What does control A.2.3.2 require?

The organization shall provide the customer with the means to comply with its obligations related to PII principals.

This control sits within the PII Processor controls annex (A.2) and addresses a critical practical challenge: controllers have legal obligations to data subjects (such as responding to access requests, correcting data and deleting data), but they cannot fulfil these obligations if their processors do not provide the necessary capabilities. A.2.3.2 places the obligation on the processor to ensure that the technical and organisational means to fulfil data subject rights are available.

What does the Annex B implementation guidance say?

Annex B (section B.2.3.2) provides the following guidance:

  • Obligations are defined by law or contract — A PII controller’s obligations can be defined by legal requirements or by contract, and can include obligations whose fulfilment the customer has delegated to the organisation’s services
  • Practical examples — For example, this can include the correction or deletion of PII in a timely fashion
  • Contractual specification — Where a customer depends on the organisation for information or technical measures to facilitate meeting the obligations to PII principals, the relevant information or technical measures should be specified in a contract
  • See also A.2.4.2: Temporary Files for related requirements
  • See also A.2.4.4: PII Transmission Controls for related requirements

The guidance makes clear that this is not an abstract obligation — processors must provide concrete capabilities such as the ability to retrieve, export, correct and delete individual PII records on request. These capabilities should be defined in the contract so that both parties understand what the processor will provide.

How does this map to GDPR?

Control A.2.3.2 maps to the following GDPR articles:

  • Article 15(3) — The right of access, including the right to obtain a copy of the personal data undergoing processing
  • Article 17(2) — The controller’s obligation to inform other controllers processing the data about the data subject’s erasure request
  • Article 28(3)(e) — The processor shall assist the controller, by appropriate technical and organisational measures and insofar as this is possible, in fulfilling the controller’s obligation to respond to requests for exercising data subject rights (Chapter III, Articles 12 to 23)

GDPR Article 28(3)(e) requires processors to assist controllers with every data subject right they process data for: access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), data portability (Article 20) and objection (Article 21). The assistance is owed "insofar as this is possible", which is why the processor must know, and disclose, exactly which of these its systems can and cannot support for an individual record.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.3.2 as a standalone control with implementation guidance in B.2.3.2 that includes practical examples and emphasises contractual specification of the processor’s obligations. See the Annex F correspondence table for the full mapping.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.




What evidence do auditors expect?

When assessing compliance with A.2.3.2, auditors will typically look for:

  • Data subject rights capability — Evidence that the organisation’s systems and processes can support all relevant data subject rights: access, rectification, erasure, restriction, portability and objection
  • Contractual provisions — Contract clauses specifying the technical and organisational measures the processor provides to support data subject rights fulfilment
  • Request handling procedures — Documented procedures for handling data subject right requests forwarded by customers, including response timeframes
  • Technical capability — Evidence of technical capabilities such as data export functions, individual record deletion, data correction tools and audit trails of changes made
  • Response records — Records of data subject right requests received from customers and the actions taken, demonstrating timely and complete fulfilment

What are the related controls?

Control: Relationship
A.2.2.2 (Customer agreement): The contract should specify the processor’s obligations for supporting data subject rights
A.1.3.7 (Access, correction or erasure): The controller-side rights that the processor must enable
A.1.3.10 (Handling requests): The controller’s request handling process depends on processor support
A.2.4.3 (Return, transfer or disposal): Data portability and erasure capabilities support data subject rights
A.2.2.6 (Customer obligations): Supporting data subject rights is a key part of helping customers demonstrate compliance

Who does this control apply to?

A.2.3.2 applies exclusively to PII processors. It recognises that controllers cannot fulfil their obligations to data subjects without processor cooperation. If a processor’s systems do not support individual record retrieval, correction or deletion, the controller is left unable to respond to data subject requests — which is a compliance failure for the controller but a contractual and potentially legal failure for the processor.


Why choose ISMS.online for supporting PII principal rights?

ISMS.online provides practical tools for supporting data subject rights as a processor:

  • Request management — Track and manage data subject right requests received from customers with workflow management, assignment and deadline tracking
  • Capability documentation — Document your data subject rights capabilities per service or system, showing customers exactly what you can support
  • Response tracking — Log responses to each request with timestamps, actions taken and evidence, creating a complete audit trail
  • SLA monitoring — Monitor response times against contractual SLAs, with alerts for requests approaching their deadline
  • Evidence management — Store request handling evidence in a structured format for audit readiness and customer reporting

FAQs

What data subject rights must processors support?

Under GDPR, processors must be able to assist controllers with: the right of access (retrieving and exporting an individual’s data); the right to rectification (correcting inaccurate data); the right to erasure (deleting an individual’s data); the right to restriction of processing (marking data to restrict its use); the right to data portability (providing data in a structured, machine-readable format); and the right to object (ceasing processing of specific data). The processor’s systems should be designed to support all of these rights for individual records.


Who responds to data subjects — the controller or the processor?

The controller is responsible for responding to data subjects. The processor provides the means for the controller to fulfil the request. If a data subject contacts the processor directly, the processor should redirect the request to the relevant controller (unless the contract specifies otherwise). The processor should not communicate directly with data subjects about their rights unless authorised to do so by the controller.


What happens if the processor cannot technically fulfil a request?

If the processor’s systems cannot support a particular data subject right (for example, granular deletion of individual records from backup systems), this limitation should be disclosed to the customer before entering into the contract. The contract should clearly state what the processor can and cannot do, and what workarounds are available. Designing systems to support data subject rights from the outset (A.3.29 Secure System Architecture) is significantly easier and cheaper than retrofitting this capability later.
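The per-record capabilities auditors look for above (export, rectification, restriction, erasure and an audit trail of changes) and the backup limitation in this answer, as an added example that is not the page’s, ISO/IEC 27701’s or ISMS.online’s code. It assumes a processor that keeps one data-encryption key per PII principal in a key store excluded from the backup set and stores only ciphertext in records, so erasure is implemented by destroying the key ("crypto-shredding"): backup copies of the record survive but can no longer be decrypted. The HMAC-SHA256 counter-mode cipher is used only so the file runs on the Python standard library; the principal IDs, fields and sample data are constructed for the example.

```python
# Added illustration (not the page's, ISO/IEC 27701's or any product's code): a
# processor-side PII store with one data key per principal held outside the backup
# set, ciphertext-only records, and erasure by destroying the key (crypto-shredding).
# HMAC-SHA256 in counter mode is used only to stay on the standard library; use
# AES-GCM (e.g. the `cryptography` package) in production. Names/data are constructed.
import hashlib, hmac, json, os, time

class ErasedError(LookupError): pass       # no key left: record was crypto-shredded
class RestrictedError(PermissionError): pass  # GDPR Art. 18: processing restricted

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(enc_key, nonce, n):  # PRF in counter mode, truncated to n bytes
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")  # domain-separated subkeys
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)  # encrypt-then-MAC

def unseal(key, blob):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("record tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class PIIStore:
    def __init__(self):
        self.keys = {}        # key store: NOT part of the backup set
        self.records = {}     # ciphertext only: this is what backups copy
        self.restricted = set()
        self.audit = []       # evidence trail: which controller asked for what, and when

    def _log(self, action, principal, controller):
        self.audit.append({"ts": time.time(), "action": action,
                           "principal": principal, "controller": controller})

    def _key(self, principal):
        if principal not in self.keys:
            raise ErasedError(principal)
        return self.keys[principal]

    def store(self, principal, data, controller):
        self.keys.setdefault(principal, os.urandom(32))
        self.records[principal] = seal(self._key(principal), json.dumps(data).encode())
        self._log("store", principal, controller)

    def read(self, principal, rights_request=False):
        # A restricted record may still be read to answer the subject's own request;
        # ordinary processing is refused.
        if principal in self.restricted and not rights_request:
            raise RestrictedError(principal)
        return json.loads(unseal(self._key(principal), self.records[principal]))

    def export(self, principal, controller):  # Art. 15(3) / Art. 20: machine-readable copy
        self._log("export", principal, controller)
        return json.dumps(self.read(principal, True), sort_keys=True)

    def rectify(self, principal, changes, controller):
        data = self.read(principal, True)
        data.update(changes)
        self.records[principal] = seal(self._key(principal), json.dumps(data).encode())
        self._log("rectify", principal, controller)

    def restrict(self, principal, controller):
        self._key(principal)  # fail loudly if already erased
        self.restricted.add(principal)
        self._log("restrict", principal, controller)

    def erase(self, principal, controller):
        # Crypto-shredding: destroy only the key; the ciphertext and every backup
        # copy of it stay put but can no longer be decrypted.
        self._key(principal)
        del self.keys[principal]
        self.restricted.discard(principal)
        self._log("erase", principal, controller)

def demo():
    """One constructed principal through rectify, export, restrict and erase."""
    s = PIIStore()
    s.store("p-001", {"name": "A. Example", "email": "old@example.test"}, "controller-x")
    s.rectify("p-001", {"email": "new@example.test"}, "controller-x")
    exported = json.loads(s.export("p-001", "controller-x"))
    s.restrict("p-001", "controller-x")
    try:
        s.read("p-001")  # ordinary processing after restriction: must be refused
        blocked = False
    except RestrictedError:
        blocked = True
    backup = dict(s.records)  # backup taken before the erasure request
    s.erase("p-001", "controller-x")
    s.records = backup  # restore that backup afterwards: the blob is back, the key is not
    try:
        s.read("p-001", rights_request=True)
        recoverable = True
    except ErasedError:
        recoverable = False
    return {"email": exported["email"], "blocked": blocked, "recoverable": recoverable,
            "actions": [e["action"] for e in s.audit]}
```

The design choice that matters for the backup caveat is that the key store and the record store have different retention: backups copy only `records`, so a key deleted in response to an erasure request is gone from every restore, while the restored ciphertext is inert. The `audit` list is what a processor would hand the customer as its response record; in a real system it would be append-only storage rather than an in-memory list.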



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
