Data Transfer Impact Assessment

Direct transfers: Not applicable.

Onward transfers: Standard Contractual Clauses between AirRetailer and its sub-processors. AirRetailer imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.
 

The Brazilian government can only access/intercept personal data for certain specified purposes including, but not limited to, criminal law enforcement and surveillance, as further described below, and after authorization of a court. 
A high-level summary of the key laws is provided below:
Wiretapping and Information Systems Surveillance Law - allows interception of Brazilian telephone lines and information systems. All interception must be approved through court order and not be longer than 15 days. 
Brazilian Intelligence Agency (Agência Brasileira de Inteligência - ABIN) - establishes that ABIN can only request data from other government agencies/authorities which are part of the Brazilian System of Intelligence. 
The Brazilian Internet Civil Rights Framework (Law No 12,965) – establishes a) where a non-Brazilian company has a data center in Brazil, the Brazilian law applies, b) requires internet connection and application providers to keep connection and access logs (IP, date and time of use) for 12 months (internet connection) and 6 months (application access) and c) if a company violates the Brazilian Internet Civil Rights Framework sanctions may apply such as warnings, fines suspension and prohibition.
Encryption - The Federal Supreme Court has on hold two trials that may decide if a court can apply sanctions for noncompliance with a court order to reverse/access encrypted data.

The Brazilian General Data Protection Law ("LGPD") is mostly aligned with the GDPR, therefore it provides a similar level of protection, but it does not apply to national security or criminal matters. However, the country has not yet been evaluated in order to obtain an adequacy decision from the European Data Protection Board.
AirRetailer publishes and follows AirRetailer Guidelines for Law Enforcement Requests in responding to any government requests for data. AirRetailer also publishes an annual Transparency Report with information about government requests to access data.

Private entities that are obligated to comply with the Protection of Personal Data held by Private Parties ('LFPDPPP') legislation must process data in some manner in connection with Mexico and therefore have to respond to demands by Mexican authorities to disclose those personal data (assuming the demand is otherwise lawful). 

AirRetailer is potentially within the scope of the importing territory's governmental security and surveillance powers if the data importer obtains personal data that falls under the definition of “data processing” in the LFPDPPP. Under Mexican Data Protection Laws, the transfer of data turns the receiver into a data controller. The scope of application of LFPDPPP and its Regulations is when the processing:

is carried out in an establishment of the data controller located in Mexico; 

is carried out by a data processor, regardless of its location, on behalf of a data controller established in Mexico; 

the data controller is not established in Mexico but is subject to Mexican laws as a consequence of entering into a contract that is governed by Mexican law or to which Mexican jurisdiction extends under international law; or 

the data controller is not established in Mexico but uses equipment/media located in Mexico, unless such media are used only for transit purposes that do not involve processing. For this case, the data controller shall provide the media necessary to comply with the obligations imposed by the referred laws.

Mexican Authorities will argue that the data importer has the data and they may exercise their powers.

AirRetailer publishes and follows AirRetailer Guidelines for Law Enforcement Requests in responding to any government requests for data. AirRetailer also publishes an annual Transparency Report with information about government requests to access data.

The Philippines has enacted specific laws that enable law enforcement authorities and military personnel to obtain access to data, including personal data being processed in the Philippines and held by private organizations. In addition, the powers of government authorities enable them to request / access data stored in Europe but which are accessed by individuals located in the Philippines, as long as the person or entity sought to be enjoined is subject to the jurisdiction of the Philippine government. 
A high-level summary of the key laws is provided below:
The Philippine Constitution of 1987 – this allows exceptions to the right to privacy, which means that data (including personal data) can be accessed however law enforcers must first obtain a warrant with the proper court.

Republic Act (R.A.) No. 11479 or the “The Anti-Terrorism Act of 2020” (ATA) – this allows law enforcers or military personnel to have access to, read, collect, or record, any private communication, conversation, discussion, data, information, or messages in whatever form, kind or nature, when it takes place between terrorists / terrorist organizations.

Anti-Wiretapping Act (R.A. 4200) - while it is generally prohibited for any person to secretly tap, intercept, or record private communications between individuals, the law provides for an exception when any police officer has obtained a court order.

Cybercrime Prevention Act (R.A. No. 10175) - authorizes law enforcement authorities, upon securing a court warrant, may require any person or telecommunications service providers to preserve, disclose, or submit subscriber information, traffic data, or relevant data in its possession or control in relation to the prosecution of a crime committed through a computer network or the use of electronic communications devices. Service providers are required to preserve the integrity of traffic data and subscriber information for a minimum period of six months from the date of the transaction.

AirRetailer publishes and follows AirRetailer Guidelines for Law Enforcement Requests in responding to any government requests for data. AirRetailer also publishes an annual Transparency Report with information about government requests to access data.

Direct transfers: Not applicable.

