# ISO 27701 Privacy Policy Generator

> Generate a comprehensive privacy policy/notice aligned to ISO 27701 Clause 6 controller obligations. Uses the PII inventory and controller controls as inputs to produce a legally grounded, auditable privacy policy covering all 14 mandatory topics, plus a condensed privacy notice for user-facing communication.



Tags: ISO 27701, Privacy, Privacy Policy, Clause 6, Controller, Compliance, GDPR, LGPD, CCPA, CPRA


## Example Prompts

- Generate our privacy policy aligned to ISO 27701
- Create a privacy notice from our PII inventory
- Validate our privacy policy against Clause 6 requirements

URL: https://rakenne.app/skills/iso27701-privacy-policy-generator/index.md

Try this skill: https://rakenne.app/a/?skill=iso27701-privacy-policy-generator


## Overview

Generate a comprehensive privacy policy and condensed privacy notice aligned to ISO 27701 Clause 6 controller obligations. This skill uses your PII inventory and controller controls register as inputs to produce a legally-grounded, auditable privacy policy covering all 14 mandatory topics required by Clause 6, plus a condensed privacy notice summary suitable for website banners, app notices, and user-facing communication. The privacy policy is the primary transparency instrument auditors verify against Clause 6.3.1 — this skill ensures every required topic contains specific, organization-relevant content rather than generic boilerplate.

### What It Covers

- **Controller Identity and Contact** — Organization name, address, DPO contact details (Clause 6.3.1)
- **Purposes and Legal Basis** — Mapping each processing activity to its purpose and lawful basis (Clause 6.3.1)
- **Data Categories and Recipients** — What personal data is collected, who receives it, and third-party sharing (Clause 6.3.1 / 6.5.3)
- **International Transfers** — Cross-border transfer mechanisms and safeguards (Clause 6.5.2)
- **Data Subject Rights** — Access, rectification, erasure, portability, objection, restriction, and complaint mechanisms (Clauses 6.7, 6.8)
- **Consent and Automated Decisions** — Consent collection and withdrawal mechanisms, profiling disclosures (Clauses 6.2.3, 6.2.4, 6.9.1)
- **Privacy Notice Summary** — Condensed user-facing version cross-checked for consistency against the full policy

## Example Conversation

> **You:** We need to generate a privacy policy for MedSecure Health Technologies. We're a 200-employee SaaS health data platform. For our controller activities, we operate a patient engagement portal where individuals sign up directly. We also have a marketing website with cookie consent and a job application portal. We're subject to GDPR, LGPD, and need to cover all 14 Clause 6 topics.
>
> **Agent:** I'll generate a comprehensive privacy policy for MedSecure's controller activities. Let me start by loading your PII inventory and controller controls register to map each processing activity to the 14 Clause 6 topics.
>
> From your PII inventory, I can see the following controller processing activities:
>
> 1. **Patient engagement portal** — Health data, contact details, account credentials (Legal basis: Consent)
> 2. **Marketing website** — Cookies, analytics, contact form submissions (Legal basis: Consent / Legitimate interest)
> 3. **Job application portal** — CVs, employment history, references (Legal basis: Pre-contractual measures)
> 4. **Customer relationship management** — Business contact details for hospital client contacts (Legal basis: Legitimate interest)
>
> I'll now draft the privacy policy. For Section 5 on international transfers — your PII inventory shows data transfers to AWS (Ireland), Twilio (US), and CloudBR (Brazil). What transfer mechanisms are in place?
>
> **You:** We use Standard Contractual Clauses for Twilio in the US. AWS Ireland is within the EEA. For CloudBR, since Brazilian hospitals' data stays in Brazil, there is no outbound transfer from Brazil — but EU patient engagement portal data does not go to Brazil. We also use Google Analytics with IP anonymization enabled.
>
> **Agent:** Thank you. I'll document SCCs for the US transfer and confirm no EU-to-Brazil personal data transfer for the engagement portal.
>
> I've now written both the full privacy policy and the condensed privacy notice. Let me validate the policy against all 14 Clause 6 topics.
>
> `check_privacy_policy_clause6` on `output/Privacy-Policy.md`:
>
> ```
> === ISO 27701 CLAUSE 6 — PRIVACY POLICY COVERAGE ===
> Coverage: 14/14 topics (100%)
>
> --- PRESENT ---
>   [OK] Controller identity and contact details (6.3.1)
>   [OK] Purposes of processing (6.3.1)
>   [OK] Legal basis for each processing activity (6.3.1)
>   [OK] Data categories collected (6.3.1)
>   [OK] Recipients and recipient categories (6.3.1 / 6.5.3)
>   [OK] International transfers and safeguards (6.5.2)
>   [OK] Retention periods (6.5.3)
>   [OK] Data subject rights — access, rectification, erasure (6.7)
>   [OK] Data subject rights — portability, objection, restriction (6.8)
>   [OK] Consent and withdrawal mechanisms (6.2.3 / 6.2.4)
>   [OK] Automated decision-making and profiling (6.9.1)
>   [OK] DPO or privacy contact (6.3.1)
>   [OK] Complaints and supervisory authority (6.8)
>   [OK] Policy update / change notification (6.3.1)
>
>   [INFO] All 14 Clause 6 privacy policy topics are addressed.
> Errors: 0, Warnings: 0, Info: 1
> ```
>
> Now let me check the privacy notice for consistency against the full policy.
>
> `check_privacy_notice_consistency` on `output/Privacy-Notice-Summary.md`:
>
> ```
> === PRIVACY NOTICE CONSISTENCY CHECK ===
> Consistency score: 100% (8/8 checks passed)
>
> --- FINDINGS ---
>   [INFO] All 4 processing purposes from the policy are reflected in the notice.
>
> Overall: Notice is broadly consistent with the full policy.
> Errors: 0, Warnings: 0, Info: 1
> ```
>
> Both documents pass validation. The privacy policy covers all 14 mandatory Clause 6 topics, and the privacy notice is consistent with the full policy.

## Sample Output Excerpt

Below is a representative excerpt from the Privacy Policy covering data subject rights and retention. The full policy covers all 14 Clause 6 topics with organization-specific content.

---

# Privacy Policy — MedSecure Health Technologies

- **Effective date:** 2026-03-21
- **Last updated:** 2026-03-21
- **Controller:** MedSecure Health Technologies Ltd., 42 Innovation Drive, Munich, Germany
- **DPO contact:** dpo@medsecure.com

## 7. Your Rights — Access, Rectification, and Erasure

*Clause reference: ISO 27701, 6.7*

You have the right to:

- **Access** your personal data — Request a copy of the personal data we hold about you. We will respond within 30 days (GDPR) or 15 days (LGPD).
- **Rectification** — Request correction of inaccurate or incomplete personal data. Submit corrections through your account settings or by contacting our DPO.
- **Erasure ("right to be forgotten")** — Request deletion of your personal data when it is no longer necessary for the purpose it was collected, you withdraw consent, or there is no overriding legitimate ground for processing.

To exercise these rights, contact our Data Protection Officer at dpo@medsecure.com or use the self-service portal in your account settings. We will verify your identity before processing any request.

## 8. Your Rights — Portability, Objection, and Restriction

*Clause reference: ISO 27701, 6.8*

- **Data portability** — You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV). This applies to data processed based on consent or contract performance.
- **Objection** — You may object to processing based on legitimate interest at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- **Restriction** — You may request restriction of processing while we verify accuracy of your data, assess an objection, or where processing is unlawful but you prefer restriction over erasure.

## 6. Retention Periods

*Clause reference: ISO 27701, 6.5.3*

| Data Category | Retention Period | Basis |
|---------------|-----------------|-------|
| Patient engagement portal account data | Duration of account + 2 years | Contract performance + regulatory requirement |
| Health data submitted through engagement portal | Duration of account + 5 years | Clinical record retention obligations |
| Marketing website cookies | 13 months (analytics), session (functional) | Consent |
| Job application data | 6 months after position filled | Legitimate interest (defense of legal claims) |
| Customer relationship management contacts | Duration of business relationship + 3 years | Legitimate interest |

After the retention period expires, data is securely deleted using cryptographic erasure for encrypted stores and overwrite procedures for unencrypted stores.

## 13. Changes to This Policy

*Clause reference: ISO 27701, 6.3.1*

We may update this privacy policy to reflect changes in our processing activities, legal requirements, or organizational practices. When we make material changes, we will notify you by email (for account holders) and post a prominent notice on our website at least 30 days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised.

---

## Extension Tools

### `check_privacy_policy_clause6`

Validates a privacy policy against all 14 ISO 27701 Clause 6 mandatory topics. Each topic is classified as CRITICAL (must be present for a compliant policy) or WARNING (should be present for best practice).

| # | Topic | Clause | Severity | What It Checks |
|---|-------|--------|----------|----------------|
| 1 | Controller identity and contact details | 6.3.1 | CRITICAL | Organization name, address, email, or contact information |
| 2 | Purposes of processing | 6.3.1 | CRITICAL | Statement of why personal data is collected and processed |
| 3 | Legal basis for each activity | 6.3.1 | CRITICAL | Lawful basis (consent, contract, legitimate interest, legal obligation) |
| 4 | Data categories collected | 6.3.1 | CRITICAL | Types of personal data collected per activity |
| 5 | Recipients and recipient categories | 6.3.1 / 6.5.3 | CRITICAL | Third parties, sharing arrangements, and disclosure recipients |
| 6 | International transfers and safeguards | 6.5.2 | WARNING | Cross-border transfers with adequacy, SCCs, or BCR references |
| 7 | Retention periods | 6.5.3 | CRITICAL | How long data is kept and deletion criteria |
| 8 | Access, rectification, erasure rights | 6.7 | CRITICAL | Data subject rights to access, correct, and delete their data |
| 9 | Portability, objection, restriction | 6.8 | CRITICAL | Additional data subject rights |
| 10 | Consent and withdrawal mechanisms | 6.2.3 / 6.2.4 | WARNING | How consent is collected, recorded, and withdrawn |
| 11 | Automated decision-making and profiling | 6.9.1 | WARNING | Disclosure of any automated decisions or profiling |
| 12 | DPO or privacy contact | 6.3.1 | WARNING | Data Protection Officer or privacy team contact details |
| 13 | Complaints and supervisory authority | 6.8 | CRITICAL | Right to lodge complaints and supervisory authority details |
| 14 | Policy update notification | 6.3.1 | WARNING | How individuals are notified of policy changes |

Returns coverage percentage (X/14) with detailed findings. Missing CRITICAL topics are flagged as errors; missing WARNING topics are flagged as warnings.
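To make the severity model concrete, here is an added Python sketch of a coverage checker in the same shape as the table above. It is an example written for this page, not the skill's own `check_privacy_policy_clause6` implementation (whose source is not shown here): the 14 topics, clauses and severities come from the table, while the keyword regexes, the `check_policy` / `format_report` function names and the `SAMPLE_POLICY` text are assumptions constructed for the example. The sample policy deliberately omits retention (CRITICAL) and international transfers (WARNING) so the error/warning split is visible.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Topic:
    number: int
    name: str
    clause: str
    severity: str    # "CRITICAL": missing => error; "WARNING": missing => warning
    patterns: tuple  # regexes run on the lower-cased policy; any match marks the topic present


# Topics, clauses and severities follow the table above. The regexes are this example's
# own heuristic (assumption), not the skill's detection logic.
TOPICS = (
    Topic(1, "Controller identity and contact details", "6.3.1", "CRITICAL",
          (r"\bcontroller\b.*\b(ltd|gmbh|inc|llc|limited)\b", r"\bregistered office\b")),
    Topic(2, "Purposes of processing", "6.3.1", "CRITICAL",
          (r"\bpurposes? of (the )?processing\b",)),
    Topic(3, "Legal basis for each activity", "6.3.1", "CRITICAL",
          (r"\b(legal|lawful) basis\b", r"\blegitimate interests?\b")),
    Topic(4, "Data categories collected", "6.3.1", "CRITICAL",
          (r"\bcategories of (personal )?data\b", r"\bdata we collect\b")),
    Topic(5, "Recipients and recipient categories", "6.3.1 / 6.5.3", "CRITICAL",
          (r"\brecipients?\b", r"\bthird part(y|ies)\b")),
    Topic(6, "International transfers and safeguards", "6.5.2", "WARNING",
          (r"\b(international|cross-border) transfers?\b", r"\bstandard contractual clauses\b",
           r"\badequacy decisions?\b")),
    Topic(7, "Retention periods", "6.5.3", "CRITICAL",
          (r"\bretention\b", r"\bretain(ed)?\b.*\bfor\b", r"\bhow long\b")),
    Topic(8, "Access, rectification, erasure rights", "6.7", "CRITICAL",
          (r"\baccess your (personal )?data\b", r"\berasure\b", r"\brectif")),
    Topic(9, "Portability, objection, restriction", "6.8", "CRITICAL",
          (r"\bportability\b", r"\bobject(ion)?\b.*\bprocessing\b", r"\brestriction of processing\b")),
    Topic(10, "Consent and withdrawal mechanisms", "6.2.3 / 6.2.4", "WARNING",
          (r"\bwithdraw(al)?\b.*\bconsent\b", r"\bconsent\b.*\bwithdraw")),
    Topic(11, "Automated decision-making and profiling", "6.9.1", "WARNING",
          (r"\bautomated decision", r"\bprofiling\b")),
    Topic(12, "DPO or privacy contact", "6.3.1", "WARNING",
          (r"\bdata protection officer\b", r"\bdpo\b")),
    Topic(13, "Complaints and supervisory authority", "6.8", "CRITICAL",
          (r"\bsupervisory authority\b", r"\blodge a complaint\b")),
    Topic(14, "Policy update notification", "6.3.1", "WARNING",
          (r"\bchanges to this (privacy )?(policy|notice)\b", r"\bmaterial changes\b", r"\blast updated\b")),
)

# Constructed sample policy for a fictional organization: covers 12 of the 14 topics and
# leaves out retention periods (CRITICAL) and international transfers (WARNING).
SAMPLE_POLICY = """\
Privacy Policy - ExampleHealth (constructed sample, not a real organization)
Controller: ExampleHealth Ltd., 1 Sample Street, Exampletown
Data Protection Officer: dpo@example.invalid

1. Purposes of processing
We process personal data to operate the patient portal and to answer enquiries.
The legal basis for the patient portal is consent; for enquiries it is legitimate interest.

2. Categories of personal data
We collect contact details, account credentials and health data you submit.

3. Recipients
We share data with hosting providers and other third parties acting on our behalf.

4. Your rights
You may access your personal data, request rectification or erasure, request
portability of your data, object to processing and request restriction.
You may withdraw consent at any time via your account settings.
We do not make automated decisions or carry out profiling.
You may lodge a complaint with your supervisory authority.

5. Changes to this policy
Material changes are announced 30 days in advance; see the Last updated date.
"""


def check_policy(text):
    """Classify each topic as present, missing-critical (error) or missing-warning."""
    lowered = text.lower()
    present, errors, warnings = [], [], []
    for topic in TOPICS:
        if any(re.search(p, lowered) for p in topic.patterns):
            present.append(topic)
        elif topic.severity == "CRITICAL":
            errors.append(topic)
        else:
            warnings.append(topic)
    return {"present": present, "errors": errors, "warnings": warnings,
            "present_count": len(present), "total": len(TOPICS),
            "coverage_pct": round(100 * len(present) / len(TOPICS))}


def format_report(result):
    """Render the result in the same style as the tool output shown earlier on this page."""
    lines = ["=== CLAUSE 6 PRIVACY POLICY COVERAGE (example checker) ===",
             f"Coverage: {result['present_count']}/{result['total']} topics ({result['coverage_pct']}%)"]
    lines += [f"  [OK] {t.name} ({t.clause})" for t in result["present"]]
    lines += [f"  [ERROR] Missing CRITICAL topic: {t.name} ({t.clause})" for t in result["errors"]]
    lines += [f"  [WARN] Missing topic: {t.name} ({t.clause})" for t in result["warnings"]]
    lines.append(f"Errors: {len(result['errors'])}, Warnings: {len(result['warnings'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_policy(SAMPLE_POLICY)))
```

Keyword matching like this is a first-pass gate, not proof of compliance: a policy can mention "retention" without stating any period, which is why the skill's table describes what each topic must actually contain. An auditor-facing checker should therefore treat `[OK]` as "something to review here" and the error/warning split as the triage order.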

### `check_privacy_notice_consistency`

Cross-checks the condensed privacy notice summary against the full privacy policy to ensure consistency.

| Check | What It Validates |
|-------|-------------------|
| Document completeness | Both the notice and the policy are substantive (not empty or stub documents) |
| Purpose coverage | Every processing purpose in the full policy appears in the notice summary |
| Data subject rights | Rights described in the policy are also referenced in the notice |
| Controller contact | Contact information in both documents is present |
| Complaints mechanism | Complaint and supervisory authority information appears in both |
| Retention information | Retention periods or criteria referenced in both documents |
| Legal basis | Lawful basis information present in both documents |
| Contradiction detection | Retention period numbers in the notice match those in the full policy |

Returns a consistency score (percentage of checks passed) and detailed findings. Scores above 80% indicate broad consistency; lower scores require review and reconciliation.
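The following added Python example shows how the eight checks in the table can be scored and how the 80% threshold turns a score into a review decision. It is not the skill's own `check_privacy_notice_consistency` code: the `section` / `durations` / `check_consistency` helpers, the regexes, the word-count thresholds and the two constructed documents (`POLICY`, `NOTICE`) are all assumptions made for this illustration. The sample notice intentionally drops one purpose and states a retention period the policy does not contain, so both "Purpose coverage" and "Contradiction detection" fail and the score lands at 75%.

```python
import re

# Constructed sample documents for a fictional organization (not skill output).
POLICY = """\
## Purposes
- Patient engagement portal
- Marketing website
- Job applications

## Legal basis
Portal and marketing: consent. Job applications: pre-contractual measures.

## Your rights
You may request access, rectification, erasure and portability of your data.

## Retention
Account data: duration of account + 2 years.
Health data: 5 years after account closure.

## Contact and complaints
DPO: dpo@example.invalid. You may lodge a complaint with the supervisory authority.
"""

NOTICE = """\
## Privacy notice (summary)
We run a patient engagement portal and a marketing website, based on your consent.
You can request access, rectification or erasure of your data.
We keep account data for 2 years and health data for 3 years after closure.
Questions or complaints: dpo@example.invalid.
"""

DURATION_RE = re.compile(r"\b(\d+)\s*(day|week|month|year)s?\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
REVIEW_THRESHOLD = 80  # percent; scores at or above this count as "broadly consistent"


def section(text, heading):
    """Return the body of the '## <heading>' section, up to the next '## ' heading."""
    m = re.search(rf"^## {re.escape(heading)}\s*$\n(.*?)(?=^## |\Z)", text, re.M | re.S)
    return m.group(1) if m else ""


def list_items(block):
    """Lower-cased '- ' bullet items of a section body."""
    return [line[2:].strip().lower() for line in block.splitlines() if line.startswith("- ")]


def durations(text):
    """Set of (number, unit) retention-style durations such as '5 years' found in the text."""
    return {(int(n), unit.lower()) for n, unit in DURATION_RE.findall(text)}


def both(pattern, a, b):
    """True when the pattern occurs in both documents (case-insensitive)."""
    return bool(re.search(pattern, a, re.I)) and bool(re.search(pattern, b, re.I))


def check_consistency(policy, notice):
    purposes = list_items(section(policy, "Purposes"))
    missing_purposes = [p for p in purposes if p not in notice.lower()]
    # A duration stated in the notice but absent from the policy is a contradiction candidate.
    unmatched = durations(notice) - durations(policy)
    checks = {
        "Document completeness": len(policy.split()) >= 40 and len(notice.split()) >= 20,
        "Purpose coverage": not missing_purposes,
        "Data subject rights": both(r"\b(access|rectification|erasure|portability)\b", policy, notice),
        "Controller contact": bool(EMAIL_RE.search(policy)) and bool(EMAIL_RE.search(notice)),
        "Complaints mechanism": both(r"\bcomplaints?\b", policy, notice),
        "Retention information": both(r"\b(retention|retain|keep)\b", policy, notice),
        "Legal basis": both(r"\b(legal basis|lawful basis|consent|legitimate interest)\b", policy, notice),
        "Contradiction detection": not unmatched,
    }
    passed = sum(checks.values())
    score = round(100 * passed / len(checks))
    return {"checks": checks, "passed": passed, "total": len(checks), "score": score,
            "missing_purposes": missing_purposes, "unmatched_durations": sorted(unmatched),
            "needs_review": score < REVIEW_THRESHOLD}


if __name__ == "__main__":
    r = check_consistency(POLICY, NOTICE)
    print(f"Consistency score: {r['score']}% ({r['passed']}/{r['total']} checks passed)")
    for name, ok in r["checks"].items():
        print(f"  [{'OK' if ok else 'FAIL'}] {name}")
    if r["missing_purposes"]:
        print("  Purposes missing from notice:", ", ".join(r["missing_purposes"]))
    if r["unmatched_durations"]:
        print("  Durations in notice not found in policy:", r["unmatched_durations"])
    print("Needs review" if r["needs_review"] else "Broadly consistent")
```

The contradiction check compares the set of durations rather than their order, so a notice that says "2 years" for the wrong category would still pass; matching durations to their data category, as the skill's "Contradiction detection" row describes, needs per-category parsing of the retention table. The rest of the checks are presence tests, which is why a notice can score 100% and still be misleading if its wording diverges from the policy.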

## Getting Started

To generate a privacy policy that passes Clause 6 validation, prepare the following:

1. **PII inventory** — Run the ISO 27701 PII Inventory skill first. The privacy policy draws directly from your processing activities, purposes, legal bases, data categories, retention periods, and recipient information.

2. **Controller controls register** — Run the ISO 27701 Controller Controls skill. The policy references specific control implementations for consent mechanisms (6.2.3/6.2.4), data subject rights procedures (6.7, 6.8), and automated decision-making disclosures (6.9.1).

3. **Transfer mechanism details** — Know which international transfers occur and what safeguards are in place (adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules).

4. **DPO and contact information** — Have your Data Protection Officer's name and contact details (email, postal address) ready. If you do not have a DPO, identify the privacy contact point.

5. **Supervisory authority details** — Know which data protection authorities have jurisdiction over your processing activities (e.g., BfDI for Germany, CNIL for France, ANPD for Brazil).

6. **Jurisdiction-specific requirements** — If you operate under multiple regulations, be prepared to discuss specific disclosure requirements for each (GDPR Articles 13/14, LGPD Article 9, CCPA).

Start by telling the agent about your organization, your controller processing activities, and the jurisdictions you serve. The agent will generate the full policy, create the condensed notice, and validate both documents.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
