What does control A.2.4.2 require?
The organization shall ensure that temporary files created as a result of the processing of PII are disposed of (e.g. erased or destroyed) following documented procedures within a specified, documented period.
This control sits within the PII Processor controls annex (A.2) and addresses a commonly overlooked privacy risk: temporary files. Information systems routinely generate temporary files during normal operations, and these files can contain PII that persists long after the original processing task has been completed. Without documented disposal procedures, temporary files become an uncontrolled source of personal data retention.
What does the Annex B implementation guidance say?
Annex B (section B.2.4.2) provides the following guidance:
- Periodic verification — The organisation should periodically verify that unused temporary files are deleted within the identified time period
- Types of temporary files — Information systems create temporary files in normal operation, including roll-back journals, database temporary files and application temporary files
- Retention after task completion — Temporary files are not needed after task completion but sometimes cannot be deleted immediately
- Garbage collection — A garbage collection process should identify temporary files and record how long since each was last used, enabling systematic disposal
- See also A.2.3.2: Comply with Obligations to PII Principals for related requirements
- See also A.2.4.4: PII Transmission Controls for related requirements
The guidance makes clear that organisations need a systematic approach to managing temporary files. Ad hoc cleanup is not sufficient. A garbage collection mechanism should regularly scan for temporary files, determine their age and dispose of those that have exceeded the documented retention period.
How does this map to GDPR?
Control A.2.4.2 maps to the following GDPR article:
- Article 5(1)(c) — Data minimisation — Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Retaining PII in temporary files beyond the point of necessity directly violates this principle
The data minimisation principle requires that personal data is limited to what is necessary for the purpose; retaining it past that point also engages the storage limitation principle in Article 5(1)(e), even though Annex D maps this control to 5(1)(c). Temporary files that contain PII but serve no ongoing purpose are exactly this kind of unnecessary retention. Automated disposal mechanisms support compliance by removing these files systematically rather than relying on someone remembering to clean up.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this control mapped to ISO 27018 A.5.1 and ISO 29151 A.7.2. The 2025 edition consolidates these references into a standalone control A.2.4.2 with dedicated implementation guidance in B.2.4.2. The practical requirements remain consistent, but the 2025 structure provides clearer guidance on garbage collection mechanisms and periodic verification. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.2.4.2, auditors will typically look for:
- Documented disposal procedures — Written procedures specifying how temporary files are identified, the documented retention period and the method of disposal (erasure or destruction)
- Defined retention periods — A specified, documented time period within which temporary files must be disposed of after they are no longer needed
- Garbage collection mechanisms — Evidence of automated or scheduled processes that identify and dispose of temporary files, including logs showing when these processes run
- Periodic verification records — Records demonstrating that the organisation periodically checks whether unused temporary files are being deleted within the specified time period
- System inventory — An inventory of systems that create temporary files containing PII, including the types of temporary files generated (roll-back journals, database temp files, application temp files)
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.4.3 Return, transfer or disposal of PII | Broader PII disposal obligations that complement temporary file disposal |
| A.2.2.2 Customer agreement | The contract may specify temporary file retention periods and disposal requirements |
| A.3 Shared security controls | Security controls for data storage and media handling apply to temporary file management |
| A.2.2.7 Records of processing | Temporary file disposal should be recorded as part of processing records |
| Annex D GDPR mapping | Maps to GDPR Article 5(1)(c) on data minimisation |
Who does this control apply to?
A.2.4.2 applies exclusively to PII processors. Processors often create temporary files during data processing activities on behalf of controllers, and these files may contain copies of the PII being processed. The controller may not even be aware that these temporary files exist. This control places the obligation on the processor to manage and dispose of temporary files systematically, preventing PII from persisting in overlooked system artefacts.
Why choose ISMS.online for temporary file management?
ISMS.online provides practical tools for managing temporary file disposal obligations:
- Policy management — Create and maintain documented temporary file disposal procedures with version control, approval workflows and automated review reminders
- Asset inventory — Map systems that generate temporary files containing PII, linking each to its documented retention period and disposal method
- Task scheduling — Schedule periodic verification tasks to confirm that garbage collection processes are running and temporary files are being disposed of within the specified period
- Evidence collection — Store verification records and garbage collection logs as structured audit evidence, ready for internal or external review
- Control mapping — Link temporary file controls to related ISO 27701 requirements and GDPR articles, demonstrating a joined up approach to data minimisation
FAQs
What types of temporary files typically contain PII?
Common examples include database temporary tables used during query processing, roll-back journals that store transaction data for recovery purposes, application cache files, session files, print spool files, export staging files, ETL (extract, transform, load) intermediate files and log files that capture PII during processing. Any system that processes PII may generate temporary files as part of its normal operation, so a comprehensive inventory is essential.
How long should temporary files be retained?
The standard requires a “specified, documented period” but does not prescribe a duration. The appropriate retention period depends on the type of file and the processing context. Roll-back journals may need to be retained until a transaction is confirmed, while application cache files may be safe to delete as soon as the session ends. The key requirement is that the period is documented, justified and consistently enforced; a scheduled garbage collection process is the usual way to enforce it.
What is a garbage collection process in this context?
Garbage collection refers to a systematic process that identifies temporary files, determines how long since each was last used and disposes of files that have exceeded their documented retention period. This can be implemented through automated scripts, scheduled tasks, operating system cleanup utilities or application level cleanup routines. The process should run on a regular schedule and produce logs that can be reviewed during periodic verification and presented to auditors as evidence of compliance. Two practical caveats: “last used” cannot be read reliably from file access times on systems mounted with noatime or relatime, so modification time is usually the more dependable signal; and a plain delete unlinks the file but does not erase its contents, so where the procedure says “erased” the organisation should state what that means on its storage (overwrite, volume encryption with key destruction, or media destruction).
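The garbage collection mechanism described in the Annex B guidance above and in this FAQ, as an added example that is not part of the original page and not any vendor's code. It scans for temporary files matching documented patterns, ages each file from the later of its access and modification time, overwrites and unlinks files older than the retention period, appends a JSON-lines audit record for every file it examined, and exposes a separate verification check that lists any stale files still present. The directory layout, the `*.tmp` naming pattern, the seven-day retention period and the sample export files are all assumptions constructed for the demonstration.

```python
"""Temporary-file garbage collection with an audit log and a verification check.

Added example: not part of the page. Patterns, retention period and sample
files below are constructed assumptions, not values from the standard.
"""
import json
import os
import tempfile
import time
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Iterable, List, Optional


@dataclass
class DisposalRecord:
    path: str
    age_seconds: float
    action: str  # "disposed", "retained", "would_dispose" or "error"
    detail: str = ""


def last_used(path: Path) -> float:
    """Best-effort 'last used' timestamp.

    atime is frozen or lazily updated on noatime/relatime mounts, so take the
    later of atime and mtime instead of trusting atime alone.
    """
    st = path.stat()
    return max(st.st_atime, st.st_mtime)


def find_temp_files(root: Path, patterns: Iterable[str]) -> List[Path]:
    """Enumerate regular files under root matching the documented temp-file patterns."""
    found = set()
    for pattern in patterns:
        found.update(p for p in root.rglob(pattern) if p.is_file() and not p.is_symlink())
    return sorted(found)


def dispose(path: Path, overwrite: bool = True) -> None:
    """Erase a file by overwriting with zeros, syncing, then unlinking.

    Overwriting is best effort only: on SSDs, copy-on-write or journaling
    filesystems the old blocks may survive. Treat volume encryption or media
    destruction as the strong guarantee and record which one the procedure relies on.
    """
    if overwrite:
        remaining = path.stat().st_size
        with open(path, "r+b") as fh:
            while remaining > 0:
                chunk = min(remaining, 1 << 20)
                fh.write(b"\x00" * chunk)
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())
    path.unlink()


def run_garbage_collection(root: Path, patterns: Iterable[str], retention_seconds: float,
                           log_path: Path, now: Optional[float] = None,
                           dry_run: bool = False) -> List[DisposalRecord]:
    """Dispose of temp files older than retention_seconds; log every file examined."""
    now = time.time() if now is None else now
    records: List[DisposalRecord] = []
    for p in find_temp_files(root, patterns):
        age = now - last_used(p)
        if age <= retention_seconds:
            records.append(DisposalRecord(str(p), age, "retained"))
        elif dry_run:
            records.append(DisposalRecord(str(p), age, "would_dispose"))
        else:
            try:
                dispose(p)
                records.append(DisposalRecord(str(p), age, "disposed"))
            except OSError as exc:
                records.append(DisposalRecord(str(p), age, "error", str(exc)))
    with open(log_path, "a", encoding="utf-8") as log:  # one JSON line per file = audit evidence
        for r in records:
            log.write(json.dumps({"ts": now, **asdict(r)}) + "\n")
    return records


def verify_no_stale_files(root: Path, patterns: Iterable[str], retention_seconds: float,
                          now: Optional[float] = None) -> List[str]:
    """Periodic verification: temp files still present beyond the retention period."""
    now = time.time() if now is None else now
    return [str(p) for p in find_temp_files(root, patterns)
            if now - last_used(p) > retention_seconds]


def demo() -> dict:
    """Constructed scenario: one 10-day-old export file, one 1-hour-old, 7-day retention."""
    root = Path(tempfile.mkdtemp(prefix="pii-gc-"))
    now = 1_700_000_000.0  # fixed clock so the result is deterministic
    old = root / "exports" / "batch_001.tmp"
    new = root / "exports" / "batch_002.tmp"
    old.parent.mkdir()
    old.write_bytes(b"name,email\nalice,alice@example.com\n")  # constructed sample PII
    new.write_bytes(b"name,email\nbob,bob@example.com\n")
    os.utime(old, (now - 10 * 86400, now - 10 * 86400))
    os.utime(new, (now - 3600, now - 3600))
    retention = 7 * 86400
    recs = run_garbage_collection(root, ["*.tmp"], retention, root / "gc.log", now=now)
    return {
        "actions": sorted(r.action for r in recs),
        "old_exists": old.exists(),
        "new_exists": new.exists(),
        "stale_after_gc": verify_no_stale_files(root, ["*.tmp"], retention, now=now),
        "log_lines": len((root / "gc.log").read_text().splitlines()),
    }


if __name__ == "__main__":
    print(demo())
```

Run the verification function on its own schedule, separate from the collector, so the "periodic verification" evidence is produced by a check that would still fail if the collector silently stopped running. Keep `dry_run=True` for the first runs on a new system so the log shows what would have been removed before anything is erased.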