How does ISO/IEC 27701 relate to GDPR?

GDPR sets binding legal obligations on EU controllers and processors; ISO/IEC 27701 is a voluntary management-system standard that gives organisations a structured way to operate against those obligations. ISO 27701 is not GDPR certification — only a supervisory authority can approve a GDPR certification scheme under Article 42 — but a certified PIMS demonstrates that the organisation runs a privacy management system that addresses the substance of GDPR. Annex D of ISO/IEC 27701 provides a clause-to-Article mapping.

What does Annex D of ISO/IEC 27701 contain?

Annex D is an informative mapping from ISO/IEC 27701 clauses and Annex A / Annex B controls to the corresponding GDPR Articles. It is informative (not normative) — auditors do not certify against it — but it is the canonical reference for showing how the PIMS supports specific GDPR Articles, particularly Articles 5 (principles), 6 (lawful basis), 12–22 (data subject rights), 24–28 (controller / processor obligations), 30 (RoPA), 32 (security), 33–34 (breach notification) and 35 (DPIA). The 2025 edition refreshes the mapping for current GDPR practice.

Does ISO/IEC 27701 certification satisfy GDPR?

No. GDPR is binding EU law; ISO/IEC 27701 is a voluntary standard. Article 42 GDPR provides for approved certification mechanisms (e.g. EU Data Protection Seal schemes); ISO/IEC 27701 is not one of those schemes. The PIMS gives you a management-system structure, evidence the supervisory authority can sample, and a baseline that maps to GDPR Articles via Annex D. Regulators commonly recognise an ISO 27701 certificate as evidence of due diligence, not as a substitute for GDPR compliance.

Where does the GDPR Article 35 DPIA fit inside the PIMS?

The DPIA is a GDPR obligation (Article 35) triggered when processing is likely to result in a high risk to data subjects. Inside the PIMS the DPIA outputs feed Clause 6.1.2 (privacy risk assessment) and Clause 6.1.3 (privacy risk treatment). In Modulos, DPIA records are stored as control-level evidence on ORF-264 (org-level) and on MRF-243 for the AI system at issue. The DPIA does not replace Clause 6.1.2 — the PIMS-wide risk method runs continuously; the DPIA is a triggered, processing-specific instrument inside that method.

How does evidence reuse work across ISO 27001, ISO 27701 and GDPR?

The Annex SL clauses (4–10) are shared across ISO 27001, 42001 and 27701, so document control, internal audit, management review and corrective action operate once and serve all three. Privacy-specific evidence (DPIAs, RoPA entries, breach records, supplier assessments) supports both ISO 27701 control execution and GDPR Articles 30 / 32 / 33–34 / 35 obligations. In Modulos, the same evidence file links to multiple controls and requirements across OFF-9 (ISMS), OFF-12 (PIMS) and GDPR control mappings — link once, reference many times.

When should I treat a record as PIMS evidence vs GDPR-only documentation?

Treat it as PIMS evidence whenever it supports a PIMS clause obligation (scope, role determination, risk method, control execution, audit, review). The same record can simultaneously satisfy a GDPR Article obligation — that is the integration pattern, not a separate workstream. The exception: documentation required only because a specific Article triggers (e.g., a Standard Contractual Clauses package for a transfer under Article 46) lives as GDPR-specific documentation but is referenced from the PIMS via the supplier / transfer evidence on ORF-275.

ISO/IEC 27701 and GDPR — Integration Guide for AI Governance

GDPR sets binding legal obligations on EU controllers and processors. ISO/IEC 27701 gives those obligations a management-system structure — scope, role determination, risk method, control execution, evidence, audit, review. This page covers how the PIMS operationalises GDPR work and how Modulos lets a single evidence file support both at once.

Quick decision

You need ISO 27701 to "cover" GDPR → it doesn't, and no voluntary standard can. The PIMS is a management-system layer that operationalises the substance of GDPR obligations; the binding legal obligations remain GDPR.
You need to show a regulator how the PIMS aligns with GDPR → point to Annex D (informative mapping from PIMS clauses + Annex A / Annex B controls to GDPR Articles).
You need to run a GDPR Article 35 DPIA → the DPIA is GDPR-driven; its output feeds Clause 6.1.2 / 6.1.3 in the PIMS. In Modulos store the DPIA as evidence on ORF-264 (org) and MRF-243 (AI system).
You want to reuse evidence across ISO 27001, ISO 27701 and GDPR → Annex SL Clauses 4–10 are shared; privacy evidence (DPIA, RoPA, breach records) maps to PIMS clauses and GDPR Articles simultaneously.