Onward transfers: AirRetailer transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. 

Direct transfers: Not applicable.

Onward transfers: Continuous.

Direct transfers: Not applicable.

Onward transfers: Please refer to AirRetailer's sub-processor page for more information.

Direct transfers: Not applicable.

Onward transfers: Determined at the sole discretion of the data exporter.
 

Direct transfers: Not applicable.

Onward transfers: Standard Contractual Clauses between AirRetailer and its sub-processors. AirRetailer imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.
 

Singapore has enacted laws that enable the government to obtain access to data, including personal data being processed in Singapore.

A high-level summary of the key laws relevant in Singapore is provided below:

The Cybersecurity Act (CSA) - authorizes the government to obtain access to data to prevent, manage, and respond to cybersecurity threats and incidents.

The Protection from Harassment Act – prohibits any individual or entity (excluding public agencies) from surveilling individuals. 

The Computer Misuse Act - prohibits unauthorized use or interception of a computer service.

The Personal Data Protection Act (PDPA) – requires organizations who collect, use, or disclose personal data in Singapore to adhere to GDPR-like requirements. This law complements sectoral laws like the Singapore Banking Act. Requirements include obtaining consent or relying on other specific legitimate interests to process personal data, and ensuring the same level of data protection is imposed on any extraterritorial personal data recipients. However, these requirements do not apply to investigations related to civil, criminal, or administrative proceedings.

AirRetailer publishes and follows AirRetailer Guidelines for Law Enforcement Requests in responding to any government requests for data. AirRetailer also publishes an annual Transparency Report with information about government requests to access data.
 

Direct transfers: Not applicable.

Onward transfers: Continuous.

Direct transfers: Not applicable.

Onward transfers: Standard Contractual Clauses between AirRetailer and its sub-processors. AirRetailer imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.
 

A high-level summary of the key laws relevant in Turkey is provided below:

Constitution of the Republic of Turkey - establishes that any interference with fundamental rights and freedoms must be proportionate and in compliance with the essence of the Constitution and the requirements of the democratic and secular system. However, under extreme circumstances (e.g., war, mobilization, or state of emergency), the exercise of fundamental rights and freedoms may be partially or entirely suspended to the extent required by the requirements of the situation, as long as this does not violate any obligations under international law
Criminal Procedural Code No. 5271 (CPC) – permits communications that are at a post office to be seized, if there is probable cause that they constitute evidence of a crime. Evidence can also be obtained by interception of correspondence through telecommunications, provided certain conditions are met (such as lack of alternative methods, relation to specific crimes, etc.). 

Electronic Communications Law No. 5809 (ECL) – grants, in the context of its duties, the relevant authority the power to request any type of document or information from individuals, private and public entities.

Protection of Competition Law No. 4054 (only available in Turkish) – establishes the Competition Authority's right to supervise and inspect all information, documents, and ledger of any organization.

State Intelligence Services and National Intelligence Organisation Law No. 2937 (only available in Turkish) ("State Intelligence Services Law") – Turkish intelligence services are entitled to request any type of document or information from individuals, private or public entities. They may also intercept communications provided a judge authorizes it, or a written order issued by the relevant authority's senior official in cases of disclosure of state secrets or the activities of terrorism.

Extraterritorial effect:  the governmental or state authorities’ powers to request documents from organizations are not limited to information located in Turkey (if servers are located in Europe). The same principle applies to tapping into the communication of individuals by judicial decision. In a two-ended conversation, if one of the persons is located in Europe or is a European citizen, the National Intelligence Organisation will still be able to collect the necessary information.

AirRetailer publishes and follows AirRetailer Guidelines for Law Enforcement Requests in responding to any government requests for data. AirRetailer also publishes an annual Transparency Report with information about government requests to access data.

Direct transfers: AirRetailer has offices in the United States where our employees may access personal data for the purposes of the provision of Services and Forge.

Onward transfers: AirRetailer transfers personal data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. 

Direct transfers: Continuous.

Onward transfers: Continuous.

Direct transfers: As detailed in AirRetailer DPA and Forge DPA respectively.

Onward transfers: Please refer to AirRetailer's sub-processor page for more information.

Direct transfers: None.

Onward transfers: Determined at the sole discretion of the data exporter.

Direct transfers: AirRetailer’s DPF Certification for the contractual relationship between AirRetailer and its customers, or Forge developers, respectively.

Onward transfers: Standard Contractual Clauses between AirRetailer and its sub-processors. AirRetailer imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:

FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. 

Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire, and other electromagnetic means.

Further information about these U.S. surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S.Data Transfers after Schrems II whitepaper from September 2020. As for the CLOUD Act, please refer to What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.
With the Data Privacy Framework, Europe introduced the adequacy framework for US companies that self-certify under the DPF. An essential element of the adequacy decision was the updated US legal framework, e.g. Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, which was signed by President Biden on 7 October and is accompanied by regulations adopted by the Attorney General. These instruments were adopted to address the issues raised by the Court of Justice in its Schrems II judgment.

