Additional Information About your Data Protection Rights

Residents of the European Union and the United Kingdom

If you are a resident of the European Union or United Kingdom, the E.U. or U.K. General Data Protection Regulation (collectively, the “GDPR”) is applicable to our use of your data. The lawful basis for processing your personal information will depend on the personal information concerned and the specific context in which we collect it as detailed in the Privacy Policy. Under the GDPR you have a number of rights. For example, you can request to see a copy of the data we process about you, to delete or rectify your data, or to transfer your data elsewhere. You also have the right to make a complaint to your local supervisory authority and in the first instance to our Data Privacy Department.

If you wish to exert any of your rights, please contact us via email at privacy@sans.org.

You should be aware that your personal information may be transferred to, stored, and processed within the United States and other jurisdictions outside of the U.S.A., the E.U. or the U.K.

We want to assure you that we are fully committed to compliance with the GDPR when it comes to international data transfers. We take data privacy seriously and apply the necessary safeguards to ensure the protection of your data. Specifically, we utilize the Standard Contractual Clauses (SCC) for our E.U. based transfers and the International Data Transfer Agreement (IDTA) for our U.K. based transfers, to guarantee that your data is transferred securely and in accordance with GDPR requirements. Your privacy and data security are of utmost importance to us, and we are dedicated to upholding the highest standards in this regard.

Residents of Brazil

If you are a resident of Brazil, the General Personal Data Protection Law (“LGPD”) are applicable to our use of your data. The lawful basis for processing your personal information will depend on the personal information concerned and the specific context in which we collect it as detailed in the Privacy Policy. Under the LGPD, you have a number of rights. For example, you can request to see a copy of the data we process about you, the right to ask what will happen if you do not consent to the processing of your data by us, to delete or rectify your data, or to transfer your data elsewhere. You also have the right to make a complaint to our Data Privacy Department.

If you wish to exert any of your rights, please contact us via email at privacy@sans.org.

You should be aware that your personal information may be transferred to, stored, and processed within the United States and other jurisdictions outside of the U.S.A. We will take all appropriate measures to safeguard your information in accordance with applicable legal requirements.

United States – State Privacy Rights

Residents of California

If you are a California resident, the California Consumer Privacy Act (“CCPA”) may grant you the following rights:

Right to Know: You have the right to request that a business that collects personal information about you disclose the following: (1) the categories of personal information it has collected about you; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about you. California residents may make a Request to Know up to twice every 12 months.
Right to Correct: You have the right to request a business that maintains inaccurate personal information about you to correct that information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
Right to Delete: You have the right to request that a business delete any personal information about you which the business has collected from you.
Right to Opt Out of Selling and Sharing: You have the right to request that a business not sell your personal information to a third party or share your personal information with a third party for purposes of cross-context behavioral advertising. Opt-out rights can be exercised by clicking here, by contacting privacy@sans.org, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences.
Right to Non-Discrimination: You have the right to not be discriminated against because you exercised any of your CCPA rights.

If you are a California resident, you may specifically instruct us not to sell or share your personal information as described above. Please note, neither SANS, GIAC nor the SANS Technology Institute sells or shares the personal data of individuals under the age of 16. If you are a California resident and would like to make a request to exercise your rights under the CCPA, please contact privacy@sans.org. We will respond to verifiable requests received from California residents as required by law. For more information about our privacy practices, you may contact us as set forth in the Section below entitled “Contact Us.”

We will use the following process to verify Requests to Know, Requests to Delete, and Requests to Correct: We will acknowledge receipt of your Consumer Request, verify it using processes required by law, then process and respond to your request as required by law. To verify such requests, we may ask you to provide the following information:

For a Request to Know categories of personal information which we collect, we will verify your identity to a reasonable degree of certainty by matching at least two data points provided by you against information in our systems which are considered reasonably reliable for the purposes of verifying a consumer’s identity.
For a Request to Know specific pieces of personal information, Requests to Delete, Requests to Correct, we will verify your identity to a high degree of certainty by matching at least three pieces of personal information provided by you to personal information maintained in our systems and also by obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

An authorized agent can make a request on a California resident’s behalf by providing a power of attorney valid under California law, or providing: (1) proof that the consumer authorized the agent to do so; (2) verification of their own identity with respect to a right to know categories, right to know specific pieces of personal information, or requests to delete which are outlined above; and (3) direct confirmation that the consumer provided the authorized agent permission to submit the request.

