VND-010 Third-Party Data Disclosure Controls
Description
Disclosure of personal or sensitive data to third parties is authorised, documented and governed by data sharing agreements. Recipients are limited to the minimum data required for the disclosed purpose. Disclosures are logged and the record is maintained. Customers are notified of third-party disclosures in the privacy notice.
Rationale
Uncontrolled third-party data sharing is both a data protection violation and a breach of customer trust. Tracking disclosures is required for accountability and for supporting data subject rights requests.
Framework Mappings (5)
| DSP-10 | Sensitive Data Transfer | partial |
| GDPR-Art.44 | General Principle for Transfers to Third Countries | partial |
| GDPR-Art.5.1b | Purpose Limitation | partial |
| P6.2 | Third-Party Disclosure | full |
| P6.4 | Third-Party Agreements | partial |
Evidence (2)
Third-party data disclosure log recording all authorised disclosures of personal or sensitive data to external parties with disclosure purpose and recipient details.
Example: Data Disclosure Register (Confluence / spreadsheet) — listing each third-party disclosure event or standing disclosure relationship with: recipient name, data categories disclosed, disclosure purpose, legal basis, disclosure mechanism (API / file transfer / direct access), authorisation record, and date
Test: Request the data disclosure register or relevant RoPA extract. Verify: (1) all third-party disclosures are recorded, (2) each disclosure has a documented legal basis or authorisation, (3) data shared is consistent with the minimum necessary for the stated purpose, (4) disclosures to third parties align with what is stated in the privacy notice.
Data sharing agreements with all third parties who receive personal or sensitive data, establishing permitted use, handling obligations and return/deletion requirements.
Example: Executed Data Sharing Agreements or equivalent contractual provisions (DSAs, information sharing addenda) with third-party recipients — each specifying: permitted use of disclosed data, prohibition on onward sharing without consent, security obligations, retention limits, deletion/return on termination, and compliance with applicable data protection law
Test: Request data sharing agreements for the top 5 third parties identified in the disclosure register. Verify: (1) a written agreement governs each disclosure relationship, (2) each agreement restricts the recipient to the disclosed purpose only, (3) onward sharing is prohibited or requires approval, (4) deletion/return obligations are specified, (5) agreements are signed and current.
Questions (2)
Are all disclosures of personal or sensitive data to third parties authorised, documented in a disclosure register, and governed by a data sharing agreement specifying permitted use and handling obligations?
Every standing third-party disclosure relationship should appear in the data inventory or a dedicated disclosure register. Recipients must be restricted to the minimum data required for the stated purpose, and disclosures must be consistent with what is stated in the privacy notice.
What controls govern the disclosure of personal or sensitive data to third parties?
All six active controls indicate a mature third-party disclosure programme. Absence of a disclosure register makes it impossible to fulfil data subject requests or demonstrate accountability to a supervisory authority.