PIMS cross-border PII transfers
Primary statement
PIMS transfers per ISO 27701 A.1.5.1 + A.1.5.2 + A.2.5.1 + A.2.5.2 + DPDPA notice (DPDP.16) + GDPR + CSA. PIMS transfer controls layered with regulatory addenda.
Audit-fatigue payoff
A unified cross-border programme — lawful basis + transfer mechanism + records + government request handling — satisfies transfer requirements across all 4 contributing frameworks.
Strictness matrix
Scope
Scope: all PII transfers outside the relevant jurisdiction. Identify the lawful basis and the transfer mechanism for each transfer.
Ceiling source: iso27701:A.1.5.1
Rationale: ISO 27701 A.1.5.1 universal scope is foundational.
Threshold
Threshold: lawful basis identified before the transfer takes place, with per-transfer documentation.
Ceiling source: iso27701:A.1.5.1
Rationale: ISO 27701 A.1.5.1 before-transfer threshold is binary.
Method
Method: lawful basis + transfer mechanism (SCCs, adequacy, BCRs) + records (A.1.5.2) + government request procedure (A.2.5.2) + DPDPA notice content + GDPR Arts 44-49.
Ceiling source: iso27701:A.1.5.1
Rationale: ISO 27701 + GDPR + DPDPA combined are most prescriptive.
Frequency
Frequency: records refreshed continuously, with an annual completeness check; transfer mechanism reviewed annually.
Ceiling source: iso27701:A.1.5.2
Rationale: Annual records + transfer mechanism review is the cadence.
Evidence
Evidence: transfer register + per-transfer lawful basis + mechanism documentation + government request log.
Ceiling source: iso27701:A.1.5.2
Rationale: ISO 27701 A.1.5.2 records evidence is the anchor.
Auditor test pattern
Step 1: Inspect the transfer register.
Step 2: Sample 3 transfers; verify lawful basis and transfer mechanism for each.
Step 3: Inspect the government request procedure.
Step 4: Verify the DPDPA notice covers cross-border transfers.
Common findings
Common findings:
(1) Register incomplete: SaaS-default routings missed.
(2) SCCs reference a superseded EU decision.
(3) Government request procedure absent.
(4) DPDPA notice silent on cross-border transfers.