Processor (PII Processor) obligations — ISO 27701 controller relationship
Primary statement
Processor obligations per ISO 27701 A.2.x: written contract (A.1.2.7 + A.2.2.1) + processor own-purposes restriction (A.2.2.2) + infringing instruction notification (A.2.2.4) + customer obligations support (A.2.2.5). Plus DPDPA processor agreement flow-down (Section 8(2)) + GDPR Article 28 + CCPA service provider qualification + CSA cloud-specific processor controls. Processor obligations are layered with controller flow-down.
Audit-fatigue payoff
A unified processor controls programme — ISO 27701 A.2.x compliance + DPDPA flow-down + GDPR Art 28 + CCPA Reg 7050 — satisfies processor obligations across all 6 contributing frameworks. ISO 27701 A.2 IS the processor-side certification standard.
Strictness matrix
Scope
Scope: all PII processing on behalf of customers (controllers). Written contract or equivalent customer agreement governs every processing engagement.
Ceiling source: iso27701:A.2.2.1
Rationale: ISO 27701 A.2.2.1 universal-contract scope is the audit-defensible specification.
Threshold
Threshold: PII processed on behalf of a customer SHALL NOT be used for the processor's own purposes — including marketing, profiling, derived datasets, and ML training. This is a binary qualifier: any own-purpose use fails it.
Ceiling source: iso27701:A.2.2.2
Rationale: ISO 27701 A.2.2.2 own-purposes restriction is the binary threshold separating processor from controller.
Method
Method: written contract with mandatory terms (scope, duration, purposes, security, sub-processors, deletion); own-purposes restriction; infringing-instruction notification (A.2.2.4); customer obligations support to PII principals (A.2.2.5); DPDPA Section 8(2) flow-down; GDPR Art 28 sub-processor management.
Ceiling source: iso27701:A.1.2.7
Rationale: ISO 27701 A.1.2.7 + A.2.2.x combined are the most prescriptive method.
Frequency
Contract review: annual minimum + on material change. Sub-processor authorisation: per engagement. Infringing instruction notification: real-time.
Ceiling source: iso27701:A.2.2.1
Rationale: Annual contract review (plus review on material change) with per-engagement sub-processor authorisation is the minimum cadence.
Evidence
Evidence: processor agreements + own-purposes restriction implementation + infringing-instruction notification procedure + customer obligations support records + sub-processor authorisation records.
Ceiling source: iso27701:A.2.2.1
Rationale: ISO 27701 A.2.2.1 evidence is the audit-defensible specification.
Auditor test pattern
Step 1: Inspect the processor agreement template. Step 2: Sample 3 active customer engagements and verify each contract contains the mandatory terms. Step 3: Verify the own-purposes restriction is implemented, not merely documented. Step 4: Verify the infringing-instruction notification procedure exists and has been exercised. Step 5: Verify sub-processor authorisation records per engagement.
Common findings
Common findings: (1) Pre-existing contracts not updated to the current template; (2) Own-purposes restriction theoretical only — derived datasets used for ML training; (3) Infringing-instruction notification procedure absent; (4) Sub-processor authorisation skipped.