
What does control A.2.2.3 require?

The organization shall ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer.

This control sits within the PII Processor controls annex (A.2) and establishes the most fundamental processor obligation: purpose limitation. A processor exists to carry out the controller’s instructions, not to pursue its own objectives with the data. Any processing beyond what the customer has documented and instructed represents a breach of this control and potentially a breach of data protection law.

What does the Annex B implementation guidance say?

Annex B (section B.2.2.3) provides the following guidance:

  • Document the service objective and timeframe — The contract between the organisation and the customer should include, but not be limited to, the objective and time frame to be achieved by the service
  • Allow technical discretion within general instructions — There can be technical reasons why it is appropriate for the organisation to determine the method for processing PII, consistent with the general instructions of the customer but without the customer’s express instruction. For example, allocating specific processing resources depending on certain characteristics of the PII principal
  • Enable customer verification — The organisation should allow the customer to verify its compliance with the purpose specification and limitation principles
  • Extend to subcontractors — This also ensures that no PII is processed by the organisation or any of its subcontractors for other purposes than those expressed in the documented instructions of the customer
  • See also A.2.2.6: Customer Obligations for related requirements

The guidance strikes a pragmatic balance: processors may make technical decisions about how to process data efficiently, but they must not change the purpose for which data is processed. The customer must be able to verify that this boundary is being respected.

How does this map to GDPR?

Control A.2.2.3 maps to the following GDPR articles:

  • Article 5(1)(a) — The lawfulness, fairness and transparency principle
  • Article 5(1)(b) — The purpose limitation principle, requiring that personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
  • Article 28(3)(a) — The processor shall process personal data only on documented instructions from the controller
  • Article 29 — The processor shall not process personal data except on instructions from the controller
  • Article 32(4) — Any person acting under the authority of the processor who has access to personal data shall not process them except on instructions from the controller

Under GDPR, a processor that processes data beyond the customer’s documented instructions risks being reclassified as a controller for that processing, with all the legal obligations that entails.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.2.3 as a standalone control with implementation guidance in B.2.2.3 that clarifies the boundary between legitimate technical discretion and unauthorised purpose expansion. See the Annex F correspondence table for the full mapping.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
What evidence do auditors expect?

When assessing compliance with A.2.2.3, auditors will typically look for:

  • Documented customer instructions — Clear, written instructions from each customer specifying the purposes for which PII may be processed
  • Processing records — Records demonstrating that actual processing activities align with documented customer instructions
  • Verification mechanisms — Evidence that customers can verify purpose compliance, such as audit rights, reporting capabilities or transparency dashboards
  • Subcontractor controls — Evidence that the purpose limitation obligation is flowed down to any subcontractors involved in PII processing
  • Staff training — Training records showing that personnel understand they must not process PII beyond the customer’s documented purposes

What are the related controls?

  • A.2.2.2 Customer agreement — The contract should document the processing purposes and instructions
  • A.2.2.4 Marketing and advertising use — A specific prohibition on using PII for marketing beyond customer instructions
  • A.2.2.5 Infringing instruction — The processor must flag customer instructions that may infringe the law
  • A.2.5.8 Engagement of subcontractor — Subcontractors must also be bound by the customer’s purpose limitations
  • A.2.2.7 Records of processing — Records should demonstrate processing aligns with documented purposes

Who does this control apply to?

A.2.2.3 applies exclusively to PII processors. It is the processor-side implementation of the purpose limitation principle. Controllers define the purposes; processors must stay strictly within those boundaries. Any processing for the organisation’s own purposes (analytics, product improvement, AI training) without explicit customer authorisation would violate this control.


Why choose ISMS.online for purpose limitation compliance?

ISMS.online provides practical tools for demonstrating purpose limitation as a processor:

  • Processing register — Document and maintain a register of processing activities per customer, linked to their documented instructions and purposes
  • Customer instruction tracking — Record customer instructions with version control, ensuring you can demonstrate which instructions were in force at any point in time
  • Subcontractor management — Flow purpose limitations down to subcontractors with contract tracking and compliance monitoring
  • Audit support — Provide customers with evidence packs demonstrating purpose compliance, supporting their verification rights
  • Policy management — Publish and distribute purpose limitation policies to staff with acknowledgement tracking

FAQs

Can a processor use PII for its own analytics or product improvement?

Not without explicit authorisation from the customer. Using customer PII for the processor’s own purposes — such as training machine learning models, benchmarking, product improvement or analytics — is processing beyond the documented instructions and violates A.2.2.3. Under GDPR, a processor that unilaterally decides to process data for its own purposes may be treated as a controller for that processing, inheriting all controller obligations and potential liability.


What is the boundary between technical discretion and purpose expansion?

Technical discretion means the processor can decide how to achieve the customer’s purpose efficiently — for example, choosing which servers to use, how to allocate processing resources or which caching strategy to apply. Purpose expansion means the processor uses the data for a purpose the customer did not instruct — for example, analysing PII patterns for the processor’s own business insights. The test is whether the processing serves the customer’s documented purpose or the processor’s own interests.


How should purpose limitations be communicated to staff?

All personnel who have access to customer PII should understand that they may only process it for the purposes documented in the customer’s instructions. This should be covered in onboarding training, reinforced in regular awareness sessions and reflected in role-based access controls. Technical controls should also enforce purpose limitation where possible — for example, restricting data exports, preventing bulk downloads and logging all access for audit purposes.
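The technical enforcement mentioned in the last sentence can be made concrete as a small policy check. The following is an added example, not ISMS.online's code and not part of the standard: it holds version-controlled customer instructions (the kind A.2.2.2 and the processing register above describe), decides whether a processing request falls within the instruction in force at that moment for a party bound by it (the organisation or a named subcontractor), and records every decision so the customer can verify purpose compliance. The customer name, purposes, actors and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

def utc(year, month, day):
    """Timezone-aware UTC timestamp for the sample data below."""
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Instruction:
    """One version of a customer's documented instructions (the A.2.2.2 contract)."""
    customer: str
    version: int
    effective_from: datetime
    purposes: frozenset    # purposes the customer has expressly documented
    processors: frozenset  # the organisation plus any subcontractors bound by it

@dataclass
class PurposeLimitationGuard:
    instructions: list
    audit_log: list = field(default_factory=list)  # every decision, kept for customer verification

    def in_force(self, customer, at):
        """Highest instruction version effective at time 'at' (None if nothing was agreed yet)."""
        live = [i for i in self.instructions if i.customer == customer and i.effective_from <= at]
        return max(live, key=lambda i: i.version) if live else None

    def authorise(self, customer, purpose, actor, at):
        """Allow only processing whose purpose the in-force instruction names, by a bound party."""
        inst = self.in_force(customer, at)
        if inst is None:
            ok, reason = False, "no documented instruction in force"
        elif actor not in inst.processors:
            ok, reason = False, f"{actor} is not bound by instruction v{inst.version}"
        elif purpose not in inst.purposes:
            ok, reason = False, f"purpose '{purpose}' is outside instruction v{inst.version}"
        else:
            ok, reason = True, f"within instruction v{inst.version}"
        self.audit_log.append({"at": at.isoformat(), "customer": customer, "actor": actor,
                               "purpose": purpose, "allowed": ok, "reason": reason})
        return ok

def build_guard():
    """Constructed sample: customer 'acme' widens its instructions in version 2."""
    return PurposeLimitationGuard([
        Instruction("acme", 1, utc(2025, 1, 1), frozenset({"payroll_processing"}), frozenset({"org"})),
        Instruction("acme", 2, utc(2025, 6, 1), frozenset({"payroll_processing", "payslip_delivery"}),
                    frozenset({"org", "mail-subcontractor"})),
    ])
```

A request for the processor's own purpose (for example "model_training") is denied regardless of date, and a request dated before version 2 took effect is judged against version 1, which is what "which instructions were in force at any point in time" requires.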



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
