Support Centre
Data Transfers
workspace-icon
Back

Data Transfers

Data Transfer Requirements

Request a jurisdiction

Data Transfer Requirements

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.
    title
  • Law
  • Restriction
  • Exemptions
  • Localisation Requirement
  • Regulatory Guidelines
  • Transfers Note
  • Afghanistan

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

  • Albania

    • Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) ('the Law')

    • According to Article 8(1) of the Law, data transfers to countries outside of the EU/EEA, to third countries which have not been deemed adequate by decision of the Office of the Information and Data Protection Commissioner ('IDP'), are restricted.

    • According to Article 8(2) of the Law, data transfers are permitted when: 

      1. it is authorised by international acts ratified by the Republic of Albania and are directly applicable;
      2. the data subject has given his/her consent for the international transfer;
      3. the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in addressing the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, in the interest of the data subject;
      4. it is a legal obligation of the controller;
      5. it is necessary for protecting vital interests of the data subject;
      6. it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right; or
      7. the transfer is done from a register that is open for consultation and provides information to the general public.

      In cases other than those provided above, the international transfer of personal data with a state that does not have an adequate level of data protection, shall be carried out upon an authorisation from the KMDP. Consideration is also given to states which have ratified Convention 108.

    • No further information.

    • Guidelines on international data transfers issued by the Office of the Information and Data Protection Commissioner ('IDP') (only available in Albanian here).

    • No Transfers Note currently available.

  • Alberta

    • The Personal Information Protection Act (Statutes of Alberta 2003 chapter P-6.5) ('AB PIPA')

    • AB PIPA does not specifically regulate data transfers. However, it does regulate 'disclosure', which, according the the Official Guidelines, involves 'sharing personal information with another entity.' According to Section 19 of AB PIPA, an organisation may disclose personal information only: 

      1. for purposes that are reasonable for meeting the purposes for which the information is disclosed; or 
      2. with the consent of the individual.

    • According to Section 20 of AB PIPA, an organisation may disclose personal information about an individual without their consent if: 

      1. a reasonable person would consider that the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent; 
      2. the disclosure of the information is required by law; 
      3. to a public body, debt collection agency or other organisations; 
      4. the disclosure is for the purposes of contacting the next of kind or a friend of an injured, ill or deceased individual; the disclosure of the information is reasonable for the purposes of an investigation or legal proceeding or for the purposes of the prevention, detection or suppression of, fraud, and the information is disclosed to an organisation that is permitted or otherwise empowered to carry out any of those purposes; 
      5. the disclosure of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
      6. the information is publicly available, as prescribed or otherwise determined by the regulations; or 
      7. the disclosure is in accordance with Section 20.1, 21 or 22 (see below). 

      Under Section 21(1) of AB PIPA, an organisation may disclose personal employee information about an individual without the consent of the individual if the information is disclosed solely for the purposes of (a) establishing, managing or terminating an employment or volunteer-work relationship, or (b) managing a post-employment or post-volunteer-work relationship, between the organisation and the individual. The disclosure must also be reasonable for the particular purpose for which it is being disclosed, and, in the case of an individual who is a current employee of the organisation, the organisation has, before disclosing the information, provided the individual with reasonable notification that his/her personal information is going to be disclosed and of the purposes for which the information is going to be disclosed. 

      Additionally, it can disclosure personal information about an individual who is a current or former employee of the organisation to a potential or current employer of the individual without the consent of the individual if: 

      1. the personal information that is being disclosed was collected by the organisation as personal employee information; and 
      2. the disclosure is reasonable for the purpose of assisting that employer to determine the individual's eligibility or suitability for a position with that employer. According to Section 22, personal information may be disclosed for the purposes of a business transaction, if: 
        1. the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction; and 
        2. the information is necessary: for the parties to determine whether to proceed with the business transaction; and if the determination is to proceed with the business transaction, for the parties to carry out and complete the business transaction.

    • No further information.

    • Official Guidelines on the general application of AB PIPA issued by the Office of the Information and Privacy Commissioner in November 2008 and Official Guidelines on collection, use and disclosure of personal information under AB PIPA issued by the Office of the Information and Privacy Commissioner of Alberta in 2009.

