1. Overview
MayDay-IC is committed to respecting and protecting the privacy rights of individuals worldwide. As an emergency incident command platform used by agencies across the globe, we recognize that personal data protection is governed by a complex landscape of international laws and regulations.
This page provides a comprehensive overview of the international privacy frameworks that may apply to MayDay-IC users and the rights afforded under each jurisdiction. We strive to meet or exceed the requirements of each applicable law.
Because MayDay-IC processes protected health information (PHI) in connection with emergency response, much of the data we handle in the United States is governed by HIPAA. For data processed outside the United States or for non-PHI data, the international privacy frameworks described below apply in addition to, or in place of, U.S. federal and state privacy laws.
2. Global Privacy Law Summary
The following table summarizes the major international privacy and data protection laws applicable to MayDay-IC operations, including key authorities and response timelines.
| Region / Country | Law | Effective Date | Authority | Response Timeline |
|---|---|---|---|---|
| EU / EEA | GDPR | May 25, 2018 | National DPAs | 30 days |
| United Kingdom | UK GDPR / DPA 2018 | Jan 1, 2021 | ICO | 30 days |
| Canada | PIPEDA + Quebec Law 25 | 2000 / Sep 22, 2024 | OPC / CAI | 30 days |
| Brazil | LGPD | Sep 18, 2020 | ANPD | 15 days |
| Australia | Privacy Act 1988 | 1988 (amended 2024) | OAIC | 30 days |
| Japan | APPI | 2022 (amended) | PPC | 2 weeks |
| South Korea | PIPA | 2023 (amended) | PIPC | Without delay |
| India | DPDP 2023 | Aug 11, 2023 | DPB | Per rules |
| China | PIPL | Nov 1, 2021 | CAC | 15 working days |
| Singapore | PDPA | Jul 2, 2014 | PDPC | 30 days |
| Thailand | PDPA | Jun 1, 2022 | PDPC | 30 days |
| South Africa | POPIA | Jul 1, 2021 | Information Regulator | 30 days |
| New Zealand | Privacy Act 2020 | Dec 1, 2020 | OPC | 20 working days |
| Switzerland | nFADP | Sep 1, 2023 | FDPIC | 30 days |
| Israel | Privacy Protection Law | 1981 (amended 2024) | PPA | 30 days |
| Argentina | PDPL | 2000 | AAIP | 10 days |
| Mexico | LFPDPPP | Jul 6, 2010 | INAI | 20 days |
| Colombia | Law 1581 | Oct 18, 2012 | SIC | 15 days |
| Turkey | KVKK | Apr 7, 2016 | KVKK Board | 30 days |
| Philippines | DPA of 2012 | Sep 9, 2016 | NPC | 15 days |
| UAE | PDPL | Jan 2, 2022 | Data Office | 14 days |
| Saudi Arabia | PDPL | Sep 14, 2023 | SDAIA | 30 days |
| Indonesia | PDP Law | Oct 17, 2022 | MoC | 3 x 24 hours |
| Vietnam | PDPD | Jul 1, 2023 | MoPS | 72 hours (breach) |
| Nigeria | NDPA | Jun 12, 2023 | NDPC | 72 hours (breach) |
| Kenya | DPA 2019 | Nov 25, 2019 | ODPC | 30 days |
| Egypt | Law 151 | Oct 15, 2020 | DPC | Unspecified |
| Taiwan | PDPA | 2012 (amended 2023) | NDC | 15 / 30 days |
| Malaysia | PDPA 2010 | Nov 15, 2013 | Commissioner | 21 days |
3. European Union / European Economic Area (GDPR)
The General Data Protection Regulation (GDPR) is the cornerstone of data protection law in the European Union and European Economic Area. It establishes comprehensive requirements for the processing of personal data and grants extensive rights to data subjects.
Lawful Bases for Processing
Under the GDPR, MayDay-IC processes personal data only when we have a valid lawful basis, including:
- Consent: Where you have given clear, informed, and freely given consent for specific processing purposes.