Residents of Virginia

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) may grant you the following rights:

Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.
Right to Correction: You have the right to request that a business correct inaccuracy in your personal information, taking into account the nature of the personal information and our purpose for processing the personal information.
Right to Delete: You have the right to request that a business delete your personal information that was collected about you.
Right to Opt Out of Certain Types of Processing: You have the right to opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.
Right to Non-Discrimination: You have the right not to be discriminated against by a business for exercising your rights listed above.

Submitting Requests: Right to Access Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Data Portability Requests may be submitted by contacting us at privacy@sans.org. Right to Opt Out of Processing requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences.

We will use the following process to verify Right to Access Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Data Portability Requests: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of Nevada

If you are a Nevada resident, the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) may grant you the right to request that a business not sell certain kinds of personal information that the business has collected or will collect about you. A “sale” under the NPICICA is the exchange of personal information for monetary consideration by the business to a third party to license or sell the personal information to third parties, with certain exceptions. If you are a Nevada resident and wish to obtain information about our compliance with Nevada law, please contact us at privacy@sans.org.

Residents of Colorado

If you are a Colorado resident, the Colorado Protection Act (CPA) may grant you the following rights:

Right of access: Consumers have the right to confirm whether an organization is processing personal data and to access such personal data.
Right to data portability: Consumers have the right to obtain personal data in a format that allows the consumer to transmit the data to another entity easily, and to the extent technically feasible, consumers have the right to have the personal data delivered in a readily usable format. Consumers may exercise that right up to two times per calendar year.
Right to correction: Consumers have the right to correct inaccuracies in the personal data that an organization has stored, taking into consideration the nature of the personal data and the purposes of the processing.
Right to deletion: Consumers have the right to have organizations delete personal data that has been collected.
Right to opt-out: Consumers have the right to opt-out of the processing of personal their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Right to appeal: Consumers have the right to appeal a business’ denial to take action within a reasonable time period. A business must respond to a consumer request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline it must notify the consumers within the initial 45-day response period.

Submitting Requests: Right to Access Requests, Right to Data Portability Request, Right to Correction Requests, Right to Delete Requests, Right to Opt Out Requests and Right to Appeal Requests, may be submitted by contacting us at privacy@sans.org. Right to Opt Out requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences. Consumers may exercise their rights outlined above once per 12-month time period free of charge. For additional requests, an organization may charge the consumer a fee in accordance with the law.

We will use the following process to verify Right to Access Requests, Right to Data Portability Request, Right to Correction Requests, Right to Delete Requests, Right to Opt Out Requests, and Right to Appeal Requests: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of Connecticut

If you are a Connecticut resident, the Connecticut Data Privacy Act (CDPA) may grant you the following rights:

Right of access: Consumers have the right to confirm whether an organization is processing personal data and to access such personal data.
Right to data portability: Consumers have the right to obtain personal data in a format that allows the consumer to transmit the data to another entity easily, and to the extent technically feasible, consumers have the right to have the personal data delivered in a readily usable format.
Right to correction: Consumers have the right to correct inaccuracies in the personal data that an organization has stored, taking into consideration the nature of the personal data and the purposes of the processing.
Right to deletion: Consumers have the right to have organizations delete personal data that has been collected.
Right to opt-out: Consumers have the right to opt-out of the processing of personal their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Right to appeal: Consumers have the right to appeal an organization’s decision denying a consumer’s rights within a reasonable time period. A business must respond to a consumer request within 45 days of receipt of the appeal, explaining any actions it has taken and reasons for refusing a customer’s request. A business may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline it must notify the consumers within the initial 45-day response period.

We will use the following process to verify Right to Access Requests, Right to Data Portability Request, Right to Correction Requests, Right to Delete Requests, Right to Opt out Requests, and Right to Appeal Requests: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of Utah (effective Dec 31, 2023)

If you are a Utah resident, the Utah Consumer Privacy Act (CDPA) may grant you the following rights:

Right of access: Consumers have the right to confirm whether an organization is processing personal data and to access such personal data.
Right to data portability: Consumers have the right to obtain personal data in a format that allows the consumer to transmit the data to another entity easily, and to the extent technically feasible, consumers have the right to have the personal data delivered in a readily usable format. Consumers may exercise that right once per 12-month time period free of charge. For additional requests, an organization may charge the consumer a reasonable fee if a request is excessive, repetitive, technically infeasible or manifestly unfounded.
Right to deletion: Consumers have the right to have organizations delete personal data that has been collected.
Right to opt-out: Consumers have the right to opt-out of the processing of personal their personal data for purposes of (i) targeted advertising, and (ii) the sale of personal data.
Right to appeal: Consumers have the right to appeal an organization’s decision denying a consumer’s rights within a reasonable time period. A business must respond to a consumer request within 45 days of receipt of the appeal, explaining any actions it has taken and reasons for refusing a customer’s request. A business may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline it must notify the consumers within the initial 45-day response period.