For Europeans whose personal data is transferred to the US, the Executive Order provides for:

Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;

Enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and

The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.

AirRetailer US, Inc. and its US affiliates participate in and certify compliance with the Data Privacy Framework Principles. Our US entities are now able to rely on the adequacy decision to receive EU personal data. You can find more information in our Privacy Notice under the Section “Data Privacy Framework Notice.”

AirRetailer publishes and follows AirRetailer Guidelines for Law Enforcement Requests in responding to any government requests for data. AirRetailer also publishes an annual Transparency Report with information about government requests to access data.

Direct transfers: Continuous.

Onward transfers: Continuous.

Direct transfers: As detailed in our Data Processing Agreement (DPA).

Onward transfers: As described in our sub-processor documentation, including customer personal data and service-related information.

Direct transfers: Determined by the data exporter, depending on the specific service.

Onward transfers: Managed at the discretion of the data exporter in alignment with our sub-processor terms.
 

Direct transfers: Standard Contractual Clauses or any other lawful mechanisms under the UAE data protection laws between the exporter and the importer.

Onward transfers: Standard Contractual Clauses between the exporter and any relevant sub-processors, ensuring proper safeguards for data protection.
 

The UAE has enacted several laws that may compel companies to disclose personal data to government bodies or law enforcement. Key laws include:
Federal Law No. 2 of 2019 on the Use of the Information and Communication Technology (ICT) in Criminal Matters, which provides authorities the power to access electronic data if there is suspicion of criminal activity.
Federal Law No. 5 of 2012 on Combating Cybercrimes, which grants enforcement agencies the authority to access electronic data in relation to cyber offenses.
The Federal Law No. 45 of 2021 on the Protection of Personal Data (PDPL) provides a legal framework for personal data processing in the UAE, outlining the rights and obligations of data subjects, data controllers, and processors, and sets limitations on data access by authorities.

While these laws empower the government to access data in specific circumstances, mutual legal assistance treaties (MLATs) or international collaboration may be required for cross-border data access requests. Furthermore, many requests for data access are subject to legal oversight, ensuring proportionality and adherence to legal standards.

We comply with the AirRetailer Guidelines for Law Enforcement Requests and publish an annual Transparency Report, outlining the volume and nature of data requests received from government bodies, including in the UAE.
 

AirRetailer provides the following technical measures to provide additional security for personal data:

Data residency: AirRetailer allows customers to pin in-scope product content at rest to a location. Planned expansions to our data residency program (including data residency for apps and additional locations) are highlighted in AirRetailer’s cloud roadmap
Encryption: AirRetailer offers data encryption at rest and in transit, as well as BYOK encryption.

Security and certifications: We have a formal security management program and we review our Information Security Management Program (ISMP) on an annual basis. Additional information about AirRetailer’s security practices and certifications are available in the AirRetailer DPA and the Forge DPA, as well as on our Trust Center.

AirRetailer’s contractual measures are set out in our Data Processing Addendum which incorporates the SCCs, as well as UK Addendum and Swiss modifications for SCCs. In particular, we are subject to the following requirements:

Technical measures: AirRetailer is contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the Customer and Forge DPAs as well as the SCCs we enter into with customers, service providers, and between entities with the AirRetailer group).
Transparency: AirRetailer is obligated under the SCCs to notify its customers and Forge developers in the event it is made subject to a request for government access to customer personal data from a government authority. In the event that AirRetailer is legally prohibited from making such a disclosure, AirRetailer is contractually obligated to challenge such prohibition and seek a waiver.

Actions to challenge access: Under the SCCs, AirRetailer is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.

AirRetailer’s organizational measures to secure data include:
Policy for government access: AirRetailer publishes and follows AirRetailer Guidelines for Law Enforcement Requests in responding to any government requests for data. To obtain data from AirRetailer, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant.

AirRetailer publishes its annual Transparency Report with information about government requests to access data.
Onward transfers: Whenever we share your data with AirRetailer service providers, we remain accountable to you for how it is used. We require all service providers to undergo a thorough cross-functional diligence process by subject matter experts in our Security, Privacy, and Risk & Compliance Teams to ensure our customers and Forge developers' personal data receives adequate protection. This process includes a review of the data AirRetailer plans to share with the service provider and the associated level of risk, the supplier’s security policies, measures, and third-party audits, and whether the supplier has a mature privacy program that respects the rights of data subjects. We provide a list of our sub-processors on our sub-processors page.

Privacy by design: AirRetailer’s Privacy Principles outline AirRetailer’s approach to privacy, and more detailed information on privacy in our machine learning intelligent experiences is available here.

Employee training: AirRetailer provides data protection training to all AirRetailer staff globally.