    • Please see Canada - Data Transfers Note

  • Algeria

    • Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data (only available in French here) ('the Law')

    • Data controllers cannot transfer data abroad unless it has obtained authorisation from the Algerian data protection authority and the recipient country provides an adequate level of protection for the persons affected by the transfer. In addition, it is prohibited to transfer personal data if such transfer poses a danger for the vital interests of the State or public security (Article 44 of the Law). 

    • In cases where the recipient country is not recognised as providing adequate protection and the Algerian data protection authority has not authorised the transfer, as required by Article 44 of the Law, the data controller can transfer personal data if:

      • the data subject has expressly consented to such transfer;
      • the transfer is necessary for, among others, protecting the health of the data subject, safeguarding the public interest or the execution of a contract between the data subject and the data controller;
      • the transfer takes place pursuant to a bilateral or multilateral agreement to which Algeria is party; or 
      • under the authorisation from the Algerian data protection authority, the processing falls under Article 2 of the Law.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

  • Andorra

    • Qualified Act 15/2003, of 18 December, of Personal Data Protection ('the Act')

    • According to Articles 35 and 36 of the Act, data transfers to countries outside of the EU/EEA, to third countries which have not been deemed adequate by either the European Commission or the Andorran data protection authority ('APDA'), are restricted.

    • According to Article 37, data transfers are permited when: 

      1. made with the unequivocal consent of the interested party; 
      2. made in accordance with international conventions of which the Principality Andorra is a party; 
      3. made for the purposes of international legal assistance, or for the recognition, exercise or defence of a right in the context of legal proceedings; 
      4. made for medical prevention or diagnosis, health care, social prevention or diagnosis or for the vital interest of the interested party; 
      5. made for the purpose of bank remittances or transfers of money; 
      6. necessary for the establishment, execution, fulfilment or control of legal relationships or contractual obligations between the interested party and the file manager; 
      7. necessary to preserve the public interest; or 
      8. concerned with data taken from public registries or is made in compliance with the functions and purposes of the public registries.

    • No further information.

    • Guidelines on international transfers issued by the Andorran data protection authority ('APDA') (only available in Catalan here).

    • No Transfers Note currently available.

  • Angola

    • Law No. 22/11 on the Protection of Personal Data ('the Law') (only available in Portuguese here).

      Please note that the Agency for the Protection of Personal Data has not yet been established.

    • According to Section 33 of the Law, data transfers are prohibited to countries that do not ensure an adequate level of protection. The adequacy must be assessed by the National Database Protection Agency ('APD').

    • According to Section 34 of the Law, data transfers are permitted when: 

      1. The data subject has given his/her unequivocal, express and written consent; 
      2. The transfer is required by an international treaty to which the Republic of Angola is a party; 
      3. The transfer is necessary for humanitarian reasons; 
      4. The transfer is necessary for the performance of contract of for precontractual measures; 
      5. The transfer is necessary for the performance of a contract between the data controller and a third party, which is in the interest of the data subject; 
      6. The transfer is necessary for legal obligations or for legal actions; 
      7. The data subject cannot give his/her consent and the transfer is necessary for his/her vital interest; 
      8. The data are included in a publicly available source; and 
      9. If the recipients are bound by contractual agreements to ensure the same level of protection. Data transfers are also allowed when a company has internal rules ensuring the protection of data.

    • No further information.

    • The APD has not yet released any guidelines on data transfers specifically. However, in its guidance on data processing notifications, the APD highlights that, regarding data transfers, organisations must indicate whether the data is sent outside of Angola. If so, organisations must indicate the country, entity, data type and the respective legal basis.

    • No Transfers Note currently available.

  • Antigua and Barbuda

    • Data Protection Act, 2013 ('the Act')

    • Under Section 2 of the Act, disclosure of personal data by transmission, transfer, dissemination or otherwise making it available falls under the concept of processing. Section 5(1) further states that personal data cannot be processed unless the data subejct has given his/her consent.

