PII Controller vs. PII Processor in ISO/IEC 27701
Organizations rely heavily on personal data to deliver services, and privacy has become a key aspect of modern operations. Regulatory frameworks like the GDPR have raised expectations globally — but beyond legal compliance, many organizations look for a structured, auditable framework for privacy accountability.
Enter ISO/IEC 27701, the international standard for privacy information management. It helps organizations develop and implement a Privacy Information Management System (PIMS) and clarifies the two possible roles an organization may have in relation to a specific PII processing activity: PII controller or PII processor.
Understanding the difference between these roles is essential — not just for compliance but for designing processes that respect privacy and distribute responsibilities appropriately.
PII Controller vs. PII Processor — What’s the difference?
PII Controller: the decision maker
A PII controller is the entity that determines why and how personal data is processed.
Think of the controller as the architect of the processing activity — setting the purpose, deciding the means, and defining the rules under which PII is used.
ISO/IEC 27701 expects a controller to:
- Identify and document the purpose of processing
- Determine the lawful basis for processing
- Inform individuals about the processing of their PII
- Support rights such as access, correction, objection, erasure, or consent withdrawal
- Define retention periods and ensure secure disposal
- Select, instruct, and oversee PII processors
- Maintain records of processing, disclosures and transfers
- Apply privacy-by-design and privacy-by-default principles
Example of a PII controller
A health clinic that collects patient information for diagnosis and treatment is a PII controller. It decides why the data is collected (healthcare services), how it is processed (electronic medical records), and who may access it (clinic staff).
Even if the clinic uses an external cloud provider to store records, it remains the controller because it determines the purpose and the means.
PII Processor: the service provider
A PII processor is an entity that processes personal data on behalf of a PII controller.
Processors do not decide the purpose of processing — they operate strictly according to the controller’s documented instructions.
ISO/IEC 27701 expects a processor to:
- Follow the controller’s instructions
- Implement privacy controls specified in contracts
- Assist the controller in responding to PII principal requests
- Support breach notifications
- Protect PII during processing
- Maintain records of processing and disclosures
- Inform the controller if instructions conflict with privacy requirements
Example of a PII processor
A payroll provider that receives employee data from a client company acts as a processor. It processes salaries and tax calculations only as instructed and cannot use employee data for unrelated purposes such as marketing or analytics.
When an organization is both controller and processor
An organization can be both controller and processor, but not for the same PII processing activity.
Example
A cloud software provider acts as PII processor for customer-uploaded data and as PII controller for data related to its own employees or marketing.
This is normal. Every organization that has employees is a controller for at least that internal processing activity.
However, within ISO/IEC 27701, the organization must identify its role — controller or processor — for each processing activity included in the scope of the PIMS.
Real-world scenarios
Here are some quick examples that help distinguish the two roles of PII controller and PII processor.
Online retailer + cloud hosting provider
- Retailer determines what customer data is collected → Controller
- Cloud provider stores the data based on instructions → Processor
Hospital + external imaging analysis service
- Hospital determines purpose of processing → Controller
- Imaging service analyses scans on behalf of hospital → Processor
Marketing agency analyzing customer data for a client
- If the agency follows the client’s instructions → Processor
- If the agency decides which data to collect and for what purpose → Controller
Final Thoughts
Understanding the difference between a PII controller and a PII processor is fundamental for any organization that handles personal data and wants to implement a Privacy Information Management System according to ISO/IEC 27701.
This standard includes specific privacy controls for processors and controllers as well as information security controls that must be implemented by all organizations regardless of their role.
To demonstrate compliance with ISO/IEC 27701, an organization can apply for certification. It must undergo an audit conducted by competent auditors, and if the results of this audit are positive, the Privacy Information Management System can be certified for compliance with ISO/IEC 27701.
Whether you are a SaaS provider, a global enterprise, a data-service company, or a public institution, implementing a PIMS is a way of proving that personal data is managed responsibly and in accordance with the relevant privacy legislation.
Interested in learning more about ISO/IEC 27701 and the framework for privacy information management proposed by the standard? Our online course will provide you with a comprehensive presentation of the subject.