Answer yes if you have processes or policies which ensure data is only processed in the way in which your data controller has requested, and you have written instructions from the controller describing this. Please describe in the notes how you obtain these instructions from data controllers and how you ensure data is not processed in any way outside of the documented written instructions.
If you process personal data on behalf of another party, you must only do so under their specific, documented instructions. This means you cannot make decisions about what data is collected, how the data is used, who to share the data with or how long it is kept for.
You must have provisions in place to identify the data for which you cannot make these decisions, and to ensure that this data is only processed in ways explicitly requested by the data controller.
The ICO has published guidance detailing the responsibilities of a data processor.
You should ensure you have mechanisms in place to identify data which you are processing on behalf of others, along with technical and procedural controls to ensure this data is not processed in any other way. There are many ways you could do this, depending on your organisation and the nature of the processing. Examples include technical tags on certain data sets, training and education for relevant personnel, and checkpoints for personal data within change management processes.