What does control A.2.2.4 require?
The organization shall not use PII processed under a contract for the purposes of marketing and advertising without establishing that prior consent was obtained from the appropriate PII principal. The organization shall not make providing such consent a condition for receiving the service.
This control sits within the PII Processor controls annex (A.2) and creates a specific, absolute prohibition: processors must not repurpose customer PII for their own marketing or advertising activities. This goes beyond the general purpose limitation in A.2.2.3 Organisation Purposes by explicitly naming marketing as a prohibited use and adding the non-bundling requirement — consent for marketing cannot be tied to service provision.
What does the Annex B implementation guidance say?
Annex B (section B.2.2.4) provides the following guidance:
- Document compliance — Compliance of PII processors with the customer’s contractual requirements should be documented, especially where marketing or advertising is planned
- No forced inclusion of marketing — Organisations should not insist on the inclusion of marketing or advertising uses where express consent has not been fairly obtained from PII principals
- See also A.2.2.5: Infringing Instruction for related requirements
- See also A.2.2.6: Customer Obligations for related requirements
The guidance also notes that this control complements the more general purpose limitation control in A.2.2.3 Organisation Purposes and does not replace or supersede it. Even if marketing consent is obtained, the processing must still comply with the customer’s documented instructions.
How does this map to GDPR?
Control A.2.2.4 maps to the following GDPR article:
- Article 7(4) — When assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract
Article 7(4) directly addresses the “bundling” problem: consent for marketing is unlikely to be freely given (and therefore valid) if it is a condition of receiving the service. This makes the non-bundling requirement in A.2.2.4 a GDPR compliance necessity, not just best practice.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.2.4 as a standalone control with clearer implementation guidance in B.2.2.4. The explicit note that this control complements but does not supersede A.2.2.3 Organisation Purposes is a useful clarification. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.2.2.4, auditors will typically look for:
- Marketing use policy — A documented policy prohibiting the use of customer PII for marketing or advertising without valid consent
- Consent records — Where marketing use does occur, evidence that prior, freely given consent was obtained from PII principals and that consent was not bundled with the service
- Contract terms — Evidence that service contracts do not make marketing consent a condition of service provision
- Technical controls — Evidence that technical measures prevent the use of customer PII in marketing systems without appropriate authorisation
- Staff training — Training records demonstrating that marketing and sales teams understand the prohibition on using processor PII for marketing
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.2.3 Organization’s purposes | Marketing use is a specific case of purpose limitation — both controls apply |
| A.2.2.2 Customer agreement | Marketing restrictions should be explicit in the customer contract |
| A.1.2.4 Determine consent | The controller-side requirements for determining when consent is needed |
| A.1.2.5 Obtain and record consent | Consent for marketing must be obtained and recorded properly |
| A.2.2.7 Records of processing | Marketing consent records form part of the processor’s processing records |
Who does this control apply to?
A.2.2.4 applies exclusively to PII processors. It directly prohibits processors from using PII obtained through service contracts for their own marketing purposes. This is particularly relevant for SaaS providers, cloud services and managed service providers that may be tempted to leverage customer data for cross-selling, product marketing or advertising targeting.
Why choose ISMS.online for marketing compliance management?
ISMS.online provides practical tools for ensuring marketing compliance as a processor:
- Policy management — Publish and enforce marketing restriction policies with staff acknowledgement and version control
- Consent tracking — Where marketing consent is obtained, track and manage consent records with expiry dates and withdrawal management
- Data flow mapping — Map data flows to identify where customer PII could potentially reach marketing systems, and implement appropriate controls
- Compliance monitoring — Monitor compliance with marketing restrictions across teams and systems
- Training management — Deliver and track marketing compliance training for relevant staff
FAQs
Can a processor include marketing consent in its terms of service?
A processor can seek marketing consent, but it must not make that consent a condition for receiving the service. This means the service must be fully available without marketing consent being granted. The consent request must be clearly separate from the service terms, freely given, specific and easy to withdraw. Pre-ticked consent boxes or opt-out mechanisms do not meet the standard for valid prior consent.
Does this control apply to aggregated or anonymised data?
If data has been truly anonymised to the point where PII principals can no longer be identified (directly or indirectly), it is no longer PII and falls outside the scope of this control. However, the threshold for anonymisation is high — pseudonymised data or aggregated data from which individuals could potentially be re-identified remains PII. Processors should be cautious about claiming data is anonymised and should have a documented methodology for verifying anonymisation effectiveness.
What are the consequences of violating this control?
Using customer PII for unauthorised marketing could result in: breach of contract with the customer (potentially triggering termination and damages); reclassification as a controller under GDPR (with full controller obligations and liabilities); enforcement action by the supervisory authority; and reputational damage. Under GDPR, a processor that determines its own purposes for processing (such as marketing) is treated as a controller for that processing under Article 28(10).