    • According to Section 5(2) of the Act, data may be processed without consent for the following purposes: 

      1. for the performance of a contract to which the data subject is a party; 
      2. for the taking of steps at the request of the data subject with a view to entering into a contract; 
      3. for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract; 
      4. in order to protect the vital interests of the data subject; 
      5. for the administration of justice; or 
      6. for the exercise of any functions conferred on a person by or under any law.

       

      Moreover, such processing is subject, under Section 5(3) of the Act, to the requirement that it is processed for a lawful purpose directly related to an activity of the data user, that it is necessary for or directly related to that purpose, and that the personal data is adequate but not excessive in relation to that purpose.

    • International Foundations Act 

      According to Article 36 of the International Foundations Act 2007, the minutes of each council meeting shall be kept at the registered office of the foundation and shall be open to inspection by the founder, any foundation council member, any beneficiary, the Court or the Financial Services Regulatory Commission.

    • No further information.

    • No Transfers Note is currently available.

  • Argentina

    • Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act') (only available in Spanish here) and Decree No. 1558/2001 Regulating Act No. 25.326 ('the Decree')(only available in Spanish here).

      Please note that a draft data protection amendment bill is currently being reviewed by the Government (only available in Spanish here).

    • Section 12(1) of the Act states that the transfer of any type of personal information to countries or international or supranational entities that do not provide adequate levels of protection is prohibited. 

    • Under Section 12(2) of the Act, the prohibition does not apply in the following circumstances:

      1. international judicial cooperation;
      2. exchange of medical information, when so required for the treatment of the affected party, or for an epidemiological survey, provided that the data has been anonymised;
      3. stock exchange or banking transfers, to the extent thereof, and in pursuance of the applicable laws;
      4. when the transfer is arranged within the framework of international treaties which the Argentine Republic is a signatory to; or
      5. when the transfer is made for international cooperation purposes between intelligence agencies in the fight against organised crime, terrorism and drug-trafficking.

       

      In addition, Section 12 of the Decree authorises transfers where express consent has been granted by the data subject. It also states that consent is not required when data is transferred from a public registry that is legally constituted to provide information to the public and is open for consultation by the general public or by any person who can demonstrate a legitimate interest, provided that the legal and regulatory conditions for consultation are complied with in each particular case.

      The Argentinian data protection authority's ('AAIP') Regulation 60 – E/2016 on international data transfers listing the countries to which transfers are permitted (only available in Spanish here) ('the International Transfers Regulation'). Moreover, the International Transfers Regulation contains two model contracts that can be used for international data transfers to countries that do not provide adequate levels of protection; one must be used for transfers between data controllers, and the other must be used for transfers to data processors.

    • No further information.

    • Resolution No. 4/2019 on the application and interpretation of the Act (only available in Spanish here);
      Resolution No. 60 – E/2016 on model clauses for international transfers of personal data (only available in Spanish here) ('the International Transfers Resolution');
      Resolution No. 159/2018 on guidelines for binding corporate rules ('BCRs') for international data transfers within the group of multinational companies (only available in Spanish here) ('the BCRs Resolution'); and
      Resolution No. 198/2023 approving the Ibero-American Data Protection Network’s Standard Contractual Clauses (only available in Spanish here) ('the REDIPD SCCs Resolution’).

    • Argentina - Data Transfers Note

  • Armenia

    • Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data ('the Law')

    • Article 26 and 27 of the Law state that personal data may be transferred to a third party or to another state with the data subject's consent, where it is required for by law and the state has an adequate level of data protection, or where the transfer of data stems from the purposes of processing personal data and/or is necessary for the implementation of these processes. The transfer of biometric or special category personal data needs to be notified to the Personal Data Protection Agency ('the Agency').

    • Article 26(2) of the Law states that special category personal data can be transferred to third parties without the data subject's consent, where the data processor is considered a processor of special category personal data prescribed by law or an interstate agreement, the transfer of such information is directly provided for by law and has an adequate level of protection, or the transfer od data is to protect the life, health, or freedom of the data subject. 

      Moreover, according to Article 27(3) of the Law, personal data can be transferred to a state not providing adequate data protection by the permission of the Agency, where the personal data are transferred on the basis of an agreement with appropriate safeguards approved by the Agency as providing adequate protection.

