What does control A.1.5.4 require?
The organisation shall record transfers of PII to or from third parties and ensure cooperation with those parties to support future requests related to obligations to the PII principals.
This control sits within the PII transfer objective (A.1.5) in the PII controller controls. While A.1.5.2 Basis for PII Transfer identifies the legal basis and A.1.5.3 Countries for PII Transfer documents the destinations, A.1.5.4 creates the operational record of what actually moved.
What does the implementation guidance say?
Annex B (section B.1.5.4) provides the following guidance on what transfer records should contain:
- What PII was transferred — The categories and volume of PII included in each transfer
- To whom — The identity of the receiving party, including their role (controller, processor, sub-processor)
- When — The date and, where relevant, the time of the transfer
- Legal basis — The documented basis under which the transfer was made
- Cooperation provisions — Arrangements to ensure the receiving party can cooperate on PII principal requests, such as access, rectification or erasure
Records should be maintained for the retention period defined in the organisation’s data retention policy. The guidance emphasises that cooperation provisions are not optional extras; they are integral to fulfilling ongoing obligations to PII principals whose data has been transferred.
How does this map to GDPR?
Control A.1.5.4 maps to GDPR Article 30(1)(e), which requires records of processing activities to include information about transfers to third countries or international organisations, including the identification of the recipient and, where applicable, the documentation of suitable safeguards.
The cooperation element aligns with the broader GDPR requirement for controllers to facilitate the exercise of data subject rights (Articles 12–22), even when PII has been shared with third parties.
How does this relate to ISO 29100 privacy principles?
This control supports the ISO 29100 principle of Accountability. Maintaining detailed transfer records demonstrates that the organisation can account for where PII has gone and can trace it through the processing chain when questions arise.
What evidence do auditors expect?
When assessing compliance with A.1.5.4, auditors will typically look for:
- Transfer log — A chronological record of PII transfers showing what was transferred, to whom, when, and under what legal basis
- Cooperation agreements — Contractual provisions or documented arrangements requiring receiving parties to cooperate on PII principal requests
- Data processing agreements — Executed agreements with third parties that include cooperation clauses for data subject rights
- Evidence of cooperation in practice — Records showing that cooperation has been tested, for example when a PII principal exercised their rights and the receiving party assisted
- Retention compliance — Evidence that transfer records are maintained for the defined retention period
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.5.2 Identify basis for PII transfer | The legal basis documented in A.1.5.2 Basis for PII Transfer is recorded against each transfer |
| A.1.5.3 Countries for PII transfer | Transfers should only go to documented and approved destinations |
| A.1.5.5 Records of PII disclosures | Disclosure records complement transfer records, covering disclosures that may not involve a formal transfer |
| A.1.3.7 Access, Correction or Erasure Access to PII | Cooperation provisions ensure PII principals can exercise access rights across the transfer chain |
| A.1.3.7 Access, Correction or Erasure | Cooperation is essential to ensure erasure requests can be fulfilled by receiving parties |
| A.1.2.9 Records of Processing PII | Transfer records form part of the broader records of processing activities |
What changed from ISO 27701:2019?
In the 2019 edition, this requirement was covered under Clause 7.5.3 (records of PII transfer). The core requirement is unchanged, but the 2025 guidance provides more explicit detail on the content of transfer records and places stronger emphasis on cooperation provisions with receiving parties. The restructured Annex A/B format separates the control statement from the detailed implementation guidance more clearly. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for recording PII transfers?
ISMS.online provides purpose-built tools for maintaining comprehensive transfer records:
- Transfer log — Record every PII transfer with structured fields for recipient, PII categories, date, legal basis and cooperation status
- Third-party management — Link transfer records to supplier profiles with data processing agreements and cooperation clauses attached
- Data subject request tracking — When a PII principal exercises their rights, trace their data through the transfer chain and coordinate with receiving parties
- Retention management — Automatically flag transfer records approaching their retention limit for review or disposal
- Compliance dashboards — See at a glance which transfers have complete documentation and which need attention
FAQs
What level of detail is needed in transfer records?
Transfer records should be detailed enough to identify the specific PII categories transferred, the receiving party, the date, and the legal basis. You do not need to record every individual data field, but the categories should be meaningful (e.g. “employee contact details and payroll data” rather than just “personal data”). The level of detail should support the organisation’s ability to respond to PII principal requests and demonstrate compliance to auditors.
How should cooperation with third parties be documented?
Cooperation provisions should be included in data processing agreements or equivalent contracts. These should specify response times for PII principal requests, the process for forwarding requests, responsibilities for assisting with erasure or rectification, and escalation procedures. It is good practice to test these cooperation mechanisms periodically rather than waiting for a live request to discover that they do not work.
Do internal transfers between group companies count?
Yes, if the group companies are separate legal entities. Each legal entity is a distinct controller or processor, so transfers between them are transfers to third parties for the purposes of this control. Intra-group data sharing agreements should include the same cooperation provisions as external agreements, and the transfers should be recorded in the transfer log.








