What does control A.2.2.2 require?
The organization shall ensure, where relevant, that the contract to process PII addresses the organization’s role in providing assistance with the customer’s obligations (taking into account the nature of processing and the information available to the organization).
This control sits within the PII Processor controls annex (A.2) and establishes the contractual foundation for the processor-controller relationship. It requires processors to go beyond simply processing data to actively assist controllers with their obligations — such as breach notification, data subject rights, DPIAs and security measures. The contract must define these assistance obligations clearly.
What does the Annex B implementation guidance say?
Annex B (section B.2.2.2) provides the following guidance on what the contract should include:
- Privacy by design and privacy by default — The contract should address the processor’s role in supporting privacy by design and privacy by default principles
- Security of processing — The contract should cover how the processor will help achieve appropriate security measures
- Breach notification to supervisory authorities — The contract should define the processor’s obligations to notify the controller of breaches involving PII, enabling the controller to meet its notification obligations
- Breach notification to customers and PII principals — The contract should address how the processor will assist the controller in notifying affected individuals
- Privacy impact assessments — The contract should include the processor’s role in conducting or contributing to DPIAs
- Prior consultation — The contract should cover assistance if the controller needs to consult with PII protection authorities
See also A.2.2.4 (Marketing and advertising use) and A.2.2.5 (Infringing instruction) for related requirements.
Some jurisdictions require that the contract also includes the subject matter and duration of the processing, the nature and purpose of the processing, the type of PII and categories of PII principals.
How does this map to GDPR?
Control A.2.2.2 maps to the following GDPR articles:
- Article 28(3)(e) — The processor shall, taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the controller’s obligation to respond to requests from data subjects exercising their rights under Chapter III
- Article 28(3)(f) — The processor shall assist the controller in ensuring compliance with the obligations in Articles 32 to 36 (security of processing, breach notification to the supervisory authority and to data subjects, DPIAs and prior consultation), taking into account the nature of processing and the information available to the processor
- Article 28(9) — The contract must be in writing, including electronic form
- Article 35(1) — Where processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a DPIA; the processor’s duty to assist with that assessment flows from Article 28(3)(f)
GDPR Article 28 is the primary legal basis for processor contracts, and A.2.2.2 provides a structured way to ensure contracts meet these requirements.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, the same requirement appeared as clause 8.2.1 (Customer agreement) within the PII processor guidance of clause 8, with the list of contract areas sitting in its implementation guidance. The 2025 edition restates it as the standalone control A.2.2.2, with implementation guidance in B.2.2.2 that explicitly lists the six areas the contract should cover. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.2.2.2, auditors will typically look for:
- Data processing agreements — Signed contracts with customers that include all six areas specified in the implementation guidance
- Contract templates — Standard contract templates or clauses that the organisation uses to ensure consistency across customer agreements
- Assistance capability — Evidence that the organisation has the operational capability to provide the assistance described in the contract (e.g. breach notification procedures, DPIA support processes)
- Contract review process — A documented process for reviewing contracts to ensure PII protection obligations are adequately addressed
- Jurisdictional compliance — Evidence that contracts include jurisdiction-specific requirements where applicable (e.g. subject matter, duration, PII types)
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.2.3 Organization’s purposes | The contract defines the purposes for which PII can be processed |
| A.2.2.6 Customer obligations | The processor must provide information to help the customer demonstrate compliance |
| A.1.2.7 Contracts with PII processors | The controller-side equivalent of processor contract requirements |
| A.3.11 Incident management planning | Breach notification assistance obligations depend on incident management capability |
| A.2.5.8 Engagement of subcontractor | Subcontractor arrangements must align with the customer contract terms |
Who does this control apply to?
A.2.2.2 applies exclusively to PII processors. It places the obligation on the processor to ensure that the contract adequately addresses its assistance role. While the controller typically drafts the data processing agreement, the processor has an independent obligation to verify that the contract covers the required areas and to flag any gaps.
Why choose ISMS.online for managing processor agreements?
ISMS.online provides practical tools for managing customer agreements as a PII processor:
- Contract register — Maintain a central register of all data processing agreements with review dates, compliance status and linked obligations
- Contract templates — Use pre-built DPA templates that include all six areas specified in B.2.2.2, customisable to your organisation’s services
- Obligation tracking — Track the specific assistance obligations in each customer contract with task assignments and status monitoring
- Review scheduling — Schedule periodic contract reviews with automated reminders to ensure agreements remain current
- Compliance evidence — Store signed agreements, review records and capability evidence in a structured, audit-ready format
FAQs
What happens if the customer’s contract does not cover all required areas?
The processor has an obligation to ensure the contract addresses its assistance role. If the customer provides a contract that is missing required elements, the processor should flag the gaps and request amendments. It is not sufficient for the processor to simply sign an incomplete contract — A.2.2.2 places the obligation on the processor to verify coverage. Where the customer is unwilling to amend the contract, the processor should document the gap and the risk, and consider whether entering into the arrangement is appropriate.
Is a standalone DPA required, or can terms be included in the main service agreement?
Either approach is acceptable. The key requirement is that the PII processing terms are documented in writing (including electronic form) and are clearly identifiable. Many organisations use a standalone DPA as an annex or schedule to the main service agreement, which makes it easier to review and update PII-specific terms without renegotiating the entire contract. The format matters less than the completeness and clarity of the obligations.
How should the processor scope its assistance obligations?
The control specifies that assistance should take into account “the nature of processing and the information available to the organization.” This means the processor’s assistance obligations should be proportionate to its role. A processor that only stores encrypted data may have limited ability to assist with data subject access requests, for example. The contract should clearly define the scope and limitations of assistance, avoiding open-ended commitments that the processor cannot practically fulfil.