International PII Transfer Policy

The International PII Transfer Policy establishes requirements for identifying, approving, recording, reviewing, restricting and suspending international transfers of PII. It applies across controller, joint controller, processor and subprocessor activities where PII is made available to, accessed from, stored in, hosted in, disclosed to or otherwise transferred outside the approved processing boundary recorded in REG02 or REG09. The scope includes internal affiliates, external recipients, processors, subprocessors, service providers, support access, hosting locations, remote administration, onward transfers, public authority disclosure requests and transfer-related service changes. A central feature of the policy is its evidence-driven approach. The policy states that international transfers must be identified before processing begins or changes, and that approved transfer records must be maintained in REG09. REG09 is the primary transfer evidence object, while REG02, REG08 and REG12 provide supporting evidence for processing activities, vendor and processor relationships, exceptions, nonconformities, corrective actions and management review. Required REG09 fields include transfer destination, recipient, PIMS role, transfer mechanism, supporting evidence, review date and owner. This structure is intended to help the organization demonstrate accountable transfer governance without creating duplicate transfer impact assessment or SCC registers. The policy defines controls for transfer mechanism selection, approval and risk review. For controller transfers, the Privacy Lead / PIMS Manager records the approved transfer mechanism and supporting evidence in REG09 before the transfer begins. The Data Protection Officer / Privacy Advisor reviews transfer mechanism evidence before approval of new, materially changed or higher-risk international PII transfers and completes transfer risk review when triggered. Where technical safeguards are relied upon, the Information Security Lead records technical safeguard dependency status in REG09 or REG12. If residual transfer risk is high, Top Management must approve continued transfer operation in REG12 before that risk is accepted. Processor, subprocessor and onward transfer governance are also addressed. The Vendor / Procurement Owner must obtain documented customer authorization or instruction in REG08 and REG09 before initiating processor international PII transfers, record subprocessor authorization and flow-down transfer conditions, and prevent processor or subprocessor onward transfer until customer authorization is recorded. The policy also requires onward transfer routes, recipient categories, restrictions and obligations to be recorded before approval. Foreign public authority disclosure requests must be recorded in REG09 or REG12 before disclosure where practicable, or within one business day where prior recording is not practicable, and privacy-significant requests must receive privacy advisor review where practicable. Ongoing governance is handled through defined review, measurement, exception and enforcement requirements. Active transfer records are reviewed at least annually and within 30 days of material transfer change, while the Privacy Lead / PIMS Manager reviews overdue transfer reviews, incomplete records, suspended transfers and open transfer exceptions at least quarterly. Metrics include the percentage of active REG09 records with complete transfer mechanism evidence, overdue transfer reviews, suspended or deferred transfers, overdue processor or third-party evidence, and unmatched REG02 processing activities with potential international transfer indicators. Exceptions must be recorded in REG12 before becoming active, assigned an owner, expiry date, compensating control and review frequency, and reviewed at least monthly until closure. Nonconformities must be recorded when unrecorded transfers, unsupported mechanisms, missing authorization, overdue reviews, missing onward transfer evidence or unauthorized continuation are identified.