- Contract: Where processing is necessary for the performance of a contract with you or to take pre-contractual steps at your request.
- Legal Obligation: Where processing is necessary to comply with EU or member state law.
- Vital Interests: Where processing is necessary to protect someone’s life, particularly relevant in emergency response scenarios.
- Public Interest: Where processing is necessary for tasks carried out in the public interest or in the exercise of official authority.
- Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests.
Data Subject Rights (Articles 15–22)
If you are located in the EU/EEA, you have the following rights under the GDPR:
- Right of Access (Art. 15): Obtain confirmation of whether we process your personal data and access a copy of that data, along with information about the purposes, categories, recipients, retention periods, and your rights.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data or completion of incomplete data without undue delay.
- Right to Erasure / Right to Be Forgotten (Art. 17): Request deletion of your personal data where the data is no longer necessary, you withdraw consent, or the data has been unlawfully processed, subject to legal retention requirements.
- Right to Restriction of Processing (Art. 18): Request restriction of processing where you contest accuracy, processing is unlawful, we no longer need the data, or you have objected to processing pending verification.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interests or public interest, including profiling. We must cease processing unless we demonstrate compelling legitimate grounds.
- Right Not to Be Subject to Automated Decision-Making (Art. 22): Not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, except where necessary for contract performance, authorized by law, or based on explicit consent.
Cross-Border Data Transfers
MayDay-IC transfers personal data outside the EU/EEA only when adequate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use the European Commission’s approved SCCs for transfers to countries without an adequacy decision.
- Adequacy Decisions: We may transfer data to countries that the European Commission has determined provide an adequate level of data protection.
- Binding Corporate Rules (BCRs): Where applicable, we rely on approved BCRs for intra-group transfers.
Data Protection Officer
MayDay-IC has appointed a Data Protection Officer (DPO) who can be reached at info@maydayic.com for all matters relating to GDPR compliance.
Supervisory Authority
You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated. A list of EU/EEA supervisory authorities is available on the European Data Protection Board (EDPB) website.
Penalties
Non-compliance with the GDPR can result in administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
4. United Kingdom (UK GDPR / DPA 2018)
Following Brexit, the United Kingdom adopted the UK GDPR, which mirrors the EU GDPR in most respects, alongside the Data Protection Act 2018. The UK GDPR applies to all processing of personal data of individuals in the United Kingdom.
Key Provisions
- The UK GDPR largely mirrors the EU GDPR in scope, lawful bases, and data subject rights.
- The Information Commissioner’s Office (ICO) is the independent supervisory authority responsible for enforcement.
- International data transfers from the UK require adequacy decisions, SCCs (International Data Transfer Agreement or UK Addendum), or other appropriate safeguards.
- The UK has been granted an adequacy decision by the EU, allowing data to flow freely between the UK and EU/EEA.
Your Rights
UK data subjects enjoy the same rights as under the EU GDPR, including access, rectification, erasure, restriction, portability, objection, and protection from automated decision-making.
Penalties
Maximum fines under the UK GDPR are £17.5 million or 4% of total worldwide annual turnover, whichever is higher.
5. Canada (PIPEDA + Quebec Law 25)
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law governing the private sector. Quebec’s Law 25 (Act Respecting the Protection of Personal Information in the Private Sector) provides additional protections for Quebec residents.
PIPEDA’s 10 Fair Information Principles
- Accountability: An organization is responsible for personal information under its control.
- Identifying Purposes: Purposes for collection must be identified at or before the time of collection.
- Consent: Knowledge and consent are required for collection, use, or disclosure.
- Limiting Collection: Collection must be limited to what is necessary for identified purposes.
- Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected.
- Accuracy: Personal information shall be as accurate, complete, and up-to-date as necessary.
- Safeguards: Personal information shall be protected by appropriate security safeguards.
- Openness: An organization shall make its policies and practices readily available.
- Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and given access.
- Challenging Compliance: Individuals may challenge compliance with these principles to the designated accountability officer.