    • Government Decree No. 1521-N of 26 December 2013 on Approving Minimum Requirements for Official Websites of the Internet Network (only available in Armenian here) establishes data localisation requirements for the official websites of governmental agencies.

    • No further information.

    • Armenia - Data Transfers Note

  • Aruba

    • National Ordinance of May 19, 2011 Laying Down New Rules for the Protection of Privacy in Connection with the Recording and Dissemination of Personal Data ('the Ordinance') (only available in Dutch here).

    • DataGuidance confirmed with Daniel Rasmijn, Attorney at HBN Law, that data transfers must comply with the conditions contained in Article 9 of the Ordinance if they are to be lawful:

      1. the transfer is necessary in connection with the purpose of the data recording;
      2. insofar as necessary based on legislation;
      3. if the data subject has granted their consent;
      4. in the interest of academic research, statistics or other urgent reasons, if certain specific conditions are met.

      Moreover, Article 24(2) of the Ordinance establishes a prohibition to transfer data from Aruba to a foreign country if the Ordinance is not applicable and the Minister of Justice has declared that such a transfer would be harmful to the privacy of data subjects.

    • DataGuidance also confirmed with Daniel Rasmijn that there are no exemptions that allow an international data transfer once the Minister has declared that it would harm privacy rights.

    • No further information.

    • No further information.

    • No Transfers Note is currently available. 

  • Australia

    • Privacy Act 1988 No. 119, 1988 (as amended) ('the Act')

    • Principle 8 of the Act provides that the cross-border use or disclosure of data can happen only when the entity, which wants to transfer the data, has taken such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles ('APP') (other than Australian Privacy Principle 1) in relation to the information. In addition APP entities that disclose personal information outside Australia are liable under The Notifiable Data Breaches scheme, and must notify eligible data breaches while the information is under the APP entity control.

    • According to Principle of 8 of the Act, an entity does not have to take the reasonable steps when: 

      1. The recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; 
      2. The entity expressly informs the individual that if he/she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure; after being so informed, the individual consents to the disclosure; 
      3. The disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; 
      4. A permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by an entity covered by the APP; 
      5. The entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or 
      6. The entity is an agency and both of the following apply: the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.

    • There are currently no statutory localisation or residence requirements for personal information. However, certain health information cannot leave certain States (e.g. NSW, Victoria and ACT) unless the discloser is satisfied they are going to a place with similar health information privacy laws. In particular, Section 77(1) of the Personally Controlled Electronic Health Records Act 2012 ('PCEHR') notes that operators which are subject to PCEHR are not required to hold or take records outside Australia.

      Exemptions

      Such operators are exempted from this restriction, provided that the records do not include personal information in relation to a consumer or participant in the PCEHR system or identifying information of an individual or entity.

      A mandatory comprehensive credit reporting regime is currently being considered in the form of the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019, which includes a localisation requirement. 

    • APP Guidelines (Chapters 3, 6 and, 8)

       

       

    • Australia - Data Transfers Note

  • Azerbaijan

    • Law of 11 May 2010 No. 998-IIIQ on Personal Data (only available in Azerbaijani here) ('the Personal Data Law')

    • According to the Law, Article 14 of the Personal Data Law cross border transmissions of personal data are prohibited in the following cases:

      • when creating a threat to the national security of the Republic of Azerbaijan;
      • if the legislation of the country where the personal data is transmitted does not provide legal protection of such data at the level established by the legislation of the Azerbaijan Republic;
      • in cases where the subject agrees to the cross-border transfer of personal data, as well as the transfer of personal data is necessary to protect the life and health of the subject, the cross-border transfer of personal data may be carried out regardless of their level of legal protection; and
      • in the case of cross-border transmission of personal data, the security of this data is ensured by the owner or operator. 

    • Not applicable. 

    • Not applicable. 

    • Not applicable. 

    • No Transfers Note currently available.

  • Bahrain

    • Law No. (30) of the Year 2018 Issuing a Law on the Protection of Personal Data (only available in Arabic here) ('the Act') 

    • Under Article 12 of the Act, data transfers outside Bahrain are prohibited, unless:

      1. the relevant country or territory provides adequate protection of personal data, based on the assessment of the competent authority; or
      2. the competent authority permits the transfer, having assessed the circumstances.

