SOC 2 P6.1: Privacy - Disclosure to Third Parties
What This Control Requires
The entity discloses personal information to third parties with the consent of the data subject or as disclosed in the privacy notice to meet the entity's objectives related to privacy.
In Plain Language
Every time personal data leaves your organisation - whether to a cloud provider, analytics platform, marketing partner, or payment processor - you need authorisation for that transfer. Either the individual consented to it, or your privacy notice clearly discloses it. There is no middle ground.
In practice, this means keeping a live inventory of every third-party data sharing arrangement, confirming each one is reflected in your privacy notice or backed by explicit consent, putting proper contracts in place with every recipient, and limiting shared data to only what is genuinely needed.
Auditors will map your actual data flows against your privacy notice disclosures. If they find data going to a third party that is not mentioned in the notice and not covered by consent, that is a finding. They also check for data processing agreements and whether you are sharing more data than the stated purpose justifies.
How to Implement
Build and maintain an inventory of every third-party data sharing arrangement. For each one, record the third party's identity, what categories of personal data you share, why you share it, the legal basis (consent, privacy notice, contractual necessity), how often and by what method data moves, and what contractual protections are in place.
Compare your inventory against your privacy notice line by line. Any sharing arrangement not reflected in the notice needs to either be added to the notice or stopped. Make sure the notice describes categories of third parties and the purposes for sharing in plain language.
Put data processing agreements (DPAs) or equivalent contracts in place with every third party receiving personal information. These should specify the purpose and scope of data use, prohibit use beyond the stated purpose, require appropriate security measures, include breach notification obligations, address data subject rights, and define data return or destruction when the relationship ends.
Minimise what you share. Only send the personal data elements the third party actually needs. Use anonymisation, pseudonymisation, or aggregation wherever the recipient does not need individual-level data. Set up technical controls to restrict what third-party integrations can access.
Log all data transfers to third parties - what was shared, when, and how. Review these logs periodically to catch any drift from the stated purpose or contract terms. Deal with unauthorised or excessive sharing immediately.
Before sharing personal data with any new third party, run a privacy and security assessment, confirm the arrangement is covered by notice or consent, execute the right contracts, and document the approval.
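The inventory-versus-notice reconciliation described in the steps above, as an added example that is not AuditFront's code or tooling: it checks a constructed sharing inventory against the recipient categories and purposes the privacy notice discloses, flags missing DPAs, and flags data elements beyond a per-purpose minimisation baseline. All third-party names, categories, purposes and field sets are assumptions.

```python
from dataclasses import dataclass

# Constructed sample structures for illustration only.
@dataclass
class SharingArrangement:
    third_party: str
    category: str        # recipient category as worded in the privacy notice
    purpose: str
    data_elements: set
    legal_basis: str     # "notice", "consent" or "contract"
    dpa_in_place: bool

# Recipient categories and purposes the privacy notice actually discloses (assumed).
NOTICE_DISCLOSURES = {
    "payment processors": {"payment processing"},
    "cloud hosting providers": {"hosting"},
    "analytics providers": {"product analytics"},
}

# Minimisation baseline: the elements each purpose genuinely needs (assumed).
PURPOSE_NEEDS = {
    "payment processing": {"name", "card_token", "billing_address"},
    "hosting": {"account_id", "email"},
    "product analytics": {"pseudonymous_id", "event_name"},
    "marketing": {"email"},
}

def audit_sharing(inventory):
    """Return (third_party, finding) pairs an auditor mapping flows to the notice would raise."""
    findings = []
    for a in inventory:
        disclosed = a.purpose in NOTICE_DISCLOSURES.get(a.category, set())
        # Only explicit consent substitutes for a notice disclosure; "contract" does not.
        if not disclosed and a.legal_basis != "consent":
            findings.append((a.third_party, "undisclosed_sharing"))
        if not a.dpa_in_place:
            findings.append((a.third_party, "no_dpa"))
        excess = a.data_elements - PURPOSE_NEEDS.get(a.purpose, set())
        if excess:
            findings.append((a.third_party, "excessive_data:" + ",".join(sorted(excess))))
    return findings

# Constructed inventory: one clean arrangement, one over-sharing, one undisclosed without a DPA.
INVENTORY = [
    SharingArrangement("PayCo", "payment processors", "payment processing",
                       {"name", "card_token", "billing_address"}, "notice", True),
    SharingArrangement("MetricsHub", "analytics providers", "product analytics",
                       {"pseudonymous_id", "event_name", "email"}, "notice", True),
    SharingArrangement("AdReach", "marketing partners", "marketing", {"email"}, "notice", False),
]

if __name__ == "__main__":
    for finding in audit_sharing(INVENTORY):
        print(finding)
```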
Evidence Your Auditor Will Request
- Third-party data sharing inventory documenting all arrangements with purposes and legal basis
- Privacy notice disclosures covering all categories of third-party sharing
- Data processing agreements or equivalent contracts with all third-party data recipients
- Evidence of data minimisation in third-party sharing (limiting data to necessary elements)
- Review and approval records for new third-party sharing arrangements
Common Mistakes
- Third-party data sharing inventory is incomplete, with undocumented sharing arrangements
- Privacy notice does not cover all actual third-party sharing, creating unauthorised disclosures
- Data processing agreements are not in place with all third parties receiving personal data
- More personal data is shared with third parties than necessary for the stated purpose
- New sharing arrangements are established without privacy review or contractual protections
Related Controls Across Frameworks
Frequently Asked Questions
Do analytics tools like Google Analytics count as third-party disclosure?
What about sharing with sub-processors?
Can we share personal data with law enforcement without consent?