TL;DR

GDPR is binding law; ISO 27701 is a voluntary management-system standard. The PIMS gives GDPR a management-system structure, not a legal substitute.
Annex D is the canonical informative mapping from PIMS to GDPR Articles. Use it as the audit-trail reference, not as a compliance claim.
DPIA (Article 35) lives inside Clause 6.1.2 / 6.1.3. The DPIA is triggered, processing-specific; the PIMS risk method is continuous.
Controller / processor distinction matches GDPR Articles 4(7) / 4(8). Annex A applies to controller activities, Annex B to processor activities.
Evidence reuses across ISO 27001 + 27701 + GDPR. One file, many links. Modulos models this through control-level evidence references.

Primary source

ISO/IEC 27701:2025 — Privacy information management — Requirements and guidance, Annex D (informative GDPR mapping). Withdrawn prior edition: ISO/IEC 27701:2019. Available via the ISO Online Browsing Platform. © ISO. Regulation (EU) 2016/679 (GDPR) — binding regulation; primary source at eur-lex.europa.eu.

GDPR obligation	PIMS clause / control	What the PIMS adds
Article 5 principles	Clause 5.2 privacy policy + Clause 6.2 objectives	Documented, reviewed, communicated principles statement
Article 6 lawful basis	Clause 6.1.2 + 6.1.3 + Annex A.7.2.x	Lawful-basis determination per processing activity
Article 24 controller obligations	Annex A (controllers)	Structured controller-side control set
Article 28 processor obligations	Annex B (processors)	Structured processor-side control set; sub-processor governance
Article 30 RoPA	Clause 8.1 operational planning	RoPA entries as control-level evidence
Article 32 security of processing	Annex A.6.x / B.6.x; cross-mapped to ISO 27001 Annex A	Security controls shared with the ISMS
Articles 33–34 breach notification	Annex A.5.x / B.5.x	Breach process with timing evidence
Article 35 DPIA	Clause 6.1.2 + 6.1.3 + DPIA evidence on ORF-264 / MRF-243	DPIA outputs flow into the PIMS risk method
Articles 12–22 data-subject rights	Annex A.7.3.x	Rights-handling process with statutory-deadline evidence
Articles 44–49 transfers	Annex A.7.5.x / B.8.5.x	Cross-border transfer impact assessment + safeguards

What the PIMS does not give you: a binding legal compliance verdict. The PIMS shows that the organisation operates a privacy management system that addresses GDPR substance. Whether a specific processing activity complies with a specific GDPR Article remains a legal question, not a certification question.

Controller vs processor — same distinction, two standards

ISO 27701 and GDPR use the same controller / processor model. The standards line up:

Concept	GDPR	ISO/IEC 27701
Controller	Article 4(7)	PII controller; Annex A applies
Processor	Article 4(8)	PII processor; Annex B applies
Joint controllers	Article 26	Documented role determination per Clause 4.3
Sub-processors	Article 28(2)–(4)	Annex B + supplier governance (Clause 8.1)

Operating practice: per processing activity, determine the role and document it in the PIMS scope (ORF-258). Then apply Annex A or Annex B per activity. A single organisation typically operates both.

DPIA inside the PIMS

The Article 35 DPIA is a GDPR instrument. Inside the PIMS:

Trigger — Article 35(1) criteria (high risk to rights and freedoms), Article 35(3) examples, supervisory-authority blacklists.
Method — re-uses the Clause 6.1.2 privacy risk method; the DPIA is one instantiation of that method applied to a specific processing activity.
Output — feeds Clause 6.1.3 (risk treatment) and may require Article 36 prior consultation if residual high risk remains.
In Modulos — DPIA records stored as control-level evidence on ORF-264 (org-level method) and on MRF-243 (AI-system-level instance). Updates to the DPIA over the AI lifecycle are versioned through the same control / evidence model.

The pattern avoids the common failure mode of running DPIA work as a parallel process that the PIMS audit can't see.

Annex D — informative mapping

Annex D of ISO/IEC 27701 maps PIMS clauses and Annex A / Annex B controls to GDPR Articles. It is informative — the certification body does not certify against it — but it is the canonical reference for showing how the PIMS supports GDPR.

How to use Annex D in Modulos:

treat Annex D as the audit-trail reference between PIMS evidence and GDPR Articles
store the Annex D mapping (an internal version maintained against the ISO publication) as control-level evidence on ORF-275 (operational planning) or ORF-272 (documented information)
when supervisory-authority inquiries arrive, the Annex D mapping points the regulator directly to the PIMS evidence backing the relevant Article

Evidence reuse — one file, many references

The integration pattern that pays off across ISO 27001, ISO 27701 and GDPR:

Framework mapping

Four layers, one reusable spine.

