What does control A.1.3.8 require?
The organisation shall inform third parties with whom PII has been shared of any modification, withdrawal or objections pertaining to the shared PII, and implement appropriate policies, procedures or mechanisms to do so.
This control sits within the Obligations to PII principals objective (A.1.3). It recognises that data subject rights are only effective if they cascade beyond the controller. When you correct, erase or restrict PII in your own systems, third parties holding copies of that data need to be told to do the same.
What does the implementation guidance say?
Annex B (section B.1.3.8) provides guidance on establishing effective third-party notification procedures:
- Disclosure tracking — Maintain records of which third parties have received each category of PII. Without this, you cannot know who needs to be notified when a right is exercised
- Notification triggers — Establish clear triggers for third-party notification, including correction of inaccurate PII, erasure of PII, restriction of processing, and consent withdrawal
- Notification procedures — Document how notifications will be sent to third parties (email, API, portal) and the expected timeframes
- Confirmation of action — Where feasible, obtain confirmation from third parties that they have acted on the notification
- Exceptions — Document any circumstances where notification is impossible or involves disproportionate effort, and inform the PII principal accordingly
- See also A.1.3.2: Obligations to PII Principals for related requirements
- See also A.1.3.3: Determining Information for PII Principals for related requirements
The practical challenge of this control increases with the number of third parties and the complexity of data sharing arrangements. Automated notification systems and clear contractual obligations with processors and recipients are essential for organisations with extensive data sharing.
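As an added illustration (not code from this page or from ISMS.online), a minimal Python model of the disclosure register and notification cascade the guidance describes: category-level rows for ongoing processor sharing, the notification triggers, one notification record per affected recipient with confirmation tracking, and an exception entry where a recipient cannot be reached. The class, function names and sample register are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Disclosure:
    """One sharing event; bulk sharing with a processor is logged at category level."""
    recipient: str
    category: str             # category of PII, e.g. "contact", "payment"
    principal: Optional[str]  # None = category-level row covering all principals
    shared_on: str            # ISO date

REGISTER = [  # constructed sample data, not from any real system
    Disclosure("payroll-processor", "payment", None, "2024-01-10"),
    Disclosure("partner-a", "contact", "P-1001", "2024-03-02"),
    Disclosure("partner-b", "contact", "P-2002", "2024-03-05"),
    Disclosure("partner-a", "payment", "P-1001", "2024-04-01"),
]

# Events that oblige the controller to notify recipients (B.1.3.8 / GDPR Art. 19).
TRIGGERS = {"correction", "erasure", "restriction", "consent_withdrawal", "objection"}

def affected_recipients(register, principal, category):
    """Recipients holding this principal's PII of this category (per-record and category-level rows)."""
    return sorted({d.recipient for d in register
                   if d.category == category and d.principal in (principal, None)})

def recipients_known_for(register, principal):
    """The recipient list a principal may request (Art. 19, second limb)."""
    return sorted({d.recipient for d in register if d.principal in (principal, None)})

def cascade(register, principal, category, trigger, sent_on, unreachable=()):
    """One notification record per affected recipient, or an exception entry if unreachable."""
    if trigger not in TRIGGERS:
        raise ValueError(f"'{trigger}' is not a third-party notification trigger")
    notices, exceptions = [], []
    for r in affected_recipients(register, principal, category):
        if r in unreachable:  # still has to be closed by informing the principal
            exceptions.append({"recipient": r, "trigger": trigger, "principal": principal,
                               "reason": "recipient unreachable", "principal_informed": False})
        else:
            notices.append({"recipient": r, "principal": principal, "category": category,
                            "trigger": trigger, "sent_on": sent_on, "confirmed_on": None})
    return notices, exceptions

def record_confirmation(notices, recipient, confirmed_on):
    """Close the evidence chain when a recipient confirms it acted on the notice."""
    for n in notices:
        if n["recipient"] == recipient and n["confirmed_on"] is None:
            n["confirmed_on"] = confirmed_on
            return True
    return False
```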
How does this map to GDPR?
Control A.1.3.8 maps directly to GDPR Article 19:
- Article 19 — Notification obligation regarding rectification or erasure of personal data or restriction of processing. The controller shall communicate any rectification, erasure or restriction to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort
- Article 19 also requires that the controller shall inform the data subject about those recipients if the data subject requests it
This is a frequently overlooked GDPR obligation. Supervisory authorities have noted that many organisations fulfil erasure requests in their own systems but fail to cascade the request to third parties who received the data. A robust notification process is essential for genuine compliance.
How does this relate to ISO 29100 privacy principles?
This control supports the Individual participation and access principle from ISO 29100. The principle requires that individuals can challenge the accuracy of their data and have it amended or deleted. For this right to be meaningful, amendments and deletions must propagate to all parties holding the data, not just the original controller.
What evidence do auditors expect?
When assessing compliance with A.1.3.8, auditors will typically look for:
- Disclosure register — A maintained record of which third parties have received PII, linked to categories of data and PII principals
- Notification procedures — Documented procedures for how and when third parties are notified of corrections, erasures, restrictions and objections
- Notification records — Evidence that notifications have actually been sent, with dates, content and recipient details
- Confirmation tracking — Where obtained, confirmation from third parties that they have acted on the notification
- Contractual provisions — Data processing agreements or data sharing agreements that obligate third parties to act on notification
- Exception documentation — Where notification was not possible, documented reasoning and evidence that the PII principal was informed
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.3.7 Access, correction or erasure | Corrections and erasures carried out under A.1.3.7 trigger the notification obligation |
| A.1.3.5 Modify or withdraw consent | Consent withdrawal affecting shared PII triggers third-party notification |
| A.1.3.6 Object to PII processing | Upheld objections affecting shared PII trigger third-party notification |
| A.1.2.9 Records related to processing PII | Processing records should document recipients, supporting the disclosure tracking needed here |
| A.1.5.2 Basis for PII Transfer Countries and international organisations transfers | International transfer records help identify third-party recipients in other jurisdictions |
| A.1.3.10 Handling requests | Third-party notification should be integrated into the request handling workflow |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was part of Clause 7.3.7 (Controllers’ obligations to inform third parties). The 2025 edition retains the core obligation under A.1.3.8 with guidance in B.1.3.8. The emphasis on maintaining disclosure records and having documented notification procedures remains central. The restructured format provides a clearer audit checkpoint for this specific obligation. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for third-party notification management?
ISMS.online helps you track disclosures and cascade data subject rights to third parties efficiently:
- Third-party disclosure register — Log every PII disclosure to third parties with dates, categories and purposes, so you always know who needs to be notified
- Automated notification workflows — When a correction, erasure or restriction is actioned, automatically generate notification tasks for each affected third party
- Confirmation tracking — Record when third parties acknowledge and act on notifications, creating a complete evidence chain from request to resolution
- Contract linkage — Link third-party relationships to data processing agreements that include notification obligations, ensuring contractual backing for operational procedures
- Disproportionate effort log — Where notification is not feasible, document the reasoning in a structured format that satisfies regulatory scrutiny
FAQs
How do you track which third parties have received specific PII?
This requires a disclosure log or register that records each time PII is shared with a third party, including the date, the category of PII shared, the identity of the recipient and the purpose. For bulk or ongoing data sharing (such as with processors), the record can be at the category level rather than individual record level. The key is that when a PII principal exercises a right, you can quickly identify all third parties who hold their data.
What counts as “disproportionate effort” for notification?
This is assessed on a case-by-case basis. Factors include the number of recipients, the cost of notification, the age of the data, the nature of the data and the potential impact on the PII principal. For example, notifying a small number of known business partners is unlikely to be disproportionate. Attempting to notify hundreds of unknown internet users who accessed publicly available data might be. The organisation must document its reasoning and inform the PII principal if notification cannot be carried out.
Does the PII principal have the right to know who the third parties are?
Yes. Under GDPR Article 19, the controller must inform the data subject about the recipients if the data subject requests it. This means you should be prepared to provide a list of third parties who have received the individual’s PII. This further reinforces the importance of maintaining accurate disclosure records. In your privacy notice, you should already be listing the categories of recipients, but on request you may need to provide specific identities.