Additional Information About your Data Protection Rights

Residents of the European Union and the United Kingdom

If you are a resident of the European Union (E.U.) or United Kingdom (U.K.), the E.U. or U.K. General Data Protection Regulation (collectively, the “GDPR”) is applicable to our use of your personal information. The lawful basis for processing your personal information will depend on the personal information concerned and the specific context in which we collect it as detailed in the Privacy Policy. Under the GDPR you have a number of rights. For example, you can request to see a copy of the personal information we process about you, to delete or rectify your personal information, or to transfer your personal information elsewhere. You also have the right to make a complaint to your local supervisory authority and in the first instance to our Data Privacy Department.

If you wish to exert any of your rights, please contact us via email at privacy@sans.org.

You should be aware that your personal information may be transferred to, stored, and processed within the United States of America (U.S.A.) and other jurisdictions outside of the U.S.A., the E.U. or the U.K.

We want to assure you that SANS is fully committed to compliance with the GDPR when it comes to international data transfers. We take data privacy seriously and apply the necessary safeguards to ensure the protection of your data. Specifically, we utilize the Standard Contractual Clauses (SCC) for our E.U. based transfers and the International Data Transfer Agreement (IDTA) for our U.K. based transfers, to guarantee that your data is transferred securely and in accordance with GDPR requirements. Your privacy and data security are of utmost importance to us, and we are dedicated to upholding the highest standards in this regard.

Residents of Australia

If you are a resident of Australia, the Privacy Act (“TPA”) is applicable to our use of your personal information. The lawful basis for processing your personal information will depend on the personal information concerned and the specific context in which we collect it as detailed in the Privacy Policy. Under the TPA, you have a number of rights. For example, you can request to see a copy of the personal information we process about you, to use a pseudonym or remain anonymous, to consent prior to having personal information processed, to correct your personal information, and to object to receiving direct marketing communications. You have the right to make a complaint with the Office of the Australian Information Commissioner. You also have the right to make a complaint to our Data Privacy Department.

If you wish to exert any of your rights, please contact us via email at privacy@sans.org.

You should be aware that your personal information may be transferred to, stored, and processed within the U.S.A. and other jurisdictions outside of the U.S.A. We will take all appropriate measures to safeguard your information in accordance with applicable legal requirements.

Residents of Brazil

If you are a resident of Brazil, the General Personal Data Protection Law (“LGPD”) are applicable to our use of your personal information. The lawful basis for processing your personal information will depend on the personal information concerned and the specific context in which we collect it as detailed in the Privacy Policy. Under the LGPD, you have a number of rights. For example, you can request to see a copy of the personal information we process about you, the right to ask what will happen if you do not consent to the processing of your personal information by SANS, to delete or rectify your personal information, or to transfer your personal information elsewhere. You also have the right to make a complaint to our Data Privacy Department.

If you wish to exert any of your rights, please contact us via email at privacy@sans.org.

You should be aware that your personal information may be transferred to, stored, and processed within the United States and other jurisdictions outside of the U.S.A. We will take all appropriate measures to safeguard your information in accordance with applicable legal requirements.

Residents of Singapore

If you are a resident of Singapore, the Personal Data Protection Act (“PDPA”) is applicable to our use of your personal information. The lawful basis for processing your personal information will depend on the personal information concerned and the specific context in which we collect it as detailed in the Privacy Policy. Under the PDPA, you have a number of rights. For example, you can request access to the personal information we process about you, withdraw consent for our use of your personal information, request that we correct any incomplete or inaccurate personal information we hold or control, the right to opt out of the collection, use, or disclosure of your personal information at any time, or to transfer your personal information elsewhere. You also have the right to make a complaint to our Data Privacy Department and to not be discriminated against because you exercise any of your PDPA rights.

Please note that SANS Training PTE Limited (“SANS Singapore”) participates in the Singapore SkillsFuture program, and that if you utilize a SkillsFuture Credit to assist in payment of a SANS course or GIAC certification, SANS Singapore as required by law may collect and provide certain information about you to the SkillsFuture Singapore Agency including your NRIC and or passport number, attendance record at SANS courses, course assessments and GIAC examination results.

If you wish to exert any of your rights, please contact us via email at privacy@sans.org. You may also reach out to singapore@sans.org to reach a local Data Protection Officer representative.

United States – State Privacy Rights

Residents of California

If you are a California resident, the California Consumer Privacy Act (“CCPA”) may grant you the following rights:

• Right to Know: You have the right to request that a business that collects personal information about you disclose the following: (1) the categories of personal information it has collected about you; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about you. California residents may make a Request to Know up to twice every 12 months.

• Right to Correction: You have the right to request a business that maintains inaccurate personal information about you to correct that information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

• Right to Deletion: You have the right to request that a business delete any personal information about you which the business has collected from you.

