Countries and organizations to which PII might be transferred

The organization should specify and document the countries and international organizations to which PII might possibly be transferred. ... - Licensed content not shown -

LGPD (BRA)

Art.9: The data subject has the right to easily access information regarding the processing of data, which must be made available in a clear, adequate, and ostensive manner, among other characteristics outlined in regulations to comply with the principle of free access: I – Specific purpose of processing; II – Form and duration of processing, respecting commercial and industrial secrecy; III – Identification of the controller; IV – The controller’s contact information; V – Information regarding the shared use of data by the controller and the purpose of the sharing; VI – Liabilities of the processing agents; and VII – The data subject’s rights with explicit mention of the rights contemplated in Article 18 of this Law. § 1 If consent is requested, such consent will be considered void in case the information provided to the data subject have misleading or abusive content or were not previously presented in a transparent, clear, and unambiguous manner. § 2 If consent is requested, if there is a change in the purpose of the processing of personal data that is not compatible with the original consent, the controller must inform the data subjects beforehand, who may revoke the consent, if they disagree with the changes. § 3 When the processing of personal data is a condition for the provision of a good or service or the exercise of a right, the data subjects will be informed in a highlighted manner regarding this fact and the means through which they may exercise the rights identified in Article 18 of this Law.
Art.11: The processing of sensitive personal data may only be performed in the following scenarios: I – When the data subject or their legal guardian consents, in a specific and explicit manner, for specific purposes; II – Without the provision of the data subject’s consent, in scenarios in which it is indispensable for: a) The compliance with legal or regulatory obligation on the part of the controller; b) Shared processing of data deemed necessary for the execution, by the public administration, of public policies outlined in laws and regulations; c) In conducting studies by research organizations, ensuring, whenever possible, the anonymization of the personal data; d) The regular exercise of rights in court, administrative, or arbitration proceedings; considering that arbitration proceedings must follow the provisions of Law 9,307, dated of September 23, 1996 (Arbitration Law); e) The protection of life or the physical safety of the data subject or third party; f) The protection of health, exclusively, in procedures performed by health care professionals, health services or sanitary authorities; or (New wording included by Law No. 13,853 of 2019) g) Ensuring fraud prevention and data subject’s safety, in the identification and authentication process of registration in electronic systems, preserving the rights mentioned in Article 9 of this Law and except in cases where the data subject’s fundamental rights and freedoms require the protection of personal data prevail. § 1 The provisions of this Article apply to any processing of personal data that reveal sensitive personal data and that may cause damage to the data subject, with the exception of the provisions of specific laws. § 2 In cases when letters “a” and “b” of item II of the head provision of this Article are applied by public legal entities and bodies, the aforementioned waiver of consent under the terms of item I of the head provision of Article 23 of this Law will be disclosed. § 3 The communication or shared use of sensitive personal data between controllers with the purpose of obtaining economic advantages may be subject to prohibition or regulation by the National Data Protection Authority, consulting the public authorities’ sectorial bodies, within the scope of their powers. § 4 The communication or shared use of sensitive personal related to health between controllers with the purposes of obtaining economic advantages is prohibited, except when related to the provision of health services, pharmaceutical assistance and health care, provided that § 5 of this Article is observed, including auxiliary services of diagnosis and therapy, to the benefit of the data subjects’ interest, and to allow: (New wording included by Law No. 13,853 of 2019) I – data portability when the data subject requests; or (New wording included by Law No. 13,853 of 2019) II – the financial and administrative transactions resulting from the use and provision of the services referred to in this paragraph. (New wording included by Law No. 13,853 of 2019) § 5 The operators of private health care plans are prohibited from processing health data for the practice of risk selection in the engaging of any modality, as well as in the inclusion or exclusion of beneficiaries. (New wording included by Law No. 13,853 of 2019)

CCPA (US, CA)

S.1798.120: (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out. (b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the right to opt out of the sale of their personal information. (c) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information. (d) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”