ISO 27701 Clause 7.5.1 – Identify Basis for PII Transfer Between Jurisdictions

Purpose of Clause 7.5.1

From time to time, the need may arise to transfer PII between two distinct jurisdictions. When this occurs, organisations should justify and document the need for doing so.

Guidance on Clause 7.5.1

Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.

Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.







ISO 27701 Clause 7.5.2 – Countries and International Organizations to Which PII Can Be Transferred

Purpose of Clause 7.5.2

Organisations should keep a documented list of the countries and organisations that they could potentially transfer their PII to, under reasonable circumstances.

Guidance on Clause 7.5.2

Once they’ve formulated a list, organisations should make the information available to their customers, including any subcontracted PII operations (see ISO 27701 Clause 7.5.1).

In certain circumstances – especially in the case of criminal investigations – confidentiality laws may prevent the organisation from revealing the identity of destination countries and organisations in advance (see ISO 27701 Clauses 8.5.4 and 8.5.5).

Relevant ISO 27701 Clauses

  • ISO 27701 7.5.1
  • ISO 27701 8.5.4
  • ISO 27701 8.5.5

ISO 27701 Clause 7.5.3 – Records of Transfer of PII

Purpose of Clause 7.5.3

It’s vitally important that organisations keep an accurate record of PII transfers to third-party organisations.

Guidance on Clause 7.5.3

Organisations should be able to record PII that has been amended in any way (in line with the controller’s obligations and objectives), or transfers that are required before enacting a request from the PII principal to change or erase the PII.

Records should be subject to a proportional retention period, and should be subject to data minimisation rules that return only that which is needed to fulfil a specific objective.







ISO 27701 Clause 7.5.4 – Records of PII Disclosure to Third Parties

Purpose of Clause 7.5.4

Organisations should log any disclosure of PII to third parties, including the following three pieces of information:

  • What’s been disclosed.
  • Who the information has been disclosed to.
  • When the disclosure was made (date and time).

Guidance on Clause 7.5.4

It’s standard practice to disclose PII for a variety of reasons, throughout an organisation’s information processing operation.

Logs should be made of disclosures that occur during normal business practices, and any special circumstances that arise (i.e. regulatory or legal investigations).

Supporting GDPR Articles

Various elements of ISO 27701 Clause 7.5 are applicable within UK GDPR legislation. Take a look at the below table for the corresponding references.

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles |
|---|---|---|
| 7.5.1 | Identify Basis for PII Transfer Between Jurisdictions | Articles (15), (44), (45), (46), (47), (49) |
| 7.5.2 | Countries and International Organisations to Which PII Can Be Transferred | Articles (15), (30) |
| 7.5.3 | Records of Transfer of PII | Article (30) |
| 7.5.4 | Records of PII Disclosure to Third Parties | Article (30) |

How ISMS.online Helps

The ISMS.online platform offers integrated assistance at every stage, and our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701, to make the process much easier.

You will also benefit from a variety of time-saving features.

We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

It’s easy to set up and run different kinds of privacy assessment, from data protection impact assessments to regulatory or compliance readiness ones.


Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
