Questions & Answers
What is a PII processor?
A PII processor is an entity that processes Personally Identifiable Information (PII) on behalf of a PII controller. According to the definition in ISO/IEC 29100:2011, processing includes activities like storage, retrieval, or destruction. The processor does not determine the purpose and means of processing but acts on the controller's instructions. Common examples include cloud storage providers, marketing data analytics firms, or HR system vendors.
Why should Taiwanese companies be concerned?
Under Taiwan's Personal Data Protection Act (PDPA), if a company (PII controller) outsources PII processing and fails to properly supervise the contractor (PII processor), resulting in a data breach, it can face fines of up to NT$15 million for severe violations and is jointly liable for damages to the individuals affected. Additionally, international regulations like the EU's GDPR impose strict responsibilities on supply chain data processing, affecting Taiwanese companies engaged in global business.
Which ISO standards or international regulations are directly related?
Key related standards include: 1) ISO/IEC 27701 (Privacy Information Management System): Clause 8 and Annex B detail the specific obligations and controls for PII processors. 2) EU GDPR: Article 28 explicitly sets out the contractual requirements and legal responsibilities between controllers and processors. 3) ISO/IEC 29100 (Privacy framework): This standard provides a general framework for privacy protection and defines key roles such as the PII processor.
Why choose Winners Consulting?
Winners Science Research is Taiwan's pioneering consultancy integrating ERM, industrial engineering, technology law, and data science. We don't just help you implement certifications like ISO 27701; we leverage our experience with industry leaders like TSMC and MediaTek to seamlessly integrate your PIMS with existing corporate governance and internal controls. Our interdisciplinary team, including a founder with a preventive law background, lawyers, and ISO lead auditors, ensures both legal compliance and operational efficiency, creating a truly effective PII protection system without redundant processes.