Basis for PII transfer between jurisdictions

The organization should inform the customer in a timely manner of the basis for PII transfers between jurisdictions and of any intended changes in this... ... - Licensed content not shown -

GDPR (EU)

LGPD (BRA)

Art.9: The data subject has the right to easily access information regarding the processing of data, which must be made available in a clear, adequate, and ostensive manner, among other characteristics outlined in regulations to comply with the principle of free access:
I – Specific purpose of processing;
II – Form and duration of processing, respecting commercial and industrial secrecy;
III – Identification of the controller;
IV – The controller’s contact information;
V – Information regarding the shared use of data by the controller and the purpose of the sharing;
VI – Liabilities of the processing agents; and
VII – The data subject’s rights with explicit mention of the rights contemplated in Article 18 of this Law.
§ 1 If consent is requested, such consent will be considered void in case the information provided to the data subject has misleading or abusive content or was not previously presented in a transparent, clear, and unambiguous manner.
§ 2 If consent is requested, if there is a change in the purpose of the processing of personal data that is not compatible with the original consent, the controller must inform the data subjects beforehand, who may revoke the consent, if they disagree with the changes.
§ 3 When the processing of personal data is a condition for the provision of a good or service or the exercise of a right, the data subjects will be informed in a highlighted manner regarding this fact and the means through which they may exercise the rights identified in Article 18 of this Law.
Art.33: The international transfer of personal data will only be permitted in the following cases:
I – To countries or international organizations that offer a level of protection of personal data that is adequate to the protection provided in this Law;
II – When the controller offers and proves guarantees of compliance with the principles, the rights of the data subject, and the data protection regime outlined in this Law, in the form of:
a) Specific contractual clauses for a particular transfer;
b) Standard contractual clauses;
c) Binding corporate rules;
d) Certificates, and codes of conduct regularly issued;
III – When necessary for international legal cooperation between government intelligence, investigation, and prosecution bodies, according to instruments of international law;
IV – When necessary for the protection of life or the physical safety of the data subject or third party;
V – When authorized by the National Data Protection Authority;
VI – When resulting from a commitment made in an international cooperation agreement;
VII – When necessary for the execution of a public policy or the fulfillment of a government legal duty, being publicly disclosed under the terms of item I of the head provision of Article 23 of this Law;
VIII – When the data subject has provided specific and highlighted consent for the transfer, with prior information on the international character of the operation, clearly distinguishing this from the other purposes; or
IX – When necessary to answer to scenarios outlined in items II, V, and VI of Article 7 of this Law.
Sole Paragraph. For the purposes of item I of this Article, public legal entities referred to in the sole paragraph of Article 1 of Law 12,527, dated November 18, 2011 (Information Access Law), within the scope of their legal powers, and responsible individuals, within the scope of their activities, may request from the National Data Protection Authority an evaluation of the level of protection of personal data provided by a country or international organization.