assessing compliance with A.1.3.4, auditors will typically look for:
- Published privacy notices — Actual notices available to PII principals, assessed for clarity, accessibility and completeness
- Readability assessment — Evidence that notices have been reviewed for plain language, with consideration of the target audience
- Layered notice structure — Where processing is complex, evidence of a layered or progressive disclosure approach
- Multi-format delivery — Privacy information available across relevant channels (website, app, in-store, telephone)
- Designated contact details — A clearly published privacy contact point or data protection officer contact
- User testing or feedback — Any evidence that PII principals can actually find and understand the information provided
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.3.3 Determining information for PII principals | Determines the content; A.1.3.4 governs how it is presented and delivered |
| A.1.3.2 Obligations to PII principals | The overarching obligations that drive the information provision requirements |
| A.1.3.5 Modify or withdraw consent | Consent withdrawal mechanisms should be communicated clearly as part of the information provided |
| A.1.3.6 Object to PII processing | The right to object must be presented clearly and separately from other information |
| A.1.3.10 Handling requests | Contact details and request procedures should be part of the information provided |
| A.1.2.4 Determine consent | Consent collection points are key delivery moments for privacy information |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was part of Clause 7.3.3 (Providing information to PII principals). The 2025 edition retains the same principles but benefits from the clearer separation between A.1.3.3 Information for PII Principals (what to communicate) and A.1.3.4 (how to communicate it). The emphasis on layered notices and plain language remains central. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for delivering privacy information?
ISMS.online supports the entire lifecycle of privacy information delivery:
- Privacy notice templates — Start from professionally structured templates designed for clarity and completeness, with plain language prompts for each section
- Layered notice support — Create summary and detailed notice layers linked together, making complex processing easy to communicate
- Approval workflows — Route draft notices through legal, compliance and marketing review before publication, ensuring quality and consistency
- Change notifications — When processing activities change, receive prompts to update the corresponding privacy notices before changes go live
- Centralised contact management — Maintain your designated privacy contact details in one place, linked across all notices and request forms
- Audit trail — Demonstrate to auditors exactly what information was published, when it was updated and who approved each version
FAQs
What makes a privacy notice “easily accessible”?
Easily accessible means PII principals should not have to search for the information. On a website, this typically means a prominent link in the footer or header of every page. For mobile apps, it means accessible from within the app without requiring external navigation. For offline collection, it means printed notices available at the point of collection. The test is whether a reasonable person could find the information without difficulty.
When should you use a layered notice approach?
Layered notices are particularly useful when processing is complex, involves multiple purposes or categories of PII, or where space is limited (such as on mobile devices or at physical collection points). The short layer provides the most important information at a glance (who you are, what you are collecting and why, key rights) with a clear link to the full notice. This approach balances the need for completeness with the practical reality that most people will not read a lengthy document.
Can you use icons or visual elements in privacy notices?
Yes, and the GDPR specifically encourages it. Article 12(7) allows information to be provided in combination with standardised icons to give a meaningful overview in an easily visible, intelligible and clearly legible manner. Icons can help convey key messages quickly, but they should supplement the text rather than replace it. Any icons used should be consistent and easily understood by the target audience.