
How does ISO 27701:2025 address cross-border data transfers?

International transfers of personally identifiable information (PII) are a reality for most organisations. Whether you use cloud services hosted overseas, share data with international partners or serve customers across multiple jurisdictions, you need a structured approach to managing how PII crosses borders.

ISO 27701:2025 addresses cross-border transfers through its Annex A privacy controls, which include specific requirements for identifying, documenting and controlling international PII flows. The standard does not prescribe which legal transfer mechanism to use — that depends on the applicable regulations — but it provides the management framework to ensure transfers are properly governed.

As a standalone certifiable standard, ISO 27701:2025 gives organisations a comprehensive privacy management system that includes transfer controls as part of its broader governance framework.

Which Annex A controls apply to international transfers?

Several Annex A controls are directly relevant to cross-border data transfer governance. The specific controls that apply depend on whether your organisation acts as a PII controller, a PII processor or both.

Control Area | Applies To | What It Covers
Identification of PII transfers | Controllers and processors | Identifying and recording all countries and international organisations to which PII may be transferred
Countries and mechanisms of transfer | Controllers and processors | Documenting the legal basis and transfer mechanism for each international transfer
Records of PII transfers | Controllers and processors | Maintaining records of PII transfers, including the recipient, purpose, type of PII and safeguards applied
Subcontractor management | Processors | Ensuring subcontractors who process PII in other jurisdictions have adequate transfer safeguards
Third-party disclosure | Controllers | Controlling disclosures of PII to third parties in other jurisdictions and recording the legal authority for such disclosures

Your Statement of Applicability should declare which of these controls are applicable based on your organisation’s role and processing activities. The Clause 6 planning requirements ensure that transfer risks are assessed and treatment plans put in place.

How does ISO 27701:2025 support GDPR transfer mechanisms?

The GDPR restricts transfers of personal data outside the European Economic Area (EEA) unless adequate safeguards are in place. ISO 27701:2025 does not replace GDPR transfer mechanisms, but it provides the operational framework to implement and evidence them effectively.

The Annex D GDPR mapping shows how the standard’s controls align with GDPR requirements, including the transfer provisions in Articles 44 to 49.

GDPR Transfer Mechanism | How ISO 27701:2025 Supports It
Adequacy decisions (Art. 45) | The PIMS scope definition requires you to identify where PII is processed and transferred, so you know which transfers rely on adequacy decisions
Standard Contractual Clauses (Art. 46) | Supplier and processor management controls ensure contracts include appropriate data processing and transfer clauses
Binding Corporate Rules (Art. 47) | The management system framework supports the governance, monitoring and audit requirements that BCRs demand
Transfer Impact Assessments | The risk assessment methodology in Clause 6 provides a structured approach to evaluating transfer risks and documenting safeguards
Derogations (Art. 49) | Records of processing and transfer controls ensure that reliance on derogations is documented and justified

Organisations pursuing GDPR compliance through ISO 27701 can use their PIMS as the operational backbone for managing transfer compliance alongside broader privacy obligations.


What practical steps should you take?

Managing cross-border transfers under ISO 27701:2025 requires a systematic approach. The following steps will help you build transfer controls into your PIMS effectively.

Step 1: Map your international data flows

Before you can control transfers, you need to know where PII goes. Create a comprehensive data flow map that identifies:

  • All countries where PII is stored, processed or accessed
  • The categories of PII involved in each transfer
  • The purpose of each transfer
  • Whether recipients are controllers, processors or sub-processors
  • The volume and sensitivity of data transferred

Step 2: Identify the legal basis for each transfer

For each international transfer, document the legal mechanism that permits it. This could be an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules or another recognised mechanism under the applicable legislation.

Step 3: Assess and treat transfer risks

Use the risk assessment methodology defined in your PIMS (Clause 6) to evaluate the risks associated with each transfer. Consider the legal environment of the destination country, the nature of the data, the recipient’s security practices and any supplementary measures needed.

Step 4: Implement contractual safeguards

Ensure that contracts with recipients include appropriate data processing terms, security requirements and transfer clauses. For processors and sub-processors, contracts should address audit rights, breach notification obligations and data return or deletion requirements.

Step 5: Monitor and review

Transfer risks are not static. Regulatory landscapes change, adequacy decisions can be invalidated (as happened to the EU-US Privacy Shield in the CJEU's Schrems II judgment in 2020) and new processing activities may introduce new transfers. Build regular review into your PIMS, triggered both by a fixed schedule and by regulatory events, to keep transfer controls current.
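The five steps above amount to a transfer register that is checked against a rule set and re-checked when the rules change. The following script is an added example written for this page; it is not from ISO 27701, ISMS.online or the page's author. The register rows, the adequacy set and the "sensitive PII needs supplementary measures" rule are all constructed assumptions: maintain the real adequacy list from your regulator and the real rules from your own risk treatment plan. The last function shows the Step 5 case, where a destination is removed from the adequacy set and every transfer that relied on it becomes a finding.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, partial set of destinations treated as covered by an adequacy
# decision for this example only. Keep the real list current (Step 5).
ADEQUATE_FOR_EEA = frozenset({"United Kingdom", "Japan", "Switzerland", "United States"})

MECHANISMS = frozenset({"adequacy", "scc", "bcr", "derogation"})
# Example internal policy rule (an assumption, not a legal requirement):
# these categories must not leave the EEA without supplementary measures.
SENSITIVE = frozenset({"health", "biometric", "financial"})


@dataclass
class Transfer:
    """One row of the transfer register; the fields are the Step 1 items."""
    transfer_id: str
    destination: str
    recipient: str
    recipient_role: str                  # "controller", "processor" or "sub-processor"
    purpose: str
    pii_categories: List[str]
    mechanism: Optional[str] = None      # one of MECHANISMS, or None if undocumented
    tia_completed: bool = False
    supplementary_measures: List[str] = field(default_factory=list)


def check_transfer(t: Transfer, adequate: frozenset) -> List[str]:
    """Return the findings for one transfer; an empty list means no issue found."""
    findings = []
    if t.mechanism is None:
        # Step 2: every transfer needs a documented legal basis.
        findings.append(f"{t.transfer_id}: no transfer mechanism recorded")
        return findings
    if t.mechanism not in MECHANISMS:
        findings.append(f"{t.transfer_id}: unknown mechanism '{t.mechanism}'")
        return findings
    if t.mechanism == "adequacy" and t.destination not in adequate:
        # Step 5: the adequacy decision no longer covers this destination.
        findings.append(f"{t.transfer_id}: relies on adequacy but {t.destination} is not on the adequacy list")
    if t.mechanism in ("scc", "bcr") and not t.tia_completed:
        # Step 3: appropriate-safeguard transfers need a transfer impact assessment.
        findings.append(f"{t.transfer_id}: {t.mechanism.upper()} transfer without a completed TIA")
    if SENSITIVE & set(t.pii_categories) and not t.supplementary_measures:
        findings.append(f"{t.transfer_id}: sensitive PII to {t.destination} without supplementary measures")
    return findings


def review_register(register: List[Transfer], adequate: frozenset = ADEQUATE_FOR_EEA) -> List[str]:
    """Run the checks over the whole register, preserving register order."""
    return [finding for t in register for finding in check_transfer(t, adequate)]


# Constructed sample register; names and purposes are illustrative only.
SAMPLE_REGISTER = [
    Transfer("T-001", "United States", "Backup cloud provider", "processor",
             "offsite backup", ["contact"], mechanism="adequacy"),
    Transfer("T-002", "India", "Support vendor", "sub-processor",
             "helpdesk", ["contact", "financial"], mechanism="scc"),
    Transfer("T-003", "Japan", "Group subsidiary", "controller",
             "HR administration", ["hr"], mechanism="bcr",
             tia_completed=True, supplementary_measures=["encryption at rest, keys held in EEA"]),
    Transfer("T-004", "Brazil", "Analytics provider", "processor",
             "product analytics", ["usage"]),
]


def findings_after_adequacy_withdrawn(register: List[Transfer], country: str) -> List[str]:
    """Step 5 re-run: drop one destination from the adequacy set and re-check."""
    return review_register(register, ADEQUATE_FOR_EEA - {country})


if __name__ == "__main__":
    for line in review_register(SAMPLE_REGISTER):
        print("FINDING:", line)
    print("--- after withdrawal of adequacy for United States ---")
    for line in findings_after_adequacy_withdrawn(SAMPLE_REGISTER, "United States"):
        print("FINDING:", line)
```

On the sample register the first run reports T-002 twice (no TIA, financial data without supplementary measures) and T-004 once (no mechanism), while T-001 and T-003 pass. The second run adds a finding for T-001, which is exactly the transfer a Privacy Shield-style invalidation would have exposed; wiring a check like this to your regulatory-change monitoring turns Step 5 from a periodic review into an event-driven one.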

What about transfers outside the GDPR?

While GDPR is the most prominent data transfer regulation, many other jurisdictions impose restrictions on cross-border PII transfers. These include:

  • Brazil (LGPD) — Restricts transfers to countries without adequate protection unless safeguards are in place
  • China (PIPL) — Requires a regulator security assessment for transfers by critical information infrastructure operators and for transfers above volume thresholds, with standard contract and certification routes for other transfers
  • South Korea (PIPA) — Requires data subject consent or comparable safeguards for international transfers
  • India (DPDP Act) — Permits transfers to most jurisdictions but can restrict specific countries by notification
  • Middle East and Africa — Several countries including Saudi Arabia, South Africa and Kenya have data localisation or transfer restriction requirements

ISO 27701:2025 is jurisdiction-agnostic. Its transfer controls and risk assessment framework can be applied regardless of which regulation governs your transfers, making it particularly valuable for organisations operating across multiple regulatory environments.


How does ISMS.online help manage cross-border transfers?

ISMS.online provides the tools you need to identify, document, control and evidence your international PII transfers as part of your ISO 27701:2025 PIMS.

  • Data flow mapping — Document and visualise your international data flows, including recipients, purposes, PII categories and transfer mechanisms
  • Risk assessment — Conduct transfer-specific risk assessments using the platform’s built-in risk management framework, linked directly to your treatment plans
  • Supplier management — Track all processor and sub-processor relationships, manage contracts, conduct due diligence and schedule reviews
  • Policy and procedure management — Create and maintain transfer policies with version control, approval workflows and staff acknowledgement tracking
  • Evidence collection — Automatically capture audit trails for transfer-related activities, ready for your certification audit
  • Regulatory mapping — Map your controls to multiple regulatory frameworks simultaneously, including GDPR, LGPD and other transfer regulations

To begin building your transfer controls into a broader PIMS, see our guide to getting started with ISO 27701:2025 implementation.

Why Choose ISMS.online for Cross-Border Transfer Compliance?

  • Integrated data flow management — Map, document and control all international transfers in a single platform alongside your wider PIMS
  • Built-in risk assessment framework — Evaluate transfer risks using a structured methodology aligned to ISO 27701:2025 Clause 6 requirements
  • Multi-regulation support — Manage compliance with GDPR, LGPD and other transfer regulations from one place, avoiding duplication
  • Supplier and processor oversight — Track contracts, due diligence and review schedules for every recipient of your PII
  • Audit-ready evidence — Every transfer record, risk assessment and supplier review is timestamped and version-controlled for your auditor
  • Pre-built frameworks and templates — Start with transfer policies, risk assessment templates and control mappings already aligned to the standard
  • Trusted by organisations worldwide — ISMS.online supports businesses across multiple jurisdictions in achieving and maintaining ISO 27701 certification

FAQs

Does ISO 27701:2025 tell you which transfer mechanism to use?

No. ISO 27701:2025 is jurisdiction-agnostic. It requires you to identify, document and control international transfers, but the choice of legal transfer mechanism depends on the applicable regulation (e.g., GDPR, LGPD, PIPL). The standard provides the framework to govern whichever mechanism you use.


Do we need a Transfer Impact Assessment for every transfer?

Under GDPR, a Transfer Impact Assessment is expected whenever you rely on Standard Contractual Clauses or similar appropriate safeguards, following the Schrems II judgment and Clause 14 of the 2021 SCCs, which requires the parties to assess the laws and practices of the destination country. Transfers that rest on an adequacy decision do not need one. ISO 27701:2025 supports this through its risk assessment requirements in Clause 6, which can be used to conduct and document TIAs as part of your broader privacy risk management.


How do cloud services fit into cross-border transfer controls?

Cloud services often involve PII being processed in multiple countries, including by the provider's support staff and sub-processors, not only in the region you selected for storage. Under ISO 27701:2025, you must identify all locations where your cloud provider (and their sub-processors) process PII, assess the transfer risks and ensure appropriate contractual and technical safeguards are in place. On the technical side, encryption of PII at rest and in transit with keys held outside the destination jurisdiction is the supplementary measure the EDPB's Recommendations 01/2020 identify as effective for storage and backup use cases, so key management location belongs in the transfer record alongside the contractual clauses.


What if a country loses its adequacy status?

Your PIMS should include a process for monitoring regulatory changes. If an adequacy decision is invalidated, you need to implement an alternative transfer mechanism (such as Standard Contractual Clauses) and update your risk assessment. ISMS.online helps you track these changes and trigger reviews when regulations shift.


Can ISO 27701:2025 help with data localisation requirements?

While ISO 27701:2025 does not directly address data localisation mandates, its data flow mapping and risk assessment framework help you identify where localisation requirements apply and implement appropriate controls. This is particularly useful for organisations operating across jurisdictions with different localisation rules.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