Submitting Requests: Right to Access Requests, Right to Data Portability Request, Right to Delete Requests, Right to Opt Out Requests and Right to Appeal Requests, may be submitted by contacting us at privacy@sans.org. Right to Opt Out requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences. Consumers may exercise their rights outlined above once per 12-month time period free of charge. For additional requests, an organization may charge the consumer a reasonable fee if a request is excessive, repetitive, technically infeasible or manifestly unfounded.

Residents of Oregon (effective July 1, 2024)

If you are an Oregon resident, the Oregon Consumer Protection Act (OCPA) may grant you the following rights:

Right of access: Consumers have the right to confirm whether an organization is processing personal data and to access such personal data.
Right to data portability: Consumers have the right to obtain personal data in a format that allows the consumer to transmit the data to another entity easily, and to the extent technically feasible, consumers have the right to have the personal data delivered in a readily usable format.
Right to correction: Consumers have the right to correct inaccuracies in the personal data that an organization has stored, taking into consideration the nature of the personal data and the purposes of the processing.
Right to deletion: Consumers have the right to have organizations delete personal data that has been collected.
Right to opt-out: Consumers have the right to opt-out of the processing of personal their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Right to appeal: Consumers have the right to appeal a business’ denial to take action within a reasonable time period. A business must respond to a consumer request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline it must notify the consumers within the initial 45-day response period.

Residents of Texas (effective July 1, 2024)

If you are a Texas resident, the Texas Data Privacy and Security Act (TDPSA) may grant you the following rights:

Right of access: Consumers have the right to confirm whether an organization is processing personal data and to access such personal data.
Right to data portability: Consumers have the right to obtain personal data in a format that allows the consumer to transmit the data to another entity easily, and to the extent technically feasible, consumers have the right to have the personal data delivered in a readily usable format.
Right to correction: Consumers have the right to correct inaccuracies in the personal data that an organization has stored, taking into consideration the nature of the personal data and the purposes of the processing.
Right to deletion: Consumers have the right to have organizations delete personal data that has been collected.
Right to opt-out: Consumers have the right to opt-out of the processing of personal their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Right to appeal: Consumers have the right to appeal a business’ denial to take action within a reasonable time period. A business must respond to a consumer request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline it must notify the consumers within the initial 45-day response period.

Submitting Requests: Right to Access Requests, Right to Data Portability Request, Right to Correction Requests, Right to Delete Requests, Right to Opt Out Requests and Right to Appeal Requests, may be submitted by contacting us at privacy@sans.org. Right to Opt Out requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences. Consumers may exercise their rights outlined above twice per 12-month time period free of charge. For additional requests, an organization may charge the consumer a reasonable fee if the request is manifestly unfounded, excessive, or repetitive.

Residents of Montana (effective October 1, 2024)

If you are a Montana resident, the Montana Consumer Data Privacy Act (MCDPA) may grant you the following rights:

Right of access: Consumers have the right to confirm whether an organization is processing personal data and to access such personal data.
Right to data portability: Consumers have the right to obtain personal data in a format that allows the consumer to transmit the data to another entity easily, and to the extent technically feasible, consumers have the right to have the personal data delivered in a readily usable format.
Right to correction: Consumers have the right to correct inaccuracies in the personal data that an organization has stored, taking into consideration the nature of the personal data and the purposes of the processing.
Right to deletion: Consumers have the right to have organizations delete personal data that has been collected.
Right to opt-out: Consumers have the right to opt-out of the processing of personal their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Right to appeal: Consumers have the right to appeal a business’ denial to take action within a reasonable time period. A business must respond to a consumer request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline it must notify the consumers within the initial 45-day response period.

Contact Us

To make a request or exercise your data privacy rights, if you have a complaint, or if you have any questions or suggestions regarding this Policy or our processing of your personal information, please contact us at privacy@sans.org or at +1 301-654-7267 and request to speak to the Data Privacy Department.