
What does control A.2.5.4 require?

The organization shall record disclosures of PII to third parties, including which PII has been disclosed, to whom and when.

This control sits within the PII Processor controls annex (A.2) and addresses accountability for third party data sharing. Every time a processor discloses PII to a third party, whether to a subcontractor, a legal authority, an auditor or any other recipient, a record must be created. This record must capture the scope of data disclosed, the identity of the recipient and the date of disclosure.

What does the Annex B implementation guidance say?

Annex B (section B.2.5.4) provides the following guidance:

  • Normal operations — Record disclosures made during normal processing operations, such as transfers to subcontractors or data returns to customers
  • Non-routine disclosures — Also record additional disclosures arising from legal investigations or external audits
  • Source and authority — Records should include the source of the disclosure (who initiated it) and the source of authority (what legal or contractual basis authorised it)
  • See also A.2.5.2: Basis for PII Transfer Between Jurisdictions for related requirements
  • See also A.2.5.8: Engagement of a Subcontractor to Process PII for related requirements

The guidance makes clear that disclosure records must cover both routine and non-routine disclosures. Routine disclosures include regular data transfers to subcontractors as part of normal processing. Non-routine disclosures include responses to legal authority requests, external audit access and any other ad hoc sharing of PII with third parties.

How does this map to GDPR?

Control A.2.5.4 maps to the following GDPR article:

  • Article 30(1)(d) — The record of processing activities shall contain the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations

While GDPR Article 30 requires records of categories of recipients, ISO 27701 A.2.5.4 goes further by requiring records of specific disclosures, including exactly what PII was disclosed, to which specific recipient and on what date. This provides a more granular audit trail than the minimum GDPR requirement.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.5.4 as a standalone control with implementation guidance in B.2.5.4 that specifically addresses the recording of non-routine disclosures from legal investigations and external audits, and requires records to include the source of disclosure and authority. See the Annex F correspondence table for the full mapping.








What evidence do auditors expect?

When assessing compliance with A.2.5.4, auditors will typically look for:

  • Disclosure register — A maintained register or log of all PII disclosures to third parties, with entries for each disclosure event
  • Record completeness — Each record should include: the categories or specific items of PII disclosed, the identity of the recipient, the date and time of disclosure, the source of the disclosure (who initiated it) and the authority for the disclosure (legal basis or contractual provision)
  • Routine and non-routine coverage — Evidence that the register covers both routine operational disclosures (such as subcontractor transfers) and non-routine disclosures (such as legal authority requests and audit access)
  • Retention of records — Disclosure records retained for the period required by applicable law and the customer contract
  • Customer reporting — Evidence that disclosure records can be provided to customers on request, enabling them to fulfil their own transparency obligations

What are the related controls?

Control and its relationship to A.2.5.4:

  • A.2.5.5 Notification of PII disclosure requests: Customers must be notified of legally binding disclosure requests, which should also be recorded
  • A.2.5.6 Legally binding PII disclosures: Legally binding disclosures must be recorded with the legal authority that compelled them
  • A.2.5.7 Disclosure of subcontractors: Subcontractor disclosures are a category of third party disclosure requiring records
  • A.2.2.7 Records of processing: Disclosure records form part of the broader processing records
  • A.2.5.3 Countries for PII transfer: Disclosures to recipients in other countries should cross reference the country register

Who does this control apply to?

A.2.5.4 applies exclusively to PII processors. Processors regularly disclose PII to third parties as part of their operations, whether through subcontractor arrangements, data returns to customers, responses to legal authorities or external audit access. Without a systematic record of these disclosures, neither the processor nor the controller can demonstrate accountability for how PII has been shared.








Why choose ISMS.online for PII disclosure tracking?

ISMS.online provides practical tools for recording and managing PII disclosures:

  • Disclosure register — Maintain a centralised register of all PII disclosures with structured fields for PII categories, recipient identity, date, source and authority
  • Automated logging — Create disclosure records from workflow triggers, ensuring routine disclosures are captured systematically without manual intervention
  • Authority tracking — Link each disclosure to its legal basis or contractual provision, demonstrating that every disclosure was authorised
  • Customer reporting — Generate disclosure reports for individual customers, showing all disclosures of their PII to third parties
  • Audit readiness — Present disclosure records in a structured format for internal and external audits, with filters by date, recipient, PII category and authority

FAQs

What counts as a disclosure to a third party?

A disclosure occurs whenever PII is made available to an entity outside the organisation. This includes: transfers to subcontractors for processing; data returns to the customer (the controller); responses to legal authority requests; access provided to external auditors; sharing with other processors or controllers; and any other situation where PII leaves the organisation’s control. Internal transfers between departments or systems within the organisation are not third party disclosures, but transfers to separate legal entities within a group may be.


How detailed should disclosure records be?

At minimum, records should capture: what PII was disclosed (categories or specific data elements); to whom (the specific recipient organisation); when (date and time); who initiated the disclosure; and the authority under which it was made (contract clause, legal requirement or customer instruction). For non-routine disclosures such as legal authority requests, additional detail should include the reference number of the request, the specific legal provision cited and any restrictions on notifying the customer.


How long should disclosure records be retained?

Retention periods for disclosure records should align with the applicable data protection law (GDPR does not specify a period but requires records to be available to the supervisory authority on request), the customer contract (which may specify a retention period) and the organisation’s own retention policy. A common approach is to retain disclosure records for the duration of the processing relationship plus a period sufficient to cover potential legal claims (typically 6 years in the UK). Records should not be destroyed while any related investigation or dispute is ongoing.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
