What does control A.2.5.2 require?
The organization shall inform the customer in a timely manner of the basis for PII transfers between jurisdictions and of any intended changes in this regard, so that the customer can object to such changes or terminate the contract.
This control sits within the PII Processor controls annex (A.2) and addresses one of the most complex areas of data protection: cross border transfers. When a processor transfers PII across jurisdictional boundaries, the controller needs to know the legal basis for that transfer. If the basis changes, the controller must have the opportunity to object or terminate the arrangement before the change takes effect.
What does the Annex B implementation guidance say?
Annex B (section B.2.5.2) provides the following guidance:
- Document the legal basis — The organisation must document compliance with legal requirements as the basis for the transfer
- Inform customers of transfers — Must inform the customer of transfers to suppliers, other parties, other countries or other organisations
- Advance notification — Must inform the customer in advance so they can object to changes or terminate the contract
- Contractual flexibility clauses — Agreements can include clauses permitting the organisation to implement changes without prior notification, subject to defined limits
- Transfer mechanisms — For international transfers, identify model contract clauses, binding corporate rules (BCRs), cross border privacy rules and the specific countries and circumstances involved
- See also A.2.5.5: Notification of PII Disclosure Requests for related requirements
- See also A.2.5.6: Legally Binding PII Disclosures for related requirements
The guidance makes clear that transparency is the default position. The processor must proactively inform the controller about the legal basis for transfers, not wait for the controller to ask. Where contractual flexibility clauses exist, they must have defined limits and cannot be used to circumvent the controller’s right to oversight.
How does this map to GDPR?
Control A.2.5.2 maps to the following GDPR articles:
- Article 44 — General principle for transfers: transfers only take place if GDPR conditions are met
- Article 46(1) — Appropriate safeguards for transfers in the absence of an adequacy decision
- Article 46(2)(a-f) — Specific safeguards including binding corporate rules, standard contractual clauses, codes of conduct and certification mechanisms
- Article 46(3)(a-b) — Contractual clauses and administrative arrangements authorised by supervisory authorities
- Article 48 — Transfers or disclosures not authorised by Union law
- Article 49(1)(a-g) — Derogations for specific situations including explicit consent, contractual necessity and vital interests
- Article 49(2-6) — Conditions and limitations for derogation-based transfers
This is one of the most extensively mapped controls in the standard, reflecting the complexity of GDPR’s transfer framework. Processors must be able to identify and document which specific GDPR mechanism applies to each transfer.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.5.2 as a standalone control with implementation guidance in B.2.5.2 that adds explicit coverage of binding corporate rules, model contract clauses and cross border privacy rules as transfer mechanisms. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.2.5.2, auditors will typically look for:
- Transfer impact assessments — Documented assessments of the legal basis for each cross border transfer, including the specific GDPR mechanism relied upon
- Customer notifications — Records of notifications sent to customers about the basis for transfers, including dates sent and any customer responses or objections
- Change management records — Evidence that customers are informed in advance of any intended changes to transfer arrangements, with sufficient time to object or terminate
- Transfer mechanisms documentation — Copies of standard contractual clauses, binding corporate rules, adequacy decisions or other mechanisms relied upon for each transfer
- Contractual provisions — Contract clauses addressing cross border transfers, including any flexibility clauses and their defined limits
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.5.3 Countries for PII transfer | Documents the specific countries to which PII can be transferred |
| A.2.5.7 Disclosure of subcontractors | Subcontractor disclosures include the countries where they process PII |
| A.2.4.4 PII transmission controls | Technical controls for securing PII during cross border transmission |
| A.2.2.2 Customer agreement | Transfer basis and notification procedures should be specified in the contract |
| A.2.5.4 Records of PII disclosures | Cross border transfers to third parties should be recorded as disclosures |
Who does this control apply to?
A.2.5.2 applies exclusively to PII processors. Controllers are legally responsible for ensuring that cross border transfers comply with data protection law, but they cannot fulfil this obligation without transparency from their processors. This control ensures that processors inform controllers of the legal basis for transfers and give them the opportunity to object before any changes take effect.
Why choose ISMS.online for cross border transfer management?
ISMS.online provides practical tools for managing cross border PII transfers:
- Transfer mapping — Map all cross border data flows, documenting the legal basis, transfer mechanism and destination country for each transfer
- Notification workflows — Manage customer notifications about transfer arrangements and changes with tracked communications and response recording
- Document management — Store standard contractual clauses, BCRs and adequacy decision references alongside each transfer record
- Change management — Track proposed changes to transfer arrangements through approval workflows, ensuring customers are notified before changes take effect
- Compliance dashboard — Monitor the status of all cross border transfers, their legal bases and notification status from a single view
FAQs
What counts as a transfer between jurisdictions?
A transfer between jurisdictions occurs whenever PII moves from one legal jurisdiction to another. This includes physical transfers (shipping media between countries), electronic transfers (transmitting data to servers in another country), remote access (allowing staff in another country to access PII stored locally) and cloud processing (using cloud services that store or process data in multiple regions). Even temporary transfers, such as data passing through a network node in another jurisdiction, may qualify depending on the applicable law.
How much notice should customers receive before transfer changes?
The standard requires “timely” notification but does not specify a minimum notice period. The notice period should be sufficient for the customer to evaluate the change, conduct any necessary assessments (such as a transfer impact assessment), and either accept the change, negotiate modifications or terminate the contract. A minimum of 30 days is common practice, but the specific period should be defined in the contract based on the complexity and sensitivity of the processing.
Can a contract allow transfers without prior customer notification?
The Annex B guidance acknowledges that agreements can include clauses permitting the organisation to implement changes without prior notification, but these clauses must have defined limits. In practice, such clauses typically apply to transfers within the same legal framework (for example, between EU member states where adequacy is automatic) rather than to transfers to jurisdictions with significantly different data protection standards. The controller’s right to oversight should not be undermined by overly broad flexibility clauses.