• Right to Opt Out of Selling and Sharing: You have the right to request that a business not sell your personal information to a third party or share your personal information with a third party for purposes of cross-context behavioral advertising. Opt-out rights can be exercised by clicking here, by contacting privacy@sans.org, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences.

• Right to Non-Discrimination: You have the right to not be discriminated against because you exercised any of your CCPA rights.

If you are a California resident, you may specifically instruct us not to sell or share your personal information as described above. Please note, neither SANS, GIAC nor the SANS Technology Institute sells or shares the personal information of individuals under the age of 16. If you are a California resident and would like to make a request to exercise your rights under the CCPA, please contact privacy@sans.org. We will respond to verifiable requests received from California residents as required by law. For more information about our privacy practices, you may contact us as set forth in the Section below entitled “Contact Us.”

We will use the following process to verify Requests to Know, Requests to Delete, and Requests to Correct: We will acknowledge receipt of your Consumer Request, verify it using processes required by law, then process and respond to your request as required by law. To verify such requests, we may ask you to provide the following information:

• For a Request to Know categories of personal information which we collect, we will verify your identity to a reasonable degree of certainty by matching at least two data points provided by you against information in our systems which are considered reasonably reliable for the purposes of verifying a consumer’s identity.

• For a Request to Know specific pieces of personal information, Requests to Delete, Requests to Correct, we will verify your identity to a high degree of certainty by matching at least three pieces of personal information provided by you to personal information maintained in our systems and also by obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

An authorized agent can make a request on a California resident’s behalf by providing a power of attorney valid under California law, or providing: (1) proof that the consumer authorized the agent to do so; (2) verification of their own identity with respect to a right to know categories, right to know specific pieces of personal information, or requests to delete which are outlined above; and (3) direct confirmation that the consumer provided the authorized agent permission to submit the request.

Residents of Colorado

If you are a Colorado resident, the Colorado Protection Act (CPA) may grant you the following rights:

• Right to Access: Consumers have the right to confirm whether an organization is processing personal information and to access such personal information.

• Right to Correction: Consumers have the right to correct inaccuracies in the personal information that an organization has stored, taking into consideration the nature of the personal information and the purposes of the processing.

• Right to Deletion: Consumers have the right to have organizations delete personal information that has been collected.

• Right to Opt Out: Consumers have the right to opt out of the processing of their personal information for purposes of (i) targeted advertising, (ii) the sale of personal information, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Submitting Requests: Right to Access Requests, Right to Data Portability Request, Right to Correction Requests, Right to Delete Requests, Right to Opt Out Requests and Right to Appeal Requests, may be submitted by contacting us at privacy@sans.org. Right to Opt Out requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences. Consumers may exercise their rights outlined above once per 12-month time period free of charge. For additional requests, an organization may charge the consumer a fee in accordance with the law.

We will use the following process to verify Right to Access Requests, Right to Data Portability Request, Right to Correction Requests, Right to Delete Requests, Right to Opt Out Requests, and Right to Appeal Requests: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of Connecticut

If you are a Connecticut resident, the Connecticut Data Privacy Act (CDPA) may grant you the following rights:

• Right to Access: Consumers have the right to confirm whether an organization is processing personal information and to access such personal information.

• Right to Deletion: Consumers have the right to have organizations delete personal information that has been collected.

• Right to Appeal: Consumers have the right to appeal an organization’s decision denying a consumer’s rights within a reasonable time period. A business must respond to a consumer request within 45 days of receipt of the appeal, explaining any actions it has taken and reasons for refusing a customer’s request. A business may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline it must notify the consumers within the initial 45-day response period.

We will use the following process to verify Right to Access Requests, Right to Data Portability Request, Right to Correction Requests, Right to Delete Requests, Right to Opt out Requests, and Right to Appeal Requests: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of Delaware (effective January 1, 2025)

If you are a Delaware resident, the Delaware Personal Data Privacy Act (DPDPA) may grant you the following rights:

• Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.

• Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.

• Right to Deletion: You have the right to request that a business delete your personal information that was collected about you.

• Right to Appeal: Consumers have the right to appeal a business’ denial to take action within a reasonable time period. A business must respond to a consumer request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary considering the complexity and number of the consumer’s requests. If a consumer appeals a business’ denial to take action, a business must respond to an appeal in writing within 60 days and, if the appeal is denied, the business must provide the consumer with an online mechanism, if available, or other method for contacting the Delaware Department of Justice to submit a complaint.

• Right to Know: You have the right to obtain a list of the specific third parties to which we have disclosed your personal information. If we do not maintain this information in a format specific to you, a list of specific third parties to whom we have disclosed any consumer’s personal information may instead be provided to you.

