
Restriction of processing for personal data processed on behalf of a customer


When an organization offers, for example, digital services to a customer, the contract between the organization and the customer must specify details such as the goal of the service and the schedule for its delivery.

The organization must ensure that personal data processed on behalf of the customer is processed only for the purposes stated in the customer's written instructions.

The customer must also be given the opportunity to verify that the organization operates in accordance with the instructions. This ensures that the organization and its subcontractors process personal data only for the purposes indicated by the customer.

Other connected frameworks and requirements:
A.8.2.2: Organization's purposes
ISO 27701