8.5 PII sharing, transfer and disclosure

ISO/IEC 27701:2019 Clause 8.5 defines requirements for controlling the sharing, transfer and disclosure of personally identifiable information (PII) within an organization's privacy information management system. It mandates that PII be released only for legitimate purposes, with documented consent, appropriate contractual safeguards and compliance with applicable legal and regulatory obligations. The clause also outlines procedures for evaluating third-party arrangements, applying risk-based controls and maintaining records of all PII exchanges.