What does control A.1.4.3 require?
The organisation shall limit the processing of PII to that which is adequate, relevant and necessary for the identified purposes.
This control sits within the PII minimization objective (A.1.4) and works alongside A.1.4.2 (limit collection) to create a comprehensive data minimisation approach. While A.1.4.2 Limit Collection controls what data enters the organisation, A.1.4.3 controls what the organisation does with that data once collected. Processing must not go beyond what is needed for the stated purpose.
What does the implementation guidance say?
Annex B (section B.1.4.3) provides the following guidance:
- Processing must not exceed stated purposes — Processing activities should not go beyond what is needed for the purposes that have been documented and communicated to PII principals
- Review processing activities — The organisation should periodically review its processing activities to ensure they remain proportional to the identified purposes and that no scope creep has occurred
- Cease unnecessary processing — Where processing is no longer necessary for the stated purpose, it should stop. This includes automated processing that may continue running after the original need has ended
- Demonstrate adequacy, relevance and necessity — The organisation should be able to show, for each processing activity, why it is adequate (fit for purpose), relevant (connected to the purpose) and necessary (the purpose cannot be achieved without it)
In practice, this means every report, analysis, transfer, backup and automated workflow that touches PII should be traceable to a documented purpose under A.1.2.2 Identify and Document Purpose.
How does this map to GDPR?
Control A.1.4.3 maps to GDPR Article 25(2), which requires that the data controller implements appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
This is the GDPR’s “data protection by default” requirement, and A.1.4.3 provides a structured way to implement and evidence it.
How does this relate to ISO 29100 privacy principles?
This control directly supports the ISO 29100 principle of Data minimization, which requires that the processing of PII be limited to the minimum necessary to fulfil the specified purposes. The principle extends beyond collection to encompass all processing operations, including storage, use, transfer and disposal.
What evidence do auditors expect?
When assessing compliance with A.1.4.3, auditors will typically look for:
- Processing activity records — A complete register of processing activities mapped to their stated purposes, showing the scope of processing for each
- Proportionality assessments — Evidence that each processing activity has been assessed for adequacy, relevance and necessity
- Review records — Documentation of periodic reviews confirming that processing remains within scope, with action items where issues were found
- Access controls — Technical measures limiting who can process PII and for what purposes, demonstrating that access is proportionate
- Decommissioning records — Evidence that processing activities are stopped and PII is disposed of when the purpose has been fulfilled
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.4.2 Limit collection | Collection limitation is the prerequisite; processing limitation extends the principle throughout the lifecycle |
| A.1.2.2 Identify and document purpose | Processing limits are defined by the documented purposes |
| A.1.4.5 PII minimization objectives | Provides the overarching minimisation framework that informs processing limits |
| A.1.4.8 Retention | Retention periods define when processing (including storage) should cease |
| A.1.3.11 Automated decision making | Automated processing must also be limited to what is necessary |
| A.1.2.9 Records of processing | Processing records provide the evidence base for demonstrating processing limits |
What changed from ISO 27701:2019?
In the 2019 edition, processing limitation was addressed under Clause 7.4.2 (limit processing). The 2025 control retains the same core requirement but benefits from the clearer structure of the new Annex A/B format. The implementation guidance now more explicitly addresses the need for periodic review and the obligation to cease processing when it is no longer necessary. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for managing PII processing limits?
ISMS.online helps you maintain ongoing control over how PII is processed across your organisation:
- Processing activity register — Map every processing activity to its documented purpose with clear scope boundaries, making proportionality visible at a glance
- Scheduled review cycles — Set automated review reminders for each processing activity so that scope creep is caught early
- Role-based access controls — Enforce technical limits on who can process PII for which purposes, aligning system access with documented processing scope
- Decommissioning workflows — Track the cessation of processing activities through to completion, including evidence of data disposal
- Compliance dashboards — See at a glance which processing activities are due for review, which have been approved and which have open action items
FAQs
How is “limit processing” different from “limit collection”?
Collection limitation (A.1.4.2 Limit Collection) governs what PII enters the organisation. Processing limitation (A.1.4.3) governs what happens to PII after it has been collected, including storage, analysis, transfer, reporting and any other operation performed on the data. Both are needed because an organisation may collect the right data but then use it for purposes beyond what was originally documented.
What practical steps prevent processing scope creep?
Effective measures include: requiring a change request and privacy assessment before any new use of existing PII; implementing role-based access so that only authorised personnel can process PII for approved purposes; conducting periodic reviews of processing activities against documented purposes; and maintaining processing logs that can be audited for unusual or unauthorised activity.
Does this control apply to PII stored in backups?
Yes. Backup storage is a form of processing. If PII is retained in backups beyond the period necessary for the stated purpose, the organisation should have documented justification (such as business continuity or legal retention requirements) and appropriate access controls. When the retention justification expires, PII in backups should be addressed through your disposal procedures under A.1.4.9 Disposal.