    • Under Article 13 of the Act, data transfers to a country or territory that does not provide adequate protection of personal data is permitted if:

      1. the individual gave their consent;
      2. the personal data originates from public registers; or
      3. the data transfer is necessary for the following purposes: fulfilment of a contract; protection of vital interests of the individual; implementation of a legal obligation; or legal claim purposes.

    • Central Bank Business Standards

      According to Central Bank of Bahrain ('CBB') Volume 1 Business Standards, OM 6.3.1 ('the Rule'), conventional bank licensees must maintain the following records in original form or in hard copy at their premises in Bahrain: 

      1. internal policies, procedures, and operating manuals; 
      2. corporate records, including minutes of shareholders, directors, and management meetings; 
      3. correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
      4. reports prepared by the conventional bank licensee's internal and external auditors; and 
      5. employee training manuals and records.

       

      According to Article 60 of the Central Bank of Bahrain and Financial Institutions Law (the Law'), records referred to in Article 59 of the Law shall be kept for at least 10 years at the Licencee's main office in the Kingdom of Bahrain or at such other places as the Central Bank may approve. Records shall be kept in such a format, as the CBB may deem suitable.

    • No further information.

    • No Transfers Note currently available.

  • Bolivia

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note is currently available. 

  • British Columbia

    • The Personal Information Protection Act (Statutes of British Columbia 2003, c. 63) ('BC PIPA')

    • BC PIPA does not specifically regulate data transfers. However, it does regulate 'disclosure', which, according the the Official Guidelines, involves 'showing, sending or giving some other organisation, government or individual the personal information in question.' An organisation may disclose personal information only: 

      1. for purposes that a reasonable person would consider are appropriate in the circumstances and that the data subject has been notified of in advance, as per Section 17 of BC PIPA; or
      2. with the consent of the individual, as per Section 6(1) of BC PIPA.

    • According to Section 18 of BC PIPA, an organisation may disclose personal information about an individual without their consent if: 

      1. the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way; 
      2. the disclosure is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent; 
      3. it is reasonable to expect that the disclosure with the consent of the individual would compromise an investigation or proceeding and the disclosure is reasonable for purposes related to an investigation or a proceeding;
      4. the information is collected from certain public events; the disclosure is necessary to determine a suitability  to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or to be selected for an athletic or artistic purpose;
      5. the disclosure is necessary in order to collect a debt owed to the organisation or for the organisation to repay an individual money owed to them by the organisation;
      6. the personal information is disclosed in accordance with a provision of a treaty that British Columbia or Canada is a party to and that authorises or requires its disclosure;
      7. the disclosure is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of personal information;
      8. the disclosure is to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province, to assist in an investigation, or in the making of a decision to undertake an investigation, to determine whether the offence has taken place, or to prepare for the laying of a charge or the prosecution of the offence;
      9. there are reasonable grounds to believe that compelling circumstances exist that affect the health or safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates;
      10. the disclosure is for the purpose of contacting next of kin or a friend of an injured, ill or deceased individual;
      11. the disclosure is to a lawyer who is representing the organisation; the disclosure is to an archival institution if the collection of the personal information is reasonable for research or archival purposes; or
      12. the disclosure is required or authorised by law.

      Additionally, under Section 19 of BC PIPA, an organisation may disclose employee personal information without the consent of the individual where the disclosure is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organisation and the individual, as long as it notifies the individual of the disclose, and the purposes for the dislcosure, beforehand.

      Moreover, according to Section 20 of BC PIPA, an organisation may disclose personal information about its employees, customers, directors, officers or shareholders without their consent, to a prospective party to a business transaction that involves substantial assets other than the data subjects' personal information. This applies if the personal information is necessary for the prospective party to determine whether to proceed with the business transaction, and the organisation and prospective party have entered into an agreement that requires the prospective party to use or disclose the personal information solely for purposes related to the prospective business transaction.