Frameworks

EU AI ActRegulatory

ISO 42001Standard

Requirements

Art. 9.1Risk management

Art. 10.2Data governance

6.1.1Risk assessment

Components

Risk identification

Impact analysis

Evidence

Risk registerDocument

Test resultsArtifact

Controls

The reusable spine

One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.

Risk assessment process

Data validation checks

Reusable

Edge from any layer card crosses into the Controls spine — the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.

Mechanics in Modulos:

Create one privacy artefact (DPIA, RoPA entry, breach record, vendor DPA, transfer-impact assessment).
Link it as evidence to each relevant requirement on each relevant template (OFF-9 ISMS, OFF-12 PIMS, GDPR control mappings).
Each linked controls keeps its own approvals and residual-risk decisions, so the auditor or supervisory authority can follow the thread from artefact to obligation to decision.

Evidence linking

One evidence file, attached to component-level claims, reused across two controls.

Evidence

model_validation.pdfUploaded 2025-12-15

Reusable

Control components

CTRL-001 group

Component A

Component B

Component C

CTRL-002 group

Component D

Component E

Controls

CTRL-001Model validation

CTRL-002Data quality

1 evidence · 3 linked components · 2 controlsAttach evidence to the smallest meaningful claim — the same file then satisfies parts of every control whose components it covers.

The point is not "save effort" — it's that the same fact (the DPIA, the breach decision, the supplier assessment) should be the answer everywhere the question is asked.

Modulos requirement	GDPR / PIMS evidence
`ORF-258`	PIMS scope + controller / processor role determination linked to GDPR Articles 4(7) / 4(8) / 26
`ORF-264`	Privacy risk assessment and DPIA evidence for Article 35
`ORF-265`	Privacy risk treatment and Annex A / Annex B selection (Articles 24 / 28)
`ORF-272` / `ORF-275`	Annex D mapping, RoPA, transfer-impact assessments (Articles 30 / 44–49)
`MRF-243`	AI-system privacy risk assessment / DPIA evidence
`MRF-244`	AI-system privacy risk treatment evidence

Cross-framework mapping (preview)

ISO 27701 element	GDPR Article	Adjacent ISO
Clause 4.3 scope + role determination	Articles 4(7) / 4(8) / 26	ISO 27001 Clause 4.3 scope
Clause 6.1.2 privacy risk assessment	Article 35 DPIA (triggered)	ISO 27001 Clause 6.1.2
Annex A (controllers)	Article 24	—
Annex B (processors)	Articles 28(2)–(4)	—
Annex A.6.x / B.6.x security	Article 32	ISO 27001 Annex A (normative)
Annex A.5.x / B.5.x breach process	Articles 33–34	ISO 27001 Annex A.5.24–A.5.28
Annex A.7.5.x / B.8.5.x transfers	Articles 44–49	—
Clause 9.2 internal audit	—	ISO 27001 / 42001 Clause 9.2
Clause 9.3 management review	—	ISO 27001 / 42001 Clause 9.3

ISO 27701 overview

Hub: PIMS structure, controller / processor distinction, GDPR alignment

Annexes (controls reference)

Annex A (controllers) + Annex B (processors) + Annex D (informative GDPR mapping)

Operationalizing in Modulos

OFF-12 + MFF-13 rollout, evidence reuse, IMS integration

GDPR overview

Key GDPR principles and how they intersect with AI systems

Source attribution

ISO/IEC 27701:2025 — Privacy information management — Requirements and guidance, Annex D (informative mapping to GDPR Articles). © ISO/IEC. Available via the ISO Online Browsing Platform. Regulation (EU) 2016/679 (GDPR) — Articles 4, 5, 6, 24, 28, 30, 32, 33, 34, 35, 44–49. Primary source: eur-lex.europa.eu.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.

Comparison

EU AI Act

Commission guidance

ISO Standards

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

NIST AI RMF

GDPR (EU)

NIS2 (EU)

DORA (EU)

OWASP for AI Security

UAE AI Ethics

MAS FEAT

Microsoft Supplier DPR

Commission guidance

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

ISO/IEC 27701 and GDPR — integration guide ​

Quick decision ​

TL;DR ​

What the PIMS gives a GDPR programme ​

Controller vs processor — same distinction, two standards ​

DPIA inside the PIMS ​

Annex D — informative mapping ​

Evidence reuse — one file, many references ​

How to operationalise GDPR integration in Modulos ​

Cross-framework mapping (preview) ​

Related pages ​

Source attribution ​

ISO/IEC 27701 and GDPR — integration guide