ISO 27701:2019 · Annex B
PII processor controls
If you process personal data on behalf of your customers, you are a PII processor. ISO 27701 Annex B adds the privacy controls for that role — built around acting only on documented instructions.
The defining principle is processing only on documented instructions — never for your own purposes.
ISO/IEC 27701:2019 Annex B · PII processors · Last reviewed June 2026
Direct Answer
What are the processor controls?
A PII processor handles personal data on a controller’s behalf and does not decide the purpose of processing. ISO 27701 Annex B adds the privacy controls specific to that role, grouped under four themes — all anchored in acting on the controller’s documented instructions, managing sub-processors, and returning or disposing of PII when the engagement ends.
The four themes
Annex B control themes
Conditions for collection and processing
Process PII strictly within the bounds the controller has set.
- Process PII only on the customer’s documented instructions
- Do not use PII for your own purposes such as marketing
- Flag any instruction that may infringe applicable law
- Keep records that support the controller’s obligations
Obligations to PII principals
Help the controller meet its duties to individuals.
- Assist the controller in meeting its obligations to PII principals
- Pass on access, correction, and erasure requests appropriately
- Support the controller’s response within agreed timelines
Privacy by design and by default
Protect PII through its lifecycle in your environment.
- Control temporary files and intermediate copies of PII
- Return, transfer, or securely dispose of PII as agreed
- Protect PII in transit with appropriate transmission controls
PII sharing, transfer, and disclosure
Govern onward transfer and the engagement of sub-processors.
- Establish the basis for transferring PII between jurisdictions
- Record disclosures and the jurisdictions PII may be disclosed to
- Handle legally binding requests for disclosure correctly
- Engage sub-processors only with the controller's authorisation and notify the controller of changes
Frequently Asked Questions
Common questions about the ISO 27701 processor controls.
Who needs the ISO 27701 processor controls?
Any organisation that processes personally identifiable information on behalf of another party — a SaaS vendor, a BPO, a managed-service or offshore development provider. These are the PII processor controls in Annex B. If you also decide why data is processed, you apply the Annex A controller controls too.
What is the core principle for a PII processor?
Acting only on the controller’s documented instructions. A processor does not decide the purpose of processing and must not use PII for its own ends — Annex B builds the records, contracts, and sub-processor controls that make that demonstrable.
How does this help us win enterprise customers?
Enterprise buyers increasingly require privacy assurance from their vendors. An ISO 27701 certificate covering the processor controls answers most of the privacy section of a vendor security review with independent evidence rather than a questionnaire.
Continue your ISO 27701 research
- ISO 27701 controller controls (Annex A) — the controls for organisations that decide why and how PII is processed.
- ISO 27701 certification process — the path from gap analysis to the Stage 1 and Stage 2 audits.
- ISO 27701 hub — PIMS overview, controls, and certification in one place.