The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
EDPB, Guidelines 7/2020 on the Concepts of Controller and Processor in the GDPR (2020).
Data Protection Commission (Ireland), Data Protection Considerations Relating to Receivership (2020).
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 29 GDPR:
8.2.2 Organization’s purposes
Control
The organization should ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer.
Implementation guidance
The contract between the organization and the customer should include, but not be limited to, the objective and time frame to be achieved by the service.
In order to achieve the customer’s purpose, there can be technical reasons why it is appropriate for the organization to determine the method for processing PII, consistent with the general instructions of the customer but without the customer’s express instruction. For example, in order to efficiently utilize network or processing capacity it can be necessary to allocate specific processing resources depending on certain characteristics of the PII principal.
The organization should allow the customer to verify their compliance with the purpose specification and limitation principles. This also ensures that no PII is processed by the organization or any of its subcontractors for other purposes than those expressed in the documented instructions of the customer.