What does control A.2.5.5 require?
The organization shall notify the customer of any legally binding requests for disclosure of PII.
This control sits within the PII Processor controls annex (A.2) and addresses an important transparency obligation. When a processor receives a legally binding request for PII disclosure (for example, from a law enforcement agency, court or regulatory authority), the customer (the PII controller) must be notified. This allows the controller to understand the impact on their data, seek legal advice if necessary and fulfil their own obligations to data subjects.
What does the Annex B implementation guidance say?
Annex B (section B.2.5.5) provides the following guidance:
- Nature of requests — The organisation may receive legally binding requests for disclosure, for example from legal authorities
- Notification procedure — The customer must be notified within agreed timeframes and following an agreed procedure, which can be defined in the contract
- Notification prohibition — Some legally binding requests include a prohibition on notification, for example under criminal law provisions designed to preserve investigation confidentiality
- See also A.2.5.3: Countries and International Organizations for PII Transfer for related requirements
- See also A.2.5.7: Disclosure of Subcontractors Used to Process PII for related requirements
The guidance recognises the tension between the processor’s obligation to notify the customer and situations where notification is legally prohibited. Where a court order or law enforcement request includes a non-disclosure provision (sometimes called a gagging order), the processor may be unable to notify the customer without breaking the law. In such cases, the processor should comply with the legal prohibition and notify the customer as soon as the prohibition is lifted.
How does this map to GDPR?
Control A.2.5.5 maps to the following GDPR article:
- Article 28(3)(a) — The processor shall process the personal data only on documented instructions from the controller, unless required to process by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest
GDPR Article 28(3)(a) requires processors to inform controllers when they are legally required to process (including disclose) personal data. The exception is where the law itself prohibits notification on public interest grounds. This mirrors the Annex B guidance about notification prohibitions in criminal law contexts.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025 guide.
In the 2019 edition, this requirement was addressed within the broader clause structure. The 2025 edition provides A.2.5.5 as a standalone control with implementation guidance in B.2.5.5 that explicitly addresses notification timeframes, contractual procedures and the challenge of notification prohibitions under criminal law. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.2.5.5, auditors will typically look for:
- Notification procedure — A documented procedure for notifying customers when legally binding disclosure requests are received, including the notification timeframe and communication channel
- Request register — A register of legally binding disclosure requests received, recording the requesting authority, date received, scope of request, notification date and any notification prohibitions
- Customer notifications — Records of notifications sent to customers, including the date sent and the information provided
- Contractual provisions — Contract clauses specifying the notification procedure, timeframes and the customer’s preferred communication channel for disclosure notifications
- Prohibition handling — Documented procedures for handling situations where notification is legally prohibited, including how the prohibition is tracked and how the customer is notified once the prohibition is lifted
What are the related controls?
| Control | Relationship |
|---|---|
| A.2.5.6 Legally binding PII disclosures | Governs how the processor handles the disclosure itself after notification |
| A.2.5.4 Records of PII disclosures | All disclosures resulting from legally binding requests must be recorded |
| A.2.2.2 Customer agreement | The contract should define the notification procedure and timeframes |
| A.2.2.6 Customer obligations | Notification of disclosure requests helps customers demonstrate compliance |
| A.2.5.2 Basis for PII transfer | Legally compelled disclosures may involve cross-border transfers |
Who does this control apply to?
A.2.5.5 applies exclusively to PII processors. When a processor receives a legally binding disclosure request, the controller has a direct interest in knowing about it. The controller may need to inform the data subjects, seek legal advice, challenge the request or update their own records. Without notification from the processor, the controller is unaware that their data has been demanded and cannot take appropriate action.
Why choose ISMS.online for disclosure request management?
ISMS.online provides practical tools for managing legally binding disclosure requests:
- Request tracking — Log and track legally binding disclosure requests with structured fields for requesting authority, scope, date received and notification status
- Notification workflows — Trigger automated customer notification workflows when a disclosure request is received, with configurable timeframes and communication channels
- Prohibition management — Flag requests with notification prohibitions, set review dates for when the prohibition expires and automatically trigger delayed notifications
- Audit trail — Maintain a complete audit trail of every disclosure request, notification and response, ready for regulatory or customer review
- Contract linkage — Link disclosure notification procedures to the relevant customer contract provisions, ensuring consistent compliance
FAQs
What qualifies as a legally binding disclosure request?
A legally binding disclosure request is one that the processor is legally compelled to comply with. This includes court orders, subpoenas, warrants, regulatory investigation demands and statutory disclosure obligations. Informal requests from authorities (where compliance is voluntary) are addressed separately under A.2.5.6 Legally Binding Disclosures. The key distinction is whether the processor has a legal obligation to disclose, not whether the request comes from a government body.
What if the processor is prohibited from notifying the customer?
Some legally binding requests include a non-disclosure provision that prohibits the processor from notifying anyone about the request. This is common in criminal investigations where notification could compromise the investigation. In such cases, the processor must comply with the prohibition. However, the processor should track the prohibition, review whether it has been lifted or has expired and notify the customer as soon as legally permitted. The processor’s procedures should document how these situations are handled.
How quickly should customers be notified?
The standard does not specify a notification timeframe, stating that customers should be notified within “agreed timeframes” per the contract. In practice, notification should be prompt enough for the customer to take action before the disclosure occurs, if possible. Many contracts require notification within 24 to 72 hours of receiving the request. The specific timeframe should balance the urgency of the request, the customer’s need to respond and any legal deadlines.