Questions & Answers
What is a PII controller?
According to ISO/IEC 29100:2011, clause 2.10, a PII controller is a "privacy stakeholder that determines the purposes and means for processing PII." The EU's GDPR, Article 4(7), defines the same role as the "controller." This entity holds the ultimate decision-making authority over why (the purposes) and how (the means) personal data is collected and used. It is distinct from a PII processor, which processes PII only on the controller's behalf and under its instructions; a vendor that starts deciding on its own what data to collect or what to use it for has become a controller, with the corresponding obligations.
Why should Taiwanese companies pay attention to this?
Taiwanese companies face pressure on two fronts. Domestically, Taiwan's Personal Data Protection Act (PDPA) has been amended with significantly higher fines, up to NT$15 million for severe violations, and an independent supervisory authority, the Personal Data Protection Commission, is being established. Internationally, the EU's GDPR applies to any organisation that offers goods or services to, or monitors the behaviour of, people in the EU regardless of where it is based, and non-compliance can lead to fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. Furthermore, customers in global supply chains (e.g. semiconductor, automotive) increasingly require suppliers to demonstrate a compliant Privacy Information Management System (PIMS), often through audit or certification against ISO/IEC 27701, in order to manage their own third-party risk.
Which ISO standards or international regulations are directly related?
The role is addressed directly by ISO/IEC 27701 (Privacy Information Management System), an extension to ISO/IEC 27001 and ISO/IEC 27002. Clause 7 gives additional guidance for PII controllers, covering conditions for collection and processing, obligations to PII principals, privacy by design and by default, and PII sharing, transfer and disclosure; clause 8 covers PII processors, so an organisation acting in both roles must implement both sets of controls. The role is also central to the EU GDPR (Article 24, "Responsibility of the controller"), and Annex D of ISO/IEC 27701 maps the standard's controls to GDPR articles, which is useful evidence when a customer or auditor asks how the PIMS supports GDPR compliance. Japan's APPI and California's CCPA/CPRA regulate substantially the same role under their own terms ("business operator handling personal information" and "business" respectively), so a Taiwanese supplier should check which term applies to it under each law rather than assume "controller" maps one-to-one.
Why choose Winners Consulting?
Winners Science Research is Taiwan's first consultancy to integrate ERM, industrial engineering, tech law, and data science. We don't just implement ISO 27701; leveraging our founder's preventive law background and experience with industry leaders like TSMC and MediaTek, we transform compliance requirements into process optimizations. Our interdisciplinary team ensures your PIMS seamlessly integrates with corporate governance and internal controls, preventing redundant systems and building true risk prevention and operational resilience.