Your Rights Under PIPEDA
- Right to Access: Access your personal information held by the organization.
- Right to Correction: Challenge the accuracy and completeness of your personal information and have it amended.
- Right to Withdraw Consent: Withdraw consent at any time, subject to legal or contractual restrictions.
- Right to Complain: File a complaint with the Office of the Privacy Commissioner of Canada (OPC).
Quebec Law 25 Additions
- Privacy impact assessments required for certain projects.
- Privacy by default for technological products and services.
- Right to data portability.
- Right to de-indexation (right to be forgotten) in search engines.
- Mandatory breach notification to the Commission d’accès à l’information (CAI).
- Penalties up to CAD $25 million or 4% of worldwide turnover.
Enforcement
PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC). Quebec Law 25 is enforced by the Commission d’accès à l’information (CAI).
6. Brazil (LGPD)
Brazil’s Lei Geral de Proteção de Dados (LGPD) is a comprehensive data protection law that applies to any processing of personal data of individuals located in Brazil, regardless of where the data processor is located.
Legal Bases for Processing
The LGPD provides 10 legal bases for processing personal data:
- Consent
- Legal or regulatory obligation
- Public administration and public policy execution
- Research (by research bodies, with anonymization where possible)
- Contract performance
- Exercise of rights in judicial, administrative, or arbitration proceedings
- Protection of life or physical safety
- Health protection (by health professionals or health entities)
- Legitimate interests
- Credit protection
Your Rights Under the LGPD
- Confirmation and Access: Confirm the existence of processing and access your data.
- Correction: Correct incomplete, inaccurate, or outdated data.
- Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data.
- Data Portability: Transfer your data to another service or product provider.
- Deletion: Delete personal data processed with your consent.
- Information on Sharing: Obtain information about public and private entities with which your data has been shared.
- Information on Non-Consent: Be informed about the possibility and consequences of not providing consent.
- Revocation of Consent: Revoke consent at any time.
Enforcement
The LGPD is enforced by the Autoridade Nacional de Proteção de Dados (ANPD). Penalties include fines of up to 2% of revenue in Brazil, capped at BRL 50 million per violation.
7. Asia-Pacific
Japan — Act on the Protection of Personal Information (APPI)
The APPI, as amended in 2022, governs the handling of personal information by business operators in Japan. Key rights include:
- Right to request disclosure of retained personal data.
- Right to request correction, addition, or deletion of inaccurate data.
- Right to request cessation of use or erasure if data was obtained improperly or is no longer needed.
- Right to request cessation of third-party provision.
Enforced by the Personal Information Protection Commission (PPC). Response timeline: 2 weeks.
South Korea — Personal Information Protection Act (PIPA)
PIPA, as amended in 2023, is one of the strictest data protection laws in Asia. Key rights include:
- Right to be informed about the processing of personal information.
- Right to consent to or refuse the processing of personal information.
- Right to request access, correction, suspension, and deletion.
- Right to claim damages for privacy violations.
Enforced by the Personal Information Protection Commission (PIPC). Responses must be provided without delay.
India — Digital Personal Data Protection Act (DPDP 2023)
The DPDP Act 2023 establishes a framework for processing digital personal data in India. Key rights include:
- Right to obtain information about processing.
- Right to correction and erasure of personal data.
- Right to grievance redressal.
- Right to nominate another person to exercise rights in case of death or incapacity.
Enforced by the Data Protection Board (DPB). Response timelines to be specified per implementing rules.
China — Personal Information Protection Law (PIPL)
The PIPL is China’s comprehensive data protection law governing the processing of personal information of individuals within China. Key rights include:
- Right to know and decide on the processing of personal information.
- Right to restrict or refuse processing.
- Right to access and copy personal information.
- Right to request correction or completion.
- Right to request deletion.
- Right to request explanation of processing rules.
- Right to data portability.
Enforced by the Cyberspace Administration of China (CAC). Response timeline: 15 working days. Cross-border transfer requires security assessments, SCCs, or certification.
