PIMS-DOC-A1-3-4 PII Principal Request Procedure


PII Principal Request Procedure

ISO/IEC 27701 Toolkit: Version 2

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This procedure describes how the organization will meet, as a minimum, the rights of the PII principal set out in applicable privacy legislation.

Areas of the standard addressed

The following areas of the ISO27701 standard are addressed by this document:

• Annex A

o A.1.3 Obligations to PII principals

▪ A.1.3.5 Providing mechanism to modify or withdraw consent

▪ A.1.3.6 Providing mechanism to object to PII processing

▪ A.1.3.7 Access, correction and/or erasure

▪ A.1.3.8 PII controllers’ obligations to inform third parties

▪ A.1.3.9 Providing copy of PII processed

▪ A.1.3.10 Handling requests

▪ A.1.3.11 Automated decision making

General guidance

Privacy legislation provides the PII principal with a wide range of rights that may be exercised over their PII, and it is important that the organization is ready for them to ask for these rights and can meet requests in the timescales required.

The way in which the various types of request are processed in your organization will vary according to the PII involved and the ways in which it is stored and processed. This procedure is intended to provide some initial structure to your own methods and to provide guidance about how the requirements of the relevant privacy legislation will affect the way in which you choose to handle PII principal requests.

Review frequency

We would recommend that this document is reviewed at least annually.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

• Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

• Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

• Press F9 on the keyboard to update all fields.

• When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. That document also contains guidance on working with the toolkit documents on an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

PII Principal Request Procedure [Insert classification]

PII Principal Request Procedure

DOCUMENT CLASSIFICATION [Insert classification]

DOCUMENT REF PIMS-DOC-A1-3-4

VERSION 1

DATED [Insert date]

DOCUMENT AUTHOR [Insert name]

DOCUMENT OWNER [Insert name/role]

Revision history

Distribution

NAME

Approval

NAME

1 Introduction

This procedure is intended to be used when a PII principal exercises one or more of the rights they are granted under applicable privacy law.

Each of the rights involved has its own specific aspects and challenges to [Organization Name] in complying with them and doing so within the required timescales. In general, a proactive approach will be taken that places as much control over PII in the hands of the PII principal as possible, with a minimum amount of intervention or involvement required on the part of [Organization Name]. This may be achieved by providing online access to the PII so that the PII principal can verify and amend it as required.

However, in some cases there is a decision-making process to be followed by [Organization Name] regarding whether a request will be allowed or not; where this is the case, the steps involved in these decisions are explained in this document.

This procedure should be considered in conjunction with the following related documents:

• PII Principal Request Register

• Privacy Impact Assessment Process

• Records Retention and Protection Policy

• Privacy and Data Protection Policy

• Legitimate Interest Assessment Procedure

• Privacy Notice Procedure

2 PII principal request procedure overview

2.1 General points

The following general points apply to all of the requests described in this document and are based on the applicable privacy legislation:

[Note: these points are based on Article 12 of the EU GDPR]

1. Information shall be provided to the PII principal in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child

2. Information may be provided in writing, or electronically or by other appropriate means

3. The PII principal may request the information orally (for example, over the telephone or face to face), as long as the identity of the PII principal has been established

4. We must act on a request from a PII principal, unless we are unable to establish their identity

5. We must provide information without undue delay and within a maximum of one month from the receipt of the request

6. The response timescale may be extended by up to two further months for complex requests or a high volume of requests – the PII principal must be informed of this within one month of the request, and the reasons for the delay given

7. If a request is made via electronic form, the response should be via electronic means where possible, unless the PII principal requests otherwise

8. If it is decided that we will not comply with a request, we must inform the PII principal without delay and at the latest within a month, stating the reason(s) and informing the PII principal of their right to complain to the supervisory authority

9. Generally, responses to requests will be made free of charge, unless they are “manifestly unfounded or excessive” (GDPR Article 12), in which case we will either charge a reasonable fee or refuse to action the request

10. If there is doubt about a PII principal’s identity, we may request further information to establish it

Please refer to the exact text of the applicable privacy legislation if clarification of any of the above is required.

The procedure for responding to requests from PII principals is shown diagrammatically in Figure 1 and expanded on in the following sections. The specifics of each step in the procedure will vary according to the type of request involved – refer to the relevant section of this procedure for more detail. The following forms may be used in conjunction with this procedure:

• PII Principal Request Form

• PII Principal Request Rejection

• PII Principal Request Charge

• PII Principal Request Time Extension

2.2 Procedure flowchart

Figure 1: PII principal request procedure

3 PII principal request procedure steps

The steps depicted in the flowchart in Figure 1 are expanded upon in this section and further under the section addressing each specific type of request.

3.1 PII principal request received

The PII principal may submit a request via a number of methods, including electronically (via email, our website or via a social media channel), by letter or on the telephone. Requests may be received by any part of the organization but should ideally be channelled through customer services. A PII Principal Request Form is available for this purpose, but this does not have to be used for the request to be valid, and there is no specific form of words that has to be used by the PII principal.

A request may also be submitted on another person’s behalf, as long as they have been given authority to do so, and evidence of this must be provided. Care must be taken when accepting a request from a child, but this is permitted if they appear mature enough to understand the process. Otherwise, the child may authorise a parent, guardian, or someone else they choose, to act on their behalf.

3.2 Log PII principal request

The fact that the request has been received is logged in the PII Principal Request Register, a unique reference assigned, and the date of the request recorded. The information to be recorded will depend upon the nature of the request (for example, access to information, consent withdrawal) and a check must be made that all of the information required to be able to comply with the specific type of request is provided and captured (for example the processing for which consent is being withdrawn).

3.3 Confirm identity of PII principal

The identity of the PII principal must be confirmed via an approved method. More information may be requested to confirm identity if required, and the allowed timescale for responding to a request does not start until the identity of the requester has been satisfactorily established.

If the identity of the PII principal cannot be confirmed, the request is rejected and the reason for this communicated to the PII principal, along with further information about their right to complain to the relevant supervisory authority.

3.4 Evaluate validity of request

The test of whether the request is “manifestly unfounded or excessive” must be applied. In general terms, a request may be considered manifestly unfounded if it appears malicious in its intention, for example to cause disruption or harm to an individual or the organization, or if there is no genuine desire on the part of the PII principal to exercise their rights. A manifestly excessive request is one which may be clearly judged to be unreasonable in the context of the request and the relationship between the organization and the PII principal, for example if it is a repeat of a recently submitted request for very similar information, or if the resources required to fulfil the request are excessive.

In those circumstances where a request is judged to meet these criteria, it must be escalated to management for review and, if confirmed, the reasons for classifying the request as such clearly recorded in the PII Principal Request Register.

In the case of requests for rectification, erasure, restriction of, or objection to, processing, a decision is also taken about whether the request is reasonable and lawful. If not, the request is rejected, and the PII principal informed of the decision and their right to complain to the supervisory authority.

[Note – under the UK Data (Use and Access) Act 2025 the time limit on requests may be paused in order to ask for clarification from the requester].

3.5 Charge for request

For requests that are identified as manifestly unfounded or excessive, a decision must be taken whether to reject the request outright or to apply a charge to it. The charge must be paid by the PII principal if they still want the request to be processed. For example, the EU GDPR allows the organization to “charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested” (GDPR Article 12 (5a)). In this event, the method of calculation of the fee will be documented.

If a charge is applied, the PII principal is informed of the charge and has an opportunity to decide whether to proceed. If the PII principal decides not to proceed, the request is rejected, and the reasons communicated.

3.6 Compile requested information

The relevant information is compiled according to the type of request. The organization must make reasonable and proportionate efforts to comply with the request, but there may be a limit to the amount of resource that it is fair to apply to it. This step may involve planning how the requested action, for example, erasure or restriction of processing, will be achieved.

In the event that some or all of the requested information involves other identifiable individuals, then their consent may be required in order for it to be disclosed. If this is not available, a balanced decision must be taken regarding whether it is reasonable to disclose the information without their consent. It may be decided to provide some, but not all of the requested information in some circumstances. Techniques such as redaction may also be used where appropriate to remove information about other identifiable individuals.

A maximum of one month is permitted to comply; if the request will take longer than that, then a maximum of two further months are allowed and the PII principal must be informed of the delay and the reasons for it within one month of the request being submitted. Time extensions and the reasons for them must be recorded in the PII Principal Request Register.

3.7 Take requested action/provide requested information

The requested action is carried out (see the following sections of this document for details) or, for access requests, the information requested is provided to the PII principal, and they are informed of the completion of the request.

3.8 Close PII principal request

The fact that the request has been completed is logged in the PII Principal Request Register, together with the date of closure.
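As an added illustration of steps 3.1 to 3.8 (this code is not part of the CertiKit template or the procedure it describes), the following Python sketch models one entry in a PII Principal Request Register together with the timescale rules from section 2.1: the response clock starts once identity has been confirmed, one month is allowed to respond, an extension of up to two further months must be notified within that first month, and a request is rejected (with the PII principal told of their right to complain to the supervisory authority) when identity cannot be established, when it is confirmed as manifestly unfounded or excessive and no fee is offered, or when the PII principal declines to pay the fee. The class and field names, the status names, the reference format and the calendar-month arithmetic are assumptions of this example, not requirements of the procedure.

```python
"""Added example: a minimal PII principal request register with Article 12 timescales."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


def add_months(d: date, months: int) -> date:
    # Assumption: "one month" is calendar-month arithmetic, clamped to the
    # last day of the target month (e.g. 31 Jan + 1 month -> 28 Feb).
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


class Status(str, Enum):  # status names are invented for this example
    RECEIVED = "received"
    IDENTITY_CONFIRMED = "identity confirmed"
    AWAITING_FEE = "awaiting fee decision"
    IN_PROGRESS = "in progress"
    COMPLETED = "completed"
    REJECTED = "rejected"


@dataclass
class RequestRecord:
    reference: str
    request_type: str            # e.g. access, erasure, consent withdrawal
    received: date               # step 3.2: date of request recorded
    status: Status = Status.RECEIVED
    clock_start: Optional[date] = None   # step 3.3: set when identity is confirmed
    extended_by_months: int = 0          # step 3.6: up to two further months
    closed: Optional[date] = None        # step 3.8: date of closure
    log: list = field(default_factory=list)

    def note(self, on: date, text: str) -> None:
        self.log.append((on.isoformat(), text))

    def deadline(self) -> Optional[date]:
        if self.clock_start is None:
            return None
        return add_months(self.clock_start, 1 + self.extended_by_months)


class Register:
    def __init__(self) -> None:
        self.records: dict[str, RequestRecord] = {}
        self._seq = 0

    def log_request(self, request_type: str, received: date) -> RequestRecord:
        self._seq += 1
        ref = f"PRR-{received.year}-{self._seq:04d}"   # constructed reference format
        rec = RequestRecord(ref, request_type, received)
        rec.note(received, "request received and logged")
        self.records[ref] = rec
        return rec


def reject(rec: RequestRecord, on: date, reason: str) -> None:
    rec.status, rec.closed = Status.REJECTED, on
    rec.note(on, f"rejected: {reason}; PII principal informed of the reason "
                 "and of their right to complain to the supervisory authority")


def confirm_identity(rec: RequestRecord, on: date, established: bool) -> None:
    if not established:
        reject(rec, on, "identity of the PII principal could not be established")
        return
    rec.clock_start = on      # the allowed timescale only starts now (section 3.3)
    rec.status = Status.IDENTITY_CONFIRMED
    rec.note(on, f"identity confirmed; response due by {rec.deadline()}")


def evaluate_validity(rec: RequestRecord, on: date,
                      unfounded_or_excessive: bool, apply_charge: bool) -> None:
    if rec.status is not Status.IDENTITY_CONFIRMED:
        raise ValueError("validity is evaluated only after identity is confirmed")
    if not unfounded_or_excessive:
        rec.status = Status.IN_PROGRESS
        rec.note(on, "request accepted; compilation started")
    elif apply_charge:        # section 3.5: reasonable fee offered instead of rejection
        rec.status = Status.AWAITING_FEE
        rec.note(on, "manifestly unfounded/excessive confirmed by management; fee notified")
    else:
        reject(rec, on, "manifestly unfounded or excessive (confirmed by management)")


def fee_decision(rec: RequestRecord, on: date, proceed: bool) -> None:
    if rec.status is not Status.AWAITING_FEE:
        raise ValueError("no fee decision is pending")
    if proceed:
        rec.status = Status.IN_PROGRESS
        rec.note(on, "fee paid; request proceeds")
    else:
        reject(rec, on, "PII principal declined to proceed after being informed of the fee")


def extend(rec: RequestRecord, on: date, months: int, reason: str) -> None:
    if rec.status is not Status.IN_PROGRESS:
        raise ValueError("only live requests can be extended")
    if on > add_months(rec.clock_start, 1):   # must be notified within the first month
        raise ValueError("extension must be notified within one month of the request")
    if rec.extended_by_months + months > 2:
        raise ValueError("total extension cannot exceed two further months")
    rec.extended_by_months += months
    rec.note(on, f"extended by {months} month(s): {reason}; new deadline {rec.deadline()}")


def complete(rec: RequestRecord, on: date) -> bool:
    """Step 3.7/3.8: close the request; returns True if closed within the allowed time."""
    if rec.status is not Status.IN_PROGRESS:
        raise ValueError("only live requests can be completed")
    rec.status, rec.closed = Status.COMPLETED, on
    rec.note(on, "requested action taken / information provided; request closed")
    return on <= rec.deadline()


def demo() -> dict:
    """Worked scenario on constructed dates; returns the values worth checking."""
    reg = Register()
    a = reg.log_request("access", date(2025, 1, 15))
    confirm_identity(a, date(2025, 1, 20), established=True)
    first_deadline = a.deadline().isoformat()
    evaluate_validity(a, date(2025, 1, 21), unfounded_or_excessive=False, apply_charge=False)
    extend(a, date(2025, 2, 10), 2, "high volume of requests")
    a_on_time = complete(a, date(2025, 4, 15))

    b = reg.log_request("erasure", date(2025, 1, 31))
    confirm_identity(b, date(2025, 1, 31), established=True)
    evaluate_validity(b, date(2025, 2, 3), unfounded_or_excessive=False, apply_charge=False)
    try:
        extend(b, date(2025, 3, 1), 1, "late")      # after the one-month notification window
        late_extension_refused = False
    except ValueError:
        late_extension_refused = True

    c = reg.log_request("access", date(2025, 2, 1))
    confirm_identity(c, date(2025, 2, 2), established=False)

    return {"a_first_deadline": first_deadline, "a_final_deadline": a.deadline().isoformat(),
            "a_on_time": a_on_time, "b_deadline": b.deadline().isoformat(),
            "b_late_extension_refused": late_extension_refused,
            "c_status": c.status.value, "c_clock_started": c.clock_start is not None}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is that two clocks matter: the response deadline, which moves when an extension is granted, and the one-month window in which an extension may still be notified, which never moves. Keeping both in the register entry is what lets a reviewer see later whether an extension was granted lawfully.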

4 Types of PII principal requests

4.1 The right to withdraw consent

The PII principal has the right to withdraw consent where the basis for processing of their PII is that of consent (that is, the processing is not based on a different justification allowed by the applicable privacy legislation such as contractual or legal obligation).

Before excluding the PII principal’s PII from processing, it must be confirmed that consent is indeed the basis of the processing. If not, then the request may be rejected on the grounds that the processing does not require the PII principal’s consent. Otherwise, the request should be allowed.

In many cases, the giving and withdrawal of consent will be available electronically, that is, online, and a manual procedure will not be required.

Where consent involves a child (the definition of a child may be stated by a combination of applicable privacy legislation and in some cases local variations) the giving or withdrawal of consent must be authorised by the holder of parental responsibility over the child.

4.2 The right to be informed

At the point where PII is collected from the PII principal or obtained from another source, there is a requirement to inform the PII principal about our use of that data and their rights over it. Compliance with this right is addressed in a separate document, Privacy Notice Procedure, which describes the information that must be provided and sets out how and when this must be achieved.

4.3 The right of access

A PII principal has the right to ask [Organization Name] whether we process data about them, to have access to that data and in addition the following information:

1. The purposes of the processing

2. The categories of the PII concerned

3. The recipients, or categories of recipients, of the data, if any, in particular any third countries or international organizations

4. The length of time that the PII will be stored for (or the criteria used to determine that period)

5. The PII principal’s rights to rectification or erasure of their PII and restriction of, or objection to, its processing

6. The PII principal’s right to lodge a complaint with a supervisory authority

7. Information about the source of the data, if not directly from the PII principal

8. Whether the PII will be subject to automated processing, including profiling and, if so, the logic and potential consequences involved

9. Where the data are transferred to a third country or international organization, information about the safeguards that apply

In most cases, the decision-making process for such requests will be straightforward unless it is judged that the request is manifestly unfounded or excessive. The compilation of the information is likely to require the input of the data owner.

4.4 The right to rectification

Where PII is inaccurate, the PII principal has the right to request that it be corrected, and incomplete PII completed based on information they may provide.

Where necessary, [Organization Name] will take steps to validate the information provided by the PII principal to ensure that it is accurate before amending it.

4.5 The right to erasure

Also known as “the right to be forgotten”, the PII principal has the right to require [Organization Name] to erase PII about them without undue delay where one of the following applies:

• The PII is no longer necessary for the purpose for which it was collected

• The PII principal withdraws consent and there is no other legal ground for processing

• The PII principal objects to the processing of the PII

• The PII has been unlawfully processed

• For compliance reasons, that is, to meet the legal obligations of [Organization Name]

• Where the PII was relevant to the PII principal as a child

Reasonable efforts must be made to ensure erasure where the PII has been made public.

[Organization Name] will need to decide on each case of such requests as to whether the request can or should be declined for one of the following reasons:

• Right of freedom of expression and information

• Compliance with a legal obligation

• Public interest in the area of public health

• To protect archiving purposes in the public interest

• The PII is relevant to a legal claim

It is likely that such decisions will require the involvement of the [Organization Name] Data Protection Officer (if appointed) and in some cases senior management.

4.6 The right to restrict processing

The PII principal can exercise the right to a restriction of processing of their PII in one of the following circumstances:

• Where the PII principal contests the accuracy of the data, until we have been able to verify its accuracy

• As an alternative to erasure in the circumstances that the processing is unlawful

• Where the PII principal needs the data for legal claims, but it is no longer required by us

• Whilst a decision on an objection to processing is pending

[Organization Name] will need to decide on each case of such requests as to whether the request should be allowed. It is likely that such decisions will require the involvement of the [Organization Name] Data Protection Officer and in some cases senior management.

Where a restriction of processing is in place, the data may be stored but not processed without the PII principal’s consent, unless for legal reasons (in which case the PII principal must be informed). Other organizations who may process the data on our behalf must also be informed of the restriction.

4.7 The right to data portability

The PII principal has the right to request that their PII be provided to them in a structured, commonly used and machine-readable format and to transfer that data to another party, for example, an alternative service provider. This applies to PII for which processing is based on the PII principal’s consent and the processing carried out by automated means.

Where feasible, the PII principal can also request that the PII be transferred directly from our systems to those of another provider.

For services that come under this category, little decision-making is required for each case, and it is highly desirable that this process is automated in its execution.

4.8 The right to object

The PII principal has the right to object to processing that is based on the following legal justifications:

• For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

• For the purposes of the legitimate interests of the controller

Once an objection has been made, [Organization Name] must justify the grounds on which the processing is based and suspend processing until this is done. Where the PII is used for direct marketing, the objection cannot be refused and processing of the data for that purpose must stop.

4.9 Rights in relation to automated decision making and profiling

The PII principal has the right to not be the subject of automated decision-making where the decision has a significant effect on them and can insist on human intervention where appropriate. The PII principal also has the right to express their point of view and contest decisions.

There are exceptions to this right, which are if the decision:

• Is necessary for a contract

• Is authorised by law

• Is based on the PII principal’s explicit consent

In assessing these types of request, a judgement needs to be made about whether the above exceptions apply in the case in question.

4.10 The right to complain (UK only)

In the UK, under the Data (Use and Access) Act 2025, the PII principal has the right to complain if they think the organization is using their PII in a way that does not comply with the law. The organization has an obligation to provide an electronic method of submitting such complaints, and they must be acknowledged within 30 days. This is the subject of a separate procedure.

4.11 Summary of PII principal rights by lawful basis of processing

The following table shows which rights of the PII principal are relevant to each basis of lawful processing. It should be used as a general guide only, as the specific circumstances may affect the validity of the request.

[Note: the EU GDPR has been used as the basis for this table]

[Table 1 is not reproduced in this extract; only its headers survive: rows are headed “Right of the PII principal” and columns “Basis of lawful processing” (including consent).]

Table 1: Applicable rights based on lawful basis of processing

Note: All the above assume that:

1. the PII is being lawfully processed

2. the PII is necessary in relation to the purposes for which it was collected or otherwise processed

If this is not the case, then further investigation must be made regarding the validity of the request.