      According to Sections 21 and 22 of BC PIPA, an organisation may disclose information without consent, for research, statistical, archival or historial purposes, in certain circumstances.

    • Under Section 30 of the Freedom of Information and Protection of Privacy Act, RSBC 1996 c 165 a public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:

      1. if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
      2. if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
      3. if it was disclosed under Section 33.1 (1) (i.1).

    • Official Guidelines on the general application of BC PIPA issued by the Office of the Information and Privacy Commissioner in October 2015. 

    • Canada - Data Transfers Note

  • California

    • California Consumer Privacy Act of 2018 ('CCPA')

    • Not applicable.

    • Not applicable.

    • Certain public procurement contracts might impose domestic data storage as a requirement. In addition, contractors working in certain industries may be subject to certain localisation or other restrictions. For example, the U.S. Department of Defense ('DOD') requires cloud computing service providers that provide services to the DoD to store data relating to the DoD within U.S. territory, unless otherwise authorised in writing by the DoD.

    • Not applicable.

    • California - Data Transfers Note

  • COPPA

    • Children's Online Privacy Protection Rule 1999 (16 C.F.R. Part 312) ('COPPA Rule')

    • COPPA does not contain any explicit cross-border data transfer restrictions. 

      However, §312.4 requires a website operator to provide notice and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children.

      Moreover, §312.8 requires an operator to take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner.

    • § 312.5(c) provides verifiable parental consent is not required prior to the collection, use, or disclosure of personal information from a child: 

      1. where the sole purpose of collecting the name or online contact information of the parent or child is to provide notice and obtain parental consent; 
      2. where the purpose of collecting a parent's online contact information is to provide voluntary notice to, and subsequently update the parent about, the child's participation in a website or online service that does not otherwise collect, use, or disclose children's personal information. In such cases, the parent's online contact information may not be used or disclosed for any other purpose; 
      3. where the sole purpose of collecting online contact information from a child is to respond directly on a one-time basis to a specific request from the child, and where such information is not used to re-contact the child or for any other purpose, is not disclosed, and is deleted by the operator from its records promptly after responding to the child's request; 
      4. where the purpose of collecting a child's and a parent's online contact information is to respond directly more than once to the child's specific request, and where such information is not used for any other purpose, disclosed, or combined with any other information collected from the child. In such cases, the operator must make reasonable efforts to ensure that the parent receives notice. 
      5. where the purpose of collecting a child's and a parent's name and online contact information, is to protect the safety of a child, and where such information is not used or disclosed for any purpose unrelated to the child's safety;
      6. where the purpose of collecting a child's name and online contact information is to (i) protect the security or integrity of its website or online service; (ii) take precautions against liability; (iii) respond to judicial process; or (iv) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety; and where such information is not be used for any other purpose;
      7. where an operator collects a persistent identifier and no other personal information and such identifier is used for the sole purpose of providing support for the internal operations of the website or online service;
      8. where an operator collects a persistent identifier and no other personal information from a user who affirmatively interacts with the operator and whose previous registration with that operator indicates that such user is not a child. 

      According to § 312.6, disclosures made in good faith and following reasonable procedures in responding to a request for disclosure of personal information to the parent of a child are allowed.

    • No further information.

    • Complying with COPPA: Frequently Asked Questions issued by the Federal Trade Commission.

    • No Transfers Note currently available.

  • Iraq

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Third Country Assessments

Request a jurisdiction

Schrems II - Third Country Assessment

  • There is a requirement in place.
  • Click to view information for additional detail.
  • There is no requirement in place.
    Applicable Law
  • Human rights law
  • Authority access law
  • Legal bases for access
  • Other limits on access
    Authority Functions
  • Authorities
  • Oversight mechanisms
  • Legal remedies data subjects
  • Legal remedies organisations
    title
  • Overseas subjects
  • International commitments
  • Further information
  • Albania
  • Algeria
  • Argentina
  • Armenia
  • Australia
  • Azerbaijan
  • Bahrain
  • Bangladesh
  • Bosnia & Herzegovina
  • Brazil
  • California
  • Canada Federal
  • Cayman Islands
  • Colorado
  • DRC
  • Israel
  • Jamaica

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.