Singapore — Personal Data Protection Act (PDPA)
Singapore’s PDPA governs the collection, use, and disclosure of personal data by organizations. Key rights include:
- Right to access personal data held by an organization.
- Right to correction of personal data.
- Right to withdraw consent.
- Right to data portability (effective 2024).
Enforced by the Personal Data Protection Commission (PDPC). Response timeline: 30 days.
Thailand — Personal Data Protection Act (PDPA)
Thailand’s PDPA provides comprehensive data protection aligned with international standards. Key rights include:
- Right to access and obtain copies of personal data.
- Right to data portability.
- Right to object to processing.
- Right to request deletion, destruction, or anonymization.
- Right to request restriction of processing.
- Right to rectification.
Enforced by the Personal Data Protection Committee (PDPC). Response timeline: 30 days.
Australia — Privacy Act 1988
Australia’s Privacy Act, as amended in 2024, regulates the handling of personal information by government agencies and private sector organizations. Key rights include:
- Right to access personal information held by an organization.
- Right to request correction of inaccurate information.
- Right to complain about privacy breaches.
- Right to know how personal information is collected, used, and disclosed.
Enforced by the Office of the Australian Information Commissioner (OAIC). Response timeline: 30 days.
New Zealand — Privacy Act 2020
New Zealand’s Privacy Act 2020 provides comprehensive privacy protections based on 13 Information Privacy Principles. Key rights include:
- Right to access personal information held about you.
- Right to request correction of personal information.
- Right to complain to the Privacy Commissioner.
Enforced by the Office of the Privacy Commissioner (OPC). Response timeline: 20 working days.
8. Middle East & Africa
United Arab Emirates — Personal Data Protection Law (PDPL)
The UAE’s PDPL establishes a framework for data protection across the UAE. Key rights include:
- Right to access personal data.
- Right to rectification of inaccurate data.
- Right to erasure.
- Right to restrict processing.
- Right to data portability.
- Right to object to processing and automated decision-making.
Enforced by the UAE Data Office. Response timeline: 14 days.
Saudi Arabia — Personal Data Protection Law (PDPL)
Saudi Arabia’s PDPL provides comprehensive data protection for individuals in the Kingdom. Key rights include:
- Right to be informed about the purpose of processing.
- Right to access personal data.
- Right to request correction of inaccurate data.
- Right to request destruction of data no longer needed.
- Right to withdraw consent.
Enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA). Response timeline: 30 days.
South Africa — Protection of Personal Information Act (POPIA)
POPIA is South Africa’s comprehensive data protection law, closely aligned with the GDPR. Key rights include:
- Right to be notified that personal information is being collected.
- Right to access personal information.
- Right to request correction or deletion.
- Right to object to processing.
- Right to submit a complaint to the Information Regulator.
- Right to institute civil proceedings for damages.
Enforced by the Information Regulator. Response timeline: 30 days.
Nigeria — Nigeria Data Protection Act (NDPA)
The NDPA establishes a legal framework for data protection in Nigeria. Key rights include:
- Right to be informed about data processing.
- Right to access personal data.
- Right to rectification of inaccurate data.
- Right to erasure.
- Right to restrict processing.
- Right to data portability.
- Right to object to processing.
Enforced by the Nigeria Data Protection Commission (NDPC). Breach notification: 72 hours.
Kenya — Data Protection Act 2019
Kenya’s Data Protection Act provides comprehensive data protection aligned with international standards. Key rights include:
- Right to be informed of the use of personal data.
- Right to access personal data.
- Right to object to processing.
- Right to correction of false or misleading data.
- Right to deletion of false or misleading data.
Enforced by the Office of the Data Protection Commissioner (ODPC). Response timeline: 30 days.
Egypt — Law 151 of 2020
Egypt’s data protection law establishes requirements for the processing of personal data. Key rights include:
- Right to be informed about data processing.
- Right to access, correct, and delete personal data.
- Right to withdraw consent.
- Right to object to processing.
