
ISO 27701:2025 Has Been Published

The updated ISO 27701:2025 standard was released in July 2025, replacing the 2019 edition. The content on this page relates to the 2019 edition, which remains valid during the transition period until October 2028.


Understanding Clause 8.3: Obligations to PII Principals in ISO 27701

ISO 27701 clause 8.3 governs how organisations are obliged to provide information to PII principals about how their PII is being processed, and to meet a range of legal, contractual and regulatory requirements in doing so.

ISO 27701 Clause 8.3.1 – Obligations to PII principals

Purpose of Clause 8.3.1

Organisations need to ensure that customers are given adequate means to fulfil their (the organisation’s) obligations as a PII controller.

Guidance on Clause 8.3.1

Controllers’ obligations are governed by three factors:

  1. Legislation.
  2. Regulation.
  3. Contracts.

Contracts should include any information or technical operations that allow the organisation to fulfil its obligations as a controller.








Supporting GDPR Articles

Various elements of ISO 27701 Clause 8.3 are applicable within UK GDPR legislation. The table below lists the corresponding references.

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles |
|---|---|---|
| 8.3.1 | Obligations to PII Principals | Articles (15), (17), (28) |

How ISMS.online Helps

The ISMS.online platform offers integrated assistance at every stage, along with our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701, to make the process much easier. You will also benefit from a variety of time-saving features.

We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

You’ll be ready when the worst happens. We make it easy to plan and communicate your breach workflow, and document and learn from each and every incident.

Find out more by booking a demo.


Mike Jennings

Mike is the Integrated Management System (IMS) Manager here at ISMS.online. In addition to his day-to-day responsibilities of ensuring that the IMS security incident management, threat intelligence, corrective actions, risk assessments and audits are managed effectively and kept up to date, Mike is a certified lead auditor for ISO 27001 and continues to enhance his other skills in information security and privacy management standards and frameworks including Cyber Essentials, ISO 27001 and many more.
