Identify basis for PII transfer between jurisdictions
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
...
- Licensed content not shown -
GDPR (EU)
45.2.a: Article(45)(2)(a): When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
45.3: Article(45)(3): The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
LGPD (BRA)
Art.9: The data subject has the right to easily
access information regarding the processing of data,
which must be made available in a clear, adequate,
and ostensive manner, among other characteristics
outlined in regulations to comply with the principle of
free access:
I – Specific purpose of processing;
II – Form and duration of processing, respecting
commercial and industrial secrecy;
III – Identification of the controller;
IV – The controller’s contact information;
V – Information regarding the shared use of data by
the controller and the purpose of the sharing;
VI – Liabilities of the processing agents; and
VII – The data subject’s rights with explicit mention
of the rights contemplated in Article 18 of this Law.
§ 1 If consent is requested, such consent will be
considered void in case the information provided to
the data subject have misleading or abusive content or
were not previously presented in a transparent, clear,
and unambiguous manner.
§ 2 If consent is requested, if there is a change in the
purpose of the processing of personal data that is not
compatible with the original consent, the controller
must inform the data subjects beforehand, who may
revoke the consent, if they disagree with the changes.
§ 3 When the processing of personal data is a
condition for the provision of a good or service or the
exercise of a right, the data subjects will be informed in
a highlighted manner regarding this fact and the means
through which they may exercise the rights identified in
Article 18 of this Law.
Art.33: The international transfer of personal data
will only be permitted in the following cases:
I – To countries or international organizations that
offer a level of protection of personal data that is
adequate to the protection provided in this Law;
II – When the controller offers and proves
guarantees of compliance with the principles, the
rights of the data subject, and the data protection
regime outlined in this Law, in the form of:
a) Specific contractual clauses for a particular
transfer;
b) Standard contractual clauses;
c) Binding corporate rules;
d) Certificates, and codes of conduct regularly
issued;
III – When necessary for international legal
cooperation between government intelligence,
investigation, and prosecution bodies, according to
instruments of international law;
IV – When necessary for the protection of life or the
physical safety of the data subject or third party;
V – When authorized by the National Data
Protection Authority;
VI – When resulting from a commitment made in an
international cooperation agreement;
VII – When necessary for the execution of a public
policy or the fulfillment of a government legal duty,
being publicly disclosed under the terms of item I of
the head provision of Article 23 of this Law;
VIII – When the data subject has provided specific
and highlighted consent for the transfer, with prior
information on the international character of the
operation, clearly distinguishing this from the other
purposes; or
IX – When necessary to answer to scenarios
outlined in items II, V, and VI Article 7 of this Law.
Sole Paragraph. For the purposes of item I of this
Article, public legal entities referred to in the sole
paragraph of Article 1 of Law. 12,527, dated of
November 18, 2011 (Information Access Law), within
the scope of their legal powers, and responsible
individuals, within the scope of their activities, may
request from the National Data Protection Authority an
evaluation of the level of protection of personal data
provided by a country or international organization.
Art.46: Processing agents must adopt security
measures, both technical and administrative, suitable
to protect personal data from unauthorized access
and accidental or illegal destruction, loss, change,
communication, or dissemination events, or any other
occurrence resulting from inappropriate or illegal
processing.
§ 1 The National Data Protection Authority may
determine minimum technical standards for the
purposes of the provisions this Article, considering
the nature of the information processed, the specific
characteristics of the processing, and the current
state of technology, especially in the case of sensitive
personal data, as well as the principles outlined in
Article 6 of this Law.
§ 2 The measures contemplated in the head provision
of this Article must be considered from the phase
of the development of the good or service until its
execution.
APP (Australian Privacy Principles)
PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
Personal Data Protection Act - Singapore
Personal Information Protection Act - South Korea
Turkish Data Protection Law numbered 6698