Legally binding PII disclosures

The organization should reject any requests for PII disclosures that are not legally binding, consult the corresponding customer where legally permissible before making any PII disclosures... ... - Licensed content not shown -

GDPR (EU)

48: Article(48): Transfers or disclosures not authorised by Union law: Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

LGPD (BRA)

Art.6: The operations of personal data processing must be performed in good faith and follow these principles: I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes; II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing; III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing; IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data; V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing; VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy; VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events; VIII – Prevention: Adoption of measures to prevent the occurrence of damage as result of the processing of personal data; IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes; X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance and compliance with personal data protection rules, including the efficacy of these measures, is adopted. Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6) If testing is not...

Art.46: Processing agents must adopt security measures, both technical and administrative, suitable to protect personal data from unauthorized access and accidental or illegal destruction, loss, change, communication, or dissemination events, or any other occurrence resulting from inappropriate or illegal processing. § 1 The National Data Protection Authority may determine minimum technical standards for the purposes of the provisions this Article, considering the nature of the information processed, the specific. characteristics of the processing, and the current state of technology, especially in the case of sensitive personal data, as well as the principles outlined in Article 6 of this Law.§ 2 The measures contemplated in the head provision of this Article must be considered from the phase of the development of the good or service until its execution.

Art.49: The systems used to process the personal data must be structured in order to meet security requirements, best practice and governance standards and the general principles outlined in this Law and other regulatory rules.

CCPA (US, CA)

S.1798.145.h: (h) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.

APP (Australian Privacy Principles)

APP.5: Must notify certain matters on the collection of personal information (APP 5)

APP.6: Must only use or disclose personal information as permitted under the APPs (e.g. as notified to individual at time of collection) ...

APA (Australian Privacy Act)

APA.15: Must not do an act, or engage in a practice, that breaches an APP (S.15)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

Division 1 5 (1): Every organisation must comply with the obligations (i.e. principles) in Schedule 1

4.5: Personal information must not be used or disclosed for other than the purposes for which it was collected, except with the consent of the individual...

DPP (Data Protection Principles) - Hong Kong

DPP.4.1: All practicable steps shall be taken to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to— (Amended 18 of 2012 s. 40; 17 of 2018 s. 129) (a) the kind of data and the harm that could result if any of those things should occur; (b) the physical location where the data is stored; (Amended 18 of 2012 s. 40) (c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored; (Amended 18 of 2012 s. 40) (d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and (e) any measures taken for ensuring the secure transmission of the data.

Personal Data Protection Act - Singapore

S.4.3: Organisations have the same obligations in respect of personal data processed for them by a 'data intermediary' as if it was processed by them (S.4(3))

S.18: Collection, use and/or disclosure of personal data must be reasonable in the circumstances and the individual must be informed of the purposes for collection, use and disclosure

Personal Information Protection Act - South Korea

A.19: A recipient of personal information cannot use it or disclose it for any other purpose, except as permitted for by law or where additional consent is provided by the individual

A.26: On outsourcing the processing of personal information to a third party, must satisfy certain formalities in writing and prevent processing for purposes other than the purposes for which the processing was outsourced and ensure technical and managerial safeguards