Basis for PII transfer between jurisdictions

The organization should inform the customer in a timely manner of the basis for PII transfers between jurisdictions and of any intended changes in this... ... - Licensed content not shown -

GDPR (EU)

44: Article(44): Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

46.1: Article(46)(1): In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

46.2.a: Article(46)(2)(a): The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: (a) a legally binding and enforceable instrument between public authorities or bodies;

46.2.b: Article(46)(2)(b): The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: (b) binding corporate rules in accordance with Article 47;

46.2.c: Article(46)(2)(c): The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

46.2.d: Article(46)(2)(d): The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

46.2.e: Article(46)(2)(e): The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

46.2.f: Article(46)(2)(f): The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

46.3.a: Article(46)(3)(a): Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by: (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

46.3.b: Article(46)(3)(b): Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by: (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

48: Article(48): Transfers or disclosures not authorised by Union law: Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

49.1.a: Article(49)(1)(a): In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

49.1.b: Article(49)(1)(b): In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

49.1.c: Article(49)(1)(c): In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

49.1.d: Article(49)(1)(d):In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (d) the transfer is necessary for important reasons of public interest;

49.1.e: Article(49)(1)(e):In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (e) the transfer is necessary for the establishment, exercise or defence of legal claims;

49.1.f: Article(49)(1)(f): In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent

49.1.g: Article(49)(1)(g): IIn the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

49.2: A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

49.3: Article(49)(3): Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

49.4: Article(49)(4): The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.

49.5: Article(49)(5): In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.

49.6: Article(49)(6): The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

LGPD (BRA)

Art.9: The data subject has the right to easily access information regarding the processing of data, which must be made available in a clear, adequate, and ostensive manner, among other characteristics outlined in regulations to comply with the principle of free access: I – Specific purpose of processing; II – Form and duration of processing, respecting commercial and industrial secrecy; III – Identification of the controller; IV – The controller’s contact information; V – Information regarding the shared use of data by the controller and the purpose of the sharing; VI – Liabilities of the processing agents; and VII – The data subject’s rights with explicit mention of the rights contemplated in Article 18 of this Law. § 1 If consent is requested, such consent will be considered void in case the information provided to the data subject have misleading or abusive content or were not previously presented in a transparent, clear, and unambiguous manner. § 2 If consent is requested, if there is a change in the purpose of the processing of personal data that is not compatible with the original consent, the controller must inform the data subjects beforehand, who may revoke the consent, if they disagree with the changes. § 3 When the processing of personal data is a condition for the provision of a good or service or the exercise of a right, the data subjects will be informed in a highlighted manner regarding this fact and the means through which they may exercise the rights identified in Article 18 of this Law.

Art.33: The international transfer of personal data will only be permitted in the following cases: I – To countries or international organizations that offer a level of protection of personal data that is adequate to the protection provided in this Law; II – When the controller offers and proves guarantees of compliance with the principles, the rights of the data subject, and the data protection regime outlined in this Law, in the form of: a) Specific contractual clauses for a particular transfer; b) Standard contractual clauses; c) Binding corporate rules; d) Certificates, and codes of conduct regularly issued; III – When necessary for international legal cooperation between government intelligence, investigation, and prosecution bodies, according to instruments of international law; IV – When necessary for the protection of life or the physical safety of the data subject or third party; V – When authorized by the National Data Protection Authority; VI – When resulting from a commitment made in an international cooperation agreement; VII – When necessary for the execution of a public policy or the fulfillment of a government legal duty, being publicly disclosed under the terms of item I of the head provision of Article 23 of this Law; VIII – When the data subject has provided specific and highlighted consent for the transfer, with prior information on the international character of the operation, clearly distinguishing this from the other purposes; or IX – When necessary to answer to scenarios outlined in items II, V, and VI Article 7 of this Law. Sole Paragraph. For the purposes of item I of this Article, public legal entities referred to in the sole paragraph of Article 1 of Law. 12,527, dated of November 18, 2011 (Information Access Law), within the scope of their legal powers, and responsible individuals, within the scope of their activities, may request from the National Data Protection Authority an evaluation of the level of protection of personal data provided by a country or international organization.

Personal Data Protection Act - Singapore

S.18: Collection, use and/or disclosure of personal data must be reasonable in the circumstances and the individual must be informed of the purposes for collection, use and disclosure

Personal Information Protection Act - South Korea

A.26: On outsourcing the processing of personal information to a third party, must satisfy certain formalities in writing and prevent processing for purposes other than the purposes for which the processing was outsourced and ensure technical and managerial safeguards

Turkish Data Protection Law numbered 6698

A.9: Personal data may only be transferred abroad without explicit consent if (i) sufficient protection is provided in the foreign country where the data is to be transferred, or (ii) the data controller in Turkey and in the related foreign country must guarantee a sufficient protection in writing and the Data Protection Board has authorized such transfer, where sufficient protection is not provided