Submitting Requests: Right to Access Requests, Right to Data Portability Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, Right to Appeal Requests, and Right to Know Requests may be submitted by contacting us at privacy@sans.org. Right to Opt Out of Processing requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences.

We will use the following process to verify Right to Access Requests, Right to Data Portability Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, Right to Appeal Requests, and Right to Know Requests: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of Florida

If you are a Florida resident, the Florida Digital Bill of Rights (FDBR) may grant you the following rights:

• Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.

• Right to Correction: You have the right to request that a business correct inaccuracy in your personal information, taking into account the nature of the personal information and our purpose for processing the personal information. We must respond to your request for correction within 45 days, and we may extend such period for an additional 15 days under certain circumstances. If we offer a self-service mechanism to consumers for correcting personal information, we can deny a consumer’s request to correct the information.

• Right to Deletion: You have the right to request that a business delete your personal information that was collected about you.

• Right to Opt Out of Certain Types of Processing: You have the right to opt out of the processing of the personal information for purposes of (i) targeted advertising, (ii) the sale of personal information, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Further, you have the right to opt out of collection of sensitive data, including geolocation data, and personal information collected through the operation of a voice recognition or facial recognition feature.

Submitting Requests: Right to Access Requests, Right to Correction Requests, Right to Delete Requests, and Right to Opt Out of Processing may be submitted by contacting us at privacy@sans.org. Right to Opt Out of Processing requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences.

We will use the following process to verify Right to Access Requests, Right to Correction Requests, Right to Delete Requests and Right to Opt Out of Processing: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of Iowa (effective January 1, 2025)

If you are an Iowa resident, the Iowa Consumer Data Protection Act (ICDPA) may grant you the following rights:

• Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.

• Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.

• Right to Deletion: You have the right to request that a business delete your personal information that was collected about you.

• Right to Opt Out of Sale: You have the right to opt out of the sale of personal information.

Submitting Requests: Right to Access Requests, Right to Data Portability Requests, Right to Delete Requests, and Right to Opt Out of Sale Requests may be submitted by contacting us at privacy@sans.org. Right to Opt Out of Sale Requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences.

We will use the following process to verify Right to Access Requests, Right to Data Portability Requests, Right to Delete Requests, and Right to Opt Out of Sale Requests: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of Maryland

If you are a Maryland resident, the Maryland Online Data Privacy Act (MODPA) may grant you the following rights:

• Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.

• Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.

• Right to Deletion: You have the right to request that a business delete your personal information that was collected about you, unless retention of the personal information is required by law.

• Right to Know: You have the right to obtain a list of the third parties to which we have disclosed your personal information. If we do not maintain this information in a format specific to you, a list of the categories of third parties to whom we have disclosed any consumer’s personal information may instead be provided to you.

Submitting Requests: Right to Access Requests, Right to Data Portability Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Know Requests may be submitted by contacting us at privacy@sans.org. Right to Opt Out of Processing requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences.

We will use the following process to verify Right to Access Requests, Right to Data Portability Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Know Requests: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of Montana (effective October 1, 2024)

If you are a Montana resident, the Montana Consumer Data Privacy Act (MCDPA) may grant you the following rights:

• Right to Access: Consumers have the right to confirm whether an organization is processing personal information and to access such personal information.

• Right to Deletion: Consumers have the right to have organizations delete personal information that has been collected.

• Right to Opt Out: Consumers have the right to opt out of the processing of personal their personal information for purposes of (i) targeted advertising, (ii) the sale of personal information, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Residents of Nevada

If you are a Nevada resident, the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) may grant you the right to request that a business not sell certain kinds of personal information that the business has collected or will collect about you. A “sale” under the NPICICA is the exchange of personal information for monetary consideration by the business to a third party to license or sell the personal information to third parties, with certain exceptions. If you are a Nevada resident and wish to obtain information about SANS’ compliance with Nevada law, please contact us at privacy@sans.org.

Residents of New Hampshire (effective January 1, 2025)

If you are a New Hampshire resident, the New Hampshire Privacy Act (NHPA) may grant you the following rights:

• Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.

• Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.

• Right to Deletion: You have the right to request that a business delete your personal information that was collected about you.

• Right to Non-Discrimination: You have the right not to be discriminated against by a business for exercising your rights listed above.

Submitting Requests: Right to Access Requests, Right to Data Portability Requests, Right to Correction Requests, Right to Delete Requests, and Right to Opt Out of Processing may be submitted by contacting us at privacy@sans.org. Right to Opt Out of Processing requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences.

We will use the following process to verify Right to Access Requests, Right to Data Portability Requests, Right to Correction Requests, Right to Delete Requests, and Right to Opt Out of Processing: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Residents of New Jersey (effective January 15, 2025)

If you are a New Jersey resident, the New Jersey Privacy Law (NJPL) may grant you the following rights:

• Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.

• Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.

• Right to Deletion: You have the right to request that a business delete your personal information that was collected about you.

