What does control A.2.2.5 require?

The organization shall inform the customer if, in its opinion, a processing instruction infringes applicable legal requirements.

This control sits within the PII Processor controls annex (A.2) and creates a critical safety net. While processors generally act on the customer’s instructions (A.2.2.3 Organisation Purposes), this control recognises that blindly following every instruction could lead to legal violations. If a processor identifies that an instruction would infringe applicable law, it has an obligation to raise the concern with the customer rather than simply complying.

What does the Annex B implementation guidance say?

Annex B (section B.2.2.5) provides the following guidance:

  • Context-dependent capability — The organisation’s ability to verify whether an instruction infringes legal requirements can depend on the technological context, on the instruction itself and on the contract between the organisation and the customer
  • See also A.2.2.4: Marketing and Advertising Use for related requirements
  • See also A.2.2.7: Records Related to Processing PII for related requirements

The guidance acknowledges a practical reality: processors are not legal advisors and their ability to identify infringing instructions will vary. A processor with deep domain expertise in healthcare data may be well-placed to identify instructions that violate health data regulations, while a general-purpose cloud provider may not. The qualifier “in its opinion” recognises this limitation — the obligation is to flag concerns, not to provide definitive legal analysis.

How does this map to GDPR?

Control A.2.2.5 maps to the following GDPR article:

  • Article 28(3)(h) — The processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions

GDPR Article 28(3)(h) makes this an explicit legal obligation for processors operating under EU law. The GDPR adds the word “immediately,” emphasising the urgency of the notification requirement.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.2.5 as a standalone control with concise but clear implementation guidance in B.2.2.5. See the Annex F correspondence table for the full mapping.

What evidence do auditors expect?

When assessing compliance with A.2.2.5, auditors will typically look for:

  • Escalation procedure — A documented procedure for staff to raise concerns when they believe a customer instruction may infringe applicable legal requirements
  • Notification records — Records of any occasions where the processor has informed a customer that an instruction may infringe the law, including the instruction in question, the concern raised, the customer’s response and the outcome
  • Legal awareness — Evidence that key personnel have sufficient understanding of applicable data protection law to identify potentially infringing instructions
  • Contract terms — Contract clauses that establish the processor’s right and obligation to flag infringing instructions, and that protect the processor from liability for refusing to comply with unlawful instructions
  • Training records — Training covering staff awareness of the obligation to flag potentially unlawful instructions

What are the related controls?

  • A.2.2.3 Organization’s purposes: Instructions that expand purposes beyond what is lawful should be flagged
  • A.2.2.2 Customer agreement: The contract should address the processor’s obligation to flag infringing instructions
  • A.3.13 Legal and regulatory requirements: Understanding applicable legal requirements is a prerequisite for identifying infringements
  • A.2.2.6 Customer obligations: Flagging infringing instructions helps the customer meet its own compliance obligations
  • A.3.17 Awareness and training: Staff need training to recognise potentially infringing instructions

Who does this control apply to?

A.2.2.5 applies exclusively to PII processors. It places the obligation on the processor to proactively flag concerns about the legality of customer instructions. This does not make the processor a legal advisor, but it does require the processor to exercise reasonable judgement based on its knowledge and expertise. The control applies to all customer instructions, whether given at contract inception, during the engagement or as ad-hoc requests.

Why choose ISMS.online for managing compliance obligations?

ISMS.online provides practical tools for managing your obligation to flag infringing instructions:

  • Escalation workflows — Create documented escalation procedures for staff to raise concerns about customer instructions, with audit trail and resolution tracking
  • Notification register — Maintain a register of all notifications sent to customers about potentially infringing instructions, including the instruction, concern, response and outcome
  • Legal requirement tracking — Track applicable legal requirements across jurisdictions, so your team knows which rules to watch for when assessing customer instructions
  • Training management — Deliver and track training on recognising infringing instructions, with competency assessment
  • Contract management — Ensure your contract templates include clauses addressing the right and obligation to flag infringing instructions

FAQs

What should the processor do if the customer insists on the instruction?

If the customer insists on an instruction that the processor believes infringes applicable law, the processor has fulfilled its obligation by informing the customer. The processor should document the notification and the customer’s response. However, the processor should not blindly comply: knowingly participating in unlawful processing could expose the processor to its own legal liability. In serious cases, the processor may need to seek legal advice and may ultimately need to refuse the instruction or terminate the contract, depending on the severity of the potential infringement.


Does the processor need to proactively monitor for infringements?

The control requires the processor to inform the customer when, in its opinion, an instruction infringes the law. This implies a reasonable level of awareness rather than comprehensive legal monitoring. The guidance acknowledges that the processor’s ability to verify infringements depends on context, the instruction and the contract. Processors are not expected to perform legal audits of every instruction but should flag concerns that arise through normal business operations and professional judgement.


How quickly must the processor notify the customer?

ISO 27701:2025 does not specify a timeframe, but GDPR Article 28(3)(h) requires immediate notification. Best practice is to notify the customer as soon as the concern is identified, before carrying out the instruction. This allows the customer to reconsider the instruction, seek legal advice or provide clarification before any potentially infringing processing takes place.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.