
What does control A.1.5.2 require?

The organisation shall identify and document the relevant basis for transfers of PII between jurisdictions.

This control sits within the PII transfer objective (A.1.5), which ensures organisations have robust mechanisms for managing the cross-border movement of personal data. It is one of the final controller-specific controls in Annex A and underpins every other transfer control in the group.

What does the implementation guidance say?

Annex B (section B.1.5.2) provides the following guidance:

  • Identify the legal mechanisms available for international transfers, such as adequacy decisions, standard contractual clauses, binding corporate rules, explicit consent, or statutory derogations
  • Document the specific basis used for each transfer of PII between jurisdictions
  • Review the documented basis whenever legal frameworks change, for example when an adequacy decision is revoked or new legislation comes into force
  • Where multiple mechanisms are available, select and justify the most appropriate one based on the nature, volume and sensitivity of the PII being transferred

The guidance makes clear that simply relying on one blanket mechanism is unlikely to be sufficient. Each transfer flow should be assessed on its own merits, and the chosen basis should be defensible to both regulators and auditors.

How does this map to GDPR?

Control A.1.5.2 maps to a substantial block of GDPR provisions:

  • Article 44 — General principle for international transfers (transfers only with appropriate safeguards)
  • Article 45(1–9) — Transfers on the basis of an adequacy decision
  • Article 46(1–5) — Transfers subject to appropriate safeguards (SCCs, BCRs, codes of conduct)
  • Article 47(1–3) — Binding corporate rules
  • Article 48 — Transfers not authorised by Union law
  • Article 49(1–6) — Derogations for specific situations (explicit consent, contract necessity, public interest)
  • Article 30(1)(e) — Records of processing must include transfers to third countries
  • Article 15(2) — Right of access includes information about international transfers and safeguards

The breadth of this mapping reflects how central transfer mechanisms are to GDPR compliance. Organisations operating under both frameworks will find that satisfying A.1.5.2 goes a long way toward meeting Chapter V of the GDPR.

How does this relate to ISO 29100 privacy principles?

This control supports two ISO 29100 privacy principles:

  • Accountability — Documenting the legal basis for each transfer demonstrates accountability for cross-border data flows
  • Use, retention and disclosure limitation — Transfer basis documentation ensures PII is only disclosed across borders where there is a justified and documented reason to do so







What evidence do auditors expect?

When assessing compliance with A.1.5.2, auditors will typically look for:

  • Transfer mechanism register — A documented list of all cross-border PII transfers with the legal mechanism identified for each
  • Due diligence records — Evidence that the organisation assessed the adequacy of protection in the receiving jurisdiction
  • Executed transfer agreements — Copies of standard contractual clauses, BCRs, or equivalent instruments
  • Review records — Evidence of periodic reviews, especially following changes to legal frameworks (e.g. adequacy decisions being withdrawn)
  • Transfer impact assessments — Where required, documented assessments of the risks associated with specific transfers

What are the related controls?

| Control | Relationship |
|---|---|
| A.1.5.3 Countries and international organizations for PII transfer | Specifies where PII can be transferred; the basis identified in A.1.5.2 determines which destinations are permissible |
| A.1.5.4 Records of transfer of PII | Records each actual transfer, building on the basis documented here |
| A.1.5.5 Records of PII disclosures to third parties | Broader disclosure records that include cross-border transfers |
| A.1.2.9 Records of Processing PII | Transfer basis feeds into the overall records of processing activities |
| A.1.3.3 Information for PII Principals Determining information for PII principals | PII principals have the right to know the transfer basis and safeguards in place |

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was covered under Clause 7.5.1 (identify basis for PII transfer between jurisdictions). The 2025 control is substantively the same, but the restructured Annex A/B format provides a cleaner separation between the control statement and implementation guidance. The guidance now places additional emphasis on reviewing transfer mechanisms when legal frameworks change, reflecting the turbulence in international transfer law since 2019. See the Annex F correspondence table for the full mapping.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.





Why choose ISMS.online for managing international PII transfers?

ISMS.online provides practical tools for documenting and managing cross-border transfer mechanisms:

  • Transfer mechanism register — Map every cross-border data flow with its legal basis, receiving country and safeguards in a centralised register
  • Automated review reminders — Set review dates for transfer mechanisms and receive alerts when legal frameworks change or reviews are due
  • Document management — Store signed SCCs, BCRs and transfer impact assessments alongside the relevant transfer record
  • Audit-ready evidence packs — Export transfer documentation with full version history for certification audits
  • Cross-referencing — Link transfer records to processing activities, privacy impact assessments and data subject rights requests
  • Regulatory mapping — See how your transfer controls map to GDPR, ISO 27701 and other frameworks side by side

FAQs

What counts as a transfer between jurisdictions?

Any movement or disclosure of PII from one legal jurisdiction to another. This includes sending data to a cloud provider whose servers are in a different country, sharing PII with a group company in another jurisdiction, or allowing remote access from a different country. Even if data does not physically move, remote access from another jurisdiction can constitute a transfer under some privacy laws.


How often should transfer mechanisms be reviewed?

At planned intervals (typically annually) and whenever there is a significant change to the legal landscape. Examples of triggers include a court ruling invalidating a transfer mechanism, a new adequacy decision being issued or revoked, or changes to the data protection law in the receiving jurisdiction. The organisation should also review when the nature or volume of transferred PII changes materially.


Can consent be used as the sole basis for international transfers?

Consent is one of the recognised transfer mechanisms, but under GDPR it is treated as a derogation for specific situations (Article 49) rather than a primary mechanism. It must be explicit, informed and freely given. Regulators generally expect organisations to rely on more robust mechanisms such as adequacy decisions or SCCs for ongoing, systematic transfers, reserving consent for occasional or non-repetitive transfers.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
