
What does control A.1.3.9 require?

The organisation shall be able to provide a copy of the PII that is processed, when requested by the PII principal.

This control sits within the Obligations to PII principals objective (A.1.3). While A.1.3.7 Access, Correction or Erasure covers the broader right of access, A.1.3.9 focuses specifically on the practical delivery of PII copies and introduces data portability requirements. This is the control that turns the abstract right of access into a tangible deliverable.

What does the implementation guidance say?

Annex B (section B.1.3.9) provides guidance on how to fulfil copy and portability requests effectively:

  • Structured and machine-readable format — Where technically feasible, provide PII in a structured, commonly used and machine-readable format. Common formats include CSV, JSON and XML
  • Right to transmit — Consider the PII principal’s right to transmit data directly to another controller. Where technically feasible, provide a mechanism for direct controller-to-controller transfer
  • First copy free — The first copy should be provided free of charge. For additional copies, a reasonable fee based on administrative costs may be applied
  • Secure delivery — Copies must be delivered securely, using encrypted channels or secure download links, to prevent unauthorised access during transmission
  • Scope of data — Clarify what PII is in scope for copy requests vs portability requests. Portability typically applies to PII provided by the individual and processed by automated means on the basis of consent or contract
  • See also A.1.3.3: Determining Information for PII Principals for related requirements
  • See also A.1.3.6: Object to PII Processing for related requirements

The guidance recognises that the format and method of delivery should be practical for both the organisation and the PII principal. Where multiple formats are available, the PII principal should be able to choose their preferred format.

How does this map to GDPR?

Control A.1.3.9 maps to GDPR provisions covering both access copies and data portability:

  • Article 15(3) — The controller shall provide a copy of the personal data undergoing processing. For further copies, the controller may charge a reasonable fee based on administrative costs
  • Article 15(4) — The right to obtain a copy shall not adversely affect the rights and freedoms of others
  • Article 20(1) — Right to receive personal data in a structured, commonly used and machine-readable format (data portability)
  • Article 20(2) — Right to have personal data transmitted directly from one controller to another, where technically feasible
  • Article 20(3) — Portability does not create an obligation to delete data from the original controller
  • Article 20(4) — Portability shall not adversely affect the rights and freedoms of others

Note the important distinction: Article 15 (access copy) applies to all personal data processed by the controller. Article 20 (portability) applies only to data provided by the individual, processed by automated means, on the basis of consent or contract.
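As an added illustration (not part of the original page or any ISMS.online feature), the following Python sketch applies the Article 15 / Article 20 scope distinction above to a constructed set of records. The provenance metadata on each record (source, automated, lawful_basis) and the field names are assumptions made for the example.

```python
import csv
import io
import json

# Constructed sample: one PII principal's records, each tagged with the provenance
# metadata that the Article 15 / Article 20 distinction turns on (assumed schema).
SAMPLE_RECORDS = [
    {"field": "email", "value": "alex@example.test",
     "source": "principal", "automated": True, "lawful_basis": "contract"},
    {"field": "newsletter_topics", "value": "security;privacy",
     "source": "principal", "automated": True, "lawful_basis": "consent"},
    {"field": "tax_id", "value": "TAX-0000-EXAMPLE",
     "source": "principal", "automated": True, "lawful_basis": "legal_obligation"},
    {"field": "paper_form_comment", "value": "Prefers post",
     "source": "principal", "automated": False, "lawful_basis": "consent"},
    {"field": "credit_score", "value": "B",
     "source": "third_party", "automated": True, "lawful_basis": "legitimate_interest"},
    {"field": "risk_score", "value": "low",
     "source": "controller", "automated": True, "lawful_basis": "legitimate_interest"},
]

PORTABILITY_BASES = {"consent", "contract"}


def access_copy(records):
    """Article 15(3): every item of PII processed about the principal, whatever its origin."""
    return [{"field": r["field"], "value": r["value"], "lawful_basis": r["lawful_basis"]}
            for r in records]


def portability_reason_excluded(r):
    """Return None if the record is portable under Article 20(1), else the reason it is not."""
    if r["source"] != "principal":
        return "not provided by the principal"
    if not r["automated"]:
        return "not processed by automated means"
    if r["lawful_basis"] not in PORTABILITY_BASES:
        return "not processed on the basis of consent or contract"
    return None


def portability_set(records):
    """Article 20(1): only the subset that passes all three portability tests."""
    return [{"field": r["field"], "value": r["value"]}
            for r in records if portability_reason_excluded(r) is None]


def portability_exclusions(records):
    """Fields left out of the portable set, with the reason, for the response letter."""
    return [(r["field"], portability_reason_excluded(r))
            for r in records if portability_reason_excluded(r) is not None]


def to_json(rows):
    return json.dumps(rows, indent=2, sort_keys=True)


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

The access copy keeps all six fields, while the portable set contains only the two that satisfy every Article 20 condition; the exclusion list records why each other field was left out.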

How does this relate to ISO 29100 privacy principles?

This control supports the Individual participation and access principle from ISO 29100. Access is not meaningful if the individual cannot obtain a usable copy of their data. The principle requires practical, effective access, and A.1.3.9 ensures that access translates into a deliverable output that the PII principal can review, verify and, where applicable, transfer to another provider.


What evidence do auditors expect?

When assessing compliance with A.1.3.9, auditors will typically look for:

  • Format documentation — Documented formats available for providing PII copies (CSV, JSON, XML, PDF) with rationale for each
  • Technical capability — Evidence that systems can extract PII into the documented formats without manual workarounds that risk errors or omissions
  • Secure delivery mechanisms — Documented procedures for securely transmitting PII copies to requesters (encrypted email, secure portal, encrypted file transfer)
  • Fee policy — Where fees are charged for additional copies, a documented and reasonable fee schedule based on administrative costs
  • Portability assessment — Documentation identifying which PII is subject to portability requirements (data provided by the individual, processed automatically, on consent or contract basis)
  • Completed request examples — Sample completed requests showing the data delivered, format used and secure delivery method

What are the related controls?

  • A.1.3.7 Access, Correction or Erasure — Establishes the right of access; A.1.3.9 specifies how to deliver the copy
  • A.1.3.10 Handling requests — Copy requests are managed within the broader request handling framework
  • A.1.3.2 Obligations to PII principals — The right to a copy and portability are among the obligations to be identified
  • A.1.3.4 Providing information to PII principals — PII principals must be informed of their right to obtain a copy of their data
  • A.1.2.9 Records related to processing PII — Processing records help identify the scope of data to include in a copy request response
  • A.3 Shared Security Controls — Secure delivery of PII copies requires appropriate technical measures

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, providing a copy of PII was covered within Clause 7.3.8 (Providing copy of PII processed). The 2025 edition gives this its own control number (A.1.3.9) with dedicated guidance in B.1.3.9. The separation from the broader access right in A.1.3.7 Access, Correction or Erasure allows for more targeted auditing of data delivery capabilities. The emphasis on structured, machine-readable formats and secure delivery remains central. See the Annex F correspondence table for the full mapping.


Why choose ISMS.online for managing PII copy and portability requests?

ISMS.online streamlines the delivery of PII copies while maintaining security and auditability:

  • Multi-format export — Generate PII copies in structured formats (CSV, JSON, PDF) from your data register, ensuring machine-readability where required
  • Secure delivery portal — Provide PII copies through a secure, time-limited download link, removing the risk of sending sensitive data via unencrypted email
  • Scope identification — Use your data mapping to quickly identify which data falls within scope for a copy request vs a portability request, ensuring accurate and complete responses
  • Request tracking — Log every copy request with the format delivered, delivery method used and confirmation of receipt, building a robust audit trail
  • Fee management — Where additional copy fees apply, track charges and provide the PII principal with a clear cost breakdown

FAQs

What is the difference between an access copy and data portability?

An access copy (GDPR Article 15) covers all personal data the controller processes about the individual, regardless of how it was obtained or the lawful basis. Data portability (Article 20) is narrower: it applies only to personal data the individual has provided, processed by automated means, on the basis of consent or contract. Portability also includes the right to transmit data directly to another controller. In practice, you may need to provide different data sets depending on which right is being exercised.


What format should you use for providing PII copies?

For access copies, any clear and readable format is acceptable, including PDF. For portability requests, the data must be in a structured, commonly used and machine-readable format. CSV and JSON are the most widely accepted options. Where possible, offer the PII principal a choice of format. The format should allow the data to be re-used or imported into another system without requiring specialist tools.


Can you charge for providing a copy of PII?

The first copy must be provided free of charge. For additional copies of the same data, you may charge a reasonable fee based on administrative costs. The fee must be proportionate and documented. You cannot use fees as a deterrent to discourage individuals from exercising their rights. If you charge a fee, you must inform the PII principal of the amount before proceeding.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
