(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 5(1)(a) GDPR:
7.2.2 Identify lawful basis
Control
The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.
Implementation guidance
Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.
The legal basis for the processing of PII can include:
— consent from PII principals;
— performance of a contract;
— compliance with a legal obligation;
— protection of the vital interests of PII principals;
— performance of a task carried out in the public interest;
— legitimate interests of the PII controller.
The organization should document this basis for each PII processing activity (see 7.2.8).
The legitimate interests of the organization can include, for instance, information security objectives, which should be balanced against the obligations to PII principals with regards to privacy protection.
Whenever special categories of PII are defined, either by the nature of the PII (e.g. health information) or by the PII principals concerned (e.g. PII relating to children) the organization should include those categories of PII in its classification schemes.
The classification of PII that falls into these categories can vary from one jurisdiction to another and can vary between different regulatory regimes that apply to different kinds of business, so the organization needs to be aware of the classification(s) that apply to the PII processing being performed.
The use of special categories of PII can also be subject to more stringent controls.
Changing or extending the purposes for the processing of PII can require updating and/or revision of the legal basis. It can also require additional consent to be obtained from the PII principal.
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 5(1)(a) GDPR:
8.2.2 Organization’s purposes
Control
The organization should ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer.
Implementation guidance
The contract between the organization and the customer should include, but not be limited to, the objective and time frame to be achieved by the service.
In order to achieve the customer’s purpose, there can be technical reasons why it is appropriate for the organization to determine the method for processing PII, consistent with the general instructions of the customer but without the customer’s express instruction. For example, in order to efficiently utilize network or processing capacity it can be necessary to allocate specific processing resources depending on certain characteristics of the PII principal.
The organization should allow the customer to verify their compliance with the purpose specification and limitation principles. This also ensures that no PII is processed by the organization or any of its subcontractors for other purposes than those expressed in the documented instructions of the customer.
(EN) EDPB, Guidelines 8/2020 on the targeting of social media users (2020).
(EN) Example of lawful processing:
Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).
(EN) Example of transparency measures:
Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).
(EN) Examples of fairness considerations:
Example 1
Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).