What does control A.2.4.3 require?
The organization shall be able to return, transfer or dispose of PII in a secure manner. It shall also make its policy available to the customer.
This control sits within the PII Processor controls annex (A.2) and addresses what happens to PII at the end of a processing relationship. When a contract ends, the processor must be capable of returning the data to the controller, transferring it to another processor or securely disposing of it. The processor’s policy for handling end of contract data must be transparent and available to the customer.
What does the Annex B implementation guidance say?
Annex B (section B.2.4.3) provides the following guidance:
- Multiple options — End of contract data handling can involve returning PII to the customer, transferring it to another organisation, deleting it, de-identifying it or archiving it
- Comprehensive erasure — The organisation must provide assurance that PII is erased from everywhere, including backups, as soon as it is no longer necessary for the original purpose
- Disposal policy — The organisation must develop a disposal policy and make it available to customers
- Post-termination retention — The disposal policy should cover the retention period after contract termination, specifying how long data will be retained before final disposal
- See also A.2.4.4: PII Transmission Controls for related requirements
The guidance emphasises completeness. Disposing of PII from production systems while leaving copies in backups is insufficient. The processor must ensure that all copies of the PII, including those in backup systems, disaster recovery environments and archived storage, are identified and disposed of within the documented retention period.
How does this map to GDPR?
Control A.2.4.3 maps to the following GDPR articles:
- Article 28(3)(g) — The processor shall, at the choice of the controller, delete or return all personal data to the controller after the end of the provision of services and delete existing copies unless Union or Member State law requires storage
- Article 30(1)(f) — A general description of the technical and organisational security measures, including those for data disposal
GDPR Article 28(3)(g) gives the controller the right to choose between deletion and return of data. The processor must support both options. The only exception is where Union or Member State law requires the processor to retain certain data, in which case the legal basis for retention must be documented.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.4.3 as a standalone control with implementation guidance in B.2.4.3 that specifically addresses backup erasure, policy transparency and post-termination retention periods. The explicit requirement to make the disposal policy available to customers is a notable emphasis. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.2.4.3, auditors will typically look for:
- Documented disposal policy — A written policy covering the return, transfer and disposal of PII, including methods of secure deletion, de-identification and archiving
- Customer availability — Evidence that the disposal policy has been made available to customers, whether through contractual annexes, customer portals or direct provision
- Post-termination procedures — Documented procedures for handling PII after contract termination, including defined retention periods and the sequence of return, transfer and disposal steps
- Backup erasure capability — Evidence that the organisation can identify and erase PII from backup systems, disaster recovery environments and archived storage
- Disposal records — Records of past PII disposal activities, including certificates of destruction, confirmation of data return and evidence of backup erasure
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.4.2 Temporary files | Temporary file disposal is a component of the broader PII disposal obligation |
| A.2.2.2 Customer agreement | The contract should specify data return, transfer and disposal procedures |
| A.2.3.2 Obligations to PII principals | Data portability and erasure rights connect to disposal capabilities |
| A.2.2.6 Customer obligations | Disposal policies are part of the compliance information provided to customers |
| A.2.5.8 Engagement of subcontractors | Subcontractors must also comply with PII disposal requirements |
Who does this control apply to?
A.2.4.3 applies exclusively to PII processors. At the end of a processing relationship, the controller needs assurance that their data has been handled appropriately. If the processor cannot return or securely dispose of the data, the controller faces an ongoing compliance risk. This control ensures that processors have both the capability and the documented procedures to handle end of contract data management.
Why choose ISMS.online for PII disposal management?
ISMS.online provides practical tools for managing PII return, transfer and disposal:
- Policy management — Create and maintain your PII disposal policy with version control, approval workflows and automated review schedules, ensuring it stays current
- Contract tracking — Track disposal obligations per customer contract, including post-termination retention periods and the customer’s chosen disposal method
- Disposal workflow — Manage end of contract data disposal with structured workflows covering production systems, backups, disaster recovery and archived storage
- Evidence management — Store disposal certificates, return confirmations and backup erasure evidence as structured audit records
- Compliance mapping — Link disposal procedures to GDPR Article 28(3)(g) and related ISO 27701 controls, demonstrating a comprehensive approach
FAQs
How do you dispose of PII in backup systems?
Disposing of PII from backups is one of the most challenging aspects of this control. Options include: allowing backup media to expire within a defined rotation period (documenting the maximum retention time as the worst-case disposal date); using backup systems that support granular deletion of individual records; encrypting each customer's PII under a customer-specific key and destroying that key at contract end (crypto-shredding), which only works if the key was never written into the same backup set and every copy of it, including key-management backups and escrow, is destroyed; or implementing a backup exclusion policy that prevents the PII from being backed up after the disposal trigger. The chosen approach should be documented in the disposal policy and communicated to the customer.
What if legal requirements prevent disposal?
GDPR Article 28(3)(g) permits processors to retain personal data after contract termination if Union or Member State law requires it. Examples include tax records, financial transaction data or data subject to litigation hold. Where legal retention applies, the processor should document the specific legal basis, the scope of data retained, the retention period and the access restrictions applied. The customer should be informed of any legally mandated retention that will prevent complete disposal at contract end.
Should the disposal policy be included in the contract?
Yes. The disposal policy should either be included as a contractual annex or referenced in the data processing agreement with a mechanism for the customer to access the current version. This ensures that both parties have agreed on the disposal approach before processing begins. The contract should also specify the customer’s right to choose between return and deletion, any post-termination retention period and the format in which data will be returned if requested.