
Customer-oriented description of personal data return, transfer and disposal processes for offered cloud services


Personal data related to the offered cloud services needs to be disposed of properly and in accordance with storage limitation principles. Disposal can involve returning the data to the customer on request, transferring it to another company (e.g. as a result of a merger), or securely destroying, anonymizing or archiving it.

The organisation should have a clear written description of the retention period and of the return, transfer and disposal mechanisms for personal data. This description should be made available to the customer.

Using this description, the customer should be able to understand how the organisation will ensure that the personal data processed under a contract is erased (also by any of its sub-contractors) from all storage locations (including, e.g., those used for backup purposes) as soon as the data is no longer necessary for the customer.

Other connected frameworks and requirements:
ISO 27018, A.10.3: PII return, transfer and disposal
ISO 27701, A.8.4.2: Return, transfer or disposal of PII