Enforced by the Data Protection Center (DPC). Response timeline: unspecified in current regulations.
Israel — Privacy Protection Law (1981, amended 2024)
Israel’s Privacy Protection Law, recently amended in 2024, provides data protection aligned with EU adequacy standards. Key rights include:
- Right to access personal data in databases.
- Right to request correction or deletion of inaccurate data.
- Right to object to use of data for direct marketing.
- Right to be informed about cross-border data transfers.
Enforced by the Privacy Protection Authority (PPA). Response timeline: 30 days.
9. Latin America
Mexico — LFPDPPP
Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) establishes requirements for data protection in the private sector. Key rights (ARCO rights) include:
- Access (Acceso): Access your personal data.
- Rectification (Rectificación): Request correction of inaccurate or incomplete data.
- Cancellation (Cancelación): Request deletion of personal data.
- Opposition (Oposición): Object to the processing of personal data.
Enforced by the National Institute for Transparency, Access to Information and Personal Data Protection (INAI). Response timeline: 20 days.
Argentina — Personal Data Protection Law (PDPL)
Argentina’s PDPL, enacted in 2000, provides comprehensive data protection. Argentina has been granted an EU adequacy decision. Key rights include:
- Right to access personal data.
- Right to rectification, updating, and suppression of personal data.
- Right to request confidentiality of personal data.
- Right to file a habeas data action.
Enforced by the Agency for Access to Public Information (AAIP). Response timeline: 10 days.
Colombia — Law 1581 of 2012
Colombia’s data protection law establishes requirements for the processing of personal data. Key rights include:
- Right to know, update, and rectify personal data.
- Right to request proof of consent.
- Right to be informed about the use of personal data.
- Right to file complaints with the SIC.
- Right to revoke consent and request deletion.
- Right to free access to personal data.
Enforced by the Superintendence of Industry and Commerce (SIC). Response timeline: 15 days.
10. Cross-Border Data Transfers
MayDay-IC may transfer personal data across international borders to provide our services. We ensure that all cross-border transfers comply with applicable data protection laws through the following mechanisms:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs, UK International Data Transfer Agreements, and equivalent mechanisms for transfers from the EU/EEA, UK, and other jurisdictions that require transfer safeguards.
- Adequacy Decisions: Where available, we rely on adequacy decisions issued by relevant authorities recognizing that the destination country provides an adequate level of data protection.
- Consent: In certain jurisdictions, we may rely on explicit informed consent for specific data transfers where other mechanisms are not available.
- Data Localization: Some jurisdictions (e.g., China, Russia, Indonesia, Vietnam) require certain categories of personal data to be stored locally. MayDay-IC complies with applicable data localization requirements in each jurisdiction where we operate.
We conduct Transfer Impact Assessments (TIAs) where required to evaluate the level of protection in the destination country and implement supplementary measures as needed to ensure adequate protection.
11. International Data Subject Requests
Regardless of your location, MayDay-IC is committed to honoring your data protection rights under the laws applicable to you. To exercise your rights:
- Submit a request by email to info@maydayic.com.
- Include your full name, jurisdiction of residence, and a description of the right(s) you wish to exercise.
Once we receive your request:
- We will verify your identity before processing any request to protect against unauthorized access.
- We will respond within the timeline required by the applicable law of your jurisdiction (see the summary table above for specific timelines).
- If we are unable to fulfill your request, we will provide a written explanation of the reasons and inform you of your right to appeal or complain to the relevant supervisory authority.
Submitting an International Data Subject Request
Email: info@maydayic.com
Subject Line: “International Data Subject Request — [Your Country]”
Please include:
- Your full name and contact information
- Your country or jurisdiction of residence
- The specific right(s) you wish to exercise
- Any relevant details to help us locate your data
12. Contact
For questions about international privacy rights or to exercise your data protection rights, please contact us:
General Privacy Inquiries
Email: info@maydayic.com
EU/UK Data Protection Officer
Email: info@maydayic.com
Blue Beard Solutions Inc.
Data Protection Officer