• Right to Opt Out of Certain Types of Processing: You have the right to opt out of the processing of the personal information for purposes of (i) targeted advertising, (ii) the sale of personal information, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. A business cannot process personal information of consumers for the purposes of (i) targeted advertising, (ii) the sale of personal information, or (iii) certain types of profiling without prior opt-in consent if the business has actual knowledge or willfully disregards that the consumer is a child at least 13 but under 17 years of age.

Residents of Oregon

If you are an Oregon resident, the Oregon Consumer Protection Act (OCPA) may grant you the following rights:

• Right to Access: Consumers have the right to confirm whether an organization is processing personal information and to access such personal information.

• Right to Deletion: Consumers have the right to have organizations delete personal information that has been collected.

Residents of Tennessee (effective July 1, 2025)

If you are a Tennessee resident, the Tennessee Information Protection Act (TIPA) may grant you the following rights:

• Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.

• Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.

• Right to Deletion: You have the right to request that a business delete your personal information that was collected about you.

Residents of Texas

If you are a Texas resident, the Texas Data Privacy and Security Act (TDPSA) may grant you the following rights:

• Right to Access: Consumers have the right to confirm whether an organization is processing personal information and to access such personal information.

• Right to Deletion: Consumers have the right to have organizations delete personal information that has been collected.

Submitting Requests: Right to Access Requests, Right to Data Portability Request, Right to Correction Requests, Right to Delete Requests, Right to Opt Out Requests and Right to Appeal Requests, may be submitted by contacting us at privacy@sans.org. Right to Opt Out requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences. Consumers may exercise their rights outlined above twice per 12-month time period free of charge. For additional requests, an organization may charge the consumer a reasonable fee if the request is manifestly unfounded, excessive, or repetitive.

Residents of Utah

If you are a Utah resident, the Utah Consumer Privacy Act (CDPA) may grant you the following rights:

• Right to Access: Consumers have the right to confirm whether an organization is processing personal information and to access such personal information.

• Right to Data Portability: Consumers have the right to obtain personal information in a format that allows the consumer to transmit the information to another entity easily, and to the extent technically feasible, consumers have the right to have the personal information delivered in a readily usable format. Consumers may exercise that right once per 12-month time period free of charge. For additional requests, an organization may charge the consumer a reasonable fee if a request is excessive, repetitive, technically infeasible or manifestly unfounded.

• Right to Deletion: Consumers have the right to have organizations delete personal information that has been collected.

• Right to Opt Out: Consumers have the right to opt out of the processing of their personal information for purposes of (i) targeted advertising, and (ii) the sale of personal information.

Submitting Requests: Right to Access Requests, Right to Data Portability Request, Right to Delete Requests, Right to Opt Out Requests and Right to Appeal Requests, may be submitted by contacting us at privacy@sans.org. Right to Opt Out requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences. Consumers may exercise their rights outlined above once per 12-month time period free of charge. For additional requests, an organization may charge the consumer a reasonable fee if a request is excessive, repetitive, technically infeasible or manifestly unfounded.

Residents of Virginia

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) may grant you the following rights:

• Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.

• Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.

• Right to Deletion: You have the right to request that a business delete your personal information that was collected about you.

• Right to Non-Discrimination: You have the right not to be discriminated against by a business for exercising your rights listed above.

Submitting Requests: Right to Access Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Data Portability Requests may be submitted by contacting us at privacy@sans.org. Right to Opt Out of Processing requests may also be made by clicking here, or by enabling an online global privacy signal, such as Global Privacy Control, which is a browser tool that automatically communicates your opt-out preferences.

We will use the following process to verify Right to Access Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Data Portability Requests: We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law. To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Contact Us

To make a request or exercise your data privacy rights, if you have a complaint, or if you have any questions or suggestions regarding this Policy or our processing of your personal information, please contact us at privacy@sans.org or at +1 301-654-7267 and request to speak to the Data Privacy Department.

Free Course Demos

SANS CISO Primer: 4 Cyber Trends

2023 Security Awareness Report

Security Policy Templates

Join the Community

Our Mission

Additional Information About your Data Protection Rights

Residents of the European Union and the United Kingdom

Residents of Australia

Residents of Brazil

Residents of Singapore

United States – State Privacy Rights

Residents of Colorado

Residents of Connecticut

Residents of Delaware (effective January 1, 2025)

Residents of Florida

Residents of Iowa (effective January 1, 2025)

Residents of Maryland

Residents of Montana (effective October 1, 2024)

Residents of Nevada

Residents of New Hampshire (effective January 1, 2025)

Residents of New Jersey (effective January 15, 2025)

Residents of Oregon

Residents of Tennessee (effective July 1, 2025)

Residents of Texas

Residents of Utah

Residents of Virginia

Contact Us