
Listing of non-recurring data disclosures and contractual commitment to informing customers about them


The organization must have clear procedures for situations where the organization is required by law to disclose personal information to the authorities. In addition, a list must be kept of these individual data disclosures.

The organization shall pay particular attention to the communication of these situations and the timing of the communication to interested customers, unless this is illegal due to, for example, an ongoing investigation or other legal matter.

These practices must be describable to interested customers upon request. Procedures and reporting obligations must be described, e.g. in contracts for offered digital services.

Other connected frameworks and requirements:
A.6.1: PII disclosure notification (ISO 27018)
A.6.2: Recording of PII disclosures (ISO 27018)
A.6: Use, retention and disclosure limitation (ISO 27018)
A.8.5.1: Basis for PII transfer between jurisdictions (ISO 27701)
A.8.5.4: Notification of PII disclosure requests (ISO 27701)