This article is meant to provide information on Privacy Shield, its purpose, how it may impact you and how you can use iubenda Privacy Shield certification.
The Privacy Shield has established a new framework for transfers of personal data from Europe to the United States. This framework serves the purpose of protecting Europeans’ personal data after the transfer to the US.
For European companies
For European companies there are various ways to correctly transfer European’s data to the US, such as contractual clauses, binding corporate rules and the Privacy Shield. EU law prohibits the personal data of EU citizens from being transferred outside the EU to countries which do not ensure an adequate level of protection for that data. The EU generally regards the US as not having a sufficient level of protection. Privacy Shield is meant to remedy this by acting as the revised mechanism for transferring data safely to the US.
If you’re using US companies to process Data, it might be worth considering one that has obtained the Privacy Shield certification.
Be aware that there is a difference if the US company is a data controller or merely a data processor: according to Art. 17 of EC Directive 95/46/EC the two companies (EU/US) are obliged to conclude a data processing contract regardless of whether the data processor is a member of the Privacy Shield or not.
For Swiss companies
Switzerland has added itself to the Privacy Shield framework, therefore the same rules apply to Swiss companies. All the relevant documents can be found on this site by the Swiss government/data protection authority.
For US companies
This is how US companies can get started:
The privacy shield informs individuals on their rights and sets the legal standards that must be respected by the entity.
“[a]n organization inform individuals about:
i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
iii. its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield,
iv. the purposes for which it collects and uses personal information about them,
v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints,
vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
vii. the right of individuals to access their personal data,
viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
ix. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,
x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body [currently, there is no other U.S. authorized statutory body recognized by the EU],
xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,
xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
xiii. its liability in cases of onward transfers to third parties.”
Privacy Shield forces you to make some decisions and disclosures that will depend from case to case.
|the choices we need to make||what this model does not address|
|We need to link to “the address provided in this document” instead of a dedicated email address. We do not know which email address you’ll use for the Privacy Shield related inquiries.
|Regarding ii) Do you have any subsidiaries that data is shared with? You need to additionally mention them in another clause as being committed in the same ways to the Privacy Shield Principles.
|We have chosen the independent dispute resolution body to be the European panel of DPAs – they do not need linking to – as the private bodies. If you therefore use a private dispute resolution body, you need to rewrite this section.
|Regarding ix) This model does not address private dispute resolution, we opted for the DPAs that doesn’t need the direct links at the time being.
|Regarding x) We have assumed that the company is subject to the FTC as the most likely option.
|Regarding v) We cannot link to any relevant establishment in the EU since we do not know these details. Please add another section outlining this, if this applies to you.
|No specific choices the owner grants the User
|Regarding viii) This model does not go into detail about the choices you grant the users. If you do, you need to state that in an additional section. More information regarding choice.
Then, when you duplicate the policy into any of the other 8 languages, you will also have this text section translated.
Since the above constraints shown within the table apply, here’s the full text in case you need to apply any changes, and consequently copy it into the generator as a custom service.
The Owner participates in and complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union to the United States. The Owner has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
The Owner is responsible for all processing of Personal Data it receives under the Privacy Shield Framework from European Union individuals and commits to subject the processed Personal Data to the Privacy Shield Principles.
This, most importantly, includes the right of individuals to access their personal data processed by the Owner.
The Owner also complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, which means that it remains liable in cases of onward transfers to third parties.
The Owner is further required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, the Owner commits to resolve complaints about its collection or use of the User’s Personal Data. European Union individuals with inquiries or complaints regarding this Privacy Shield policy should first contact the Owner at the contact details supplied at the beginning of this document referring to “Privacy Shield” and expect the complaint to be dealt with within 45 days.
In case of failure by the Owner to provide a satisfactory or timely response, the User has the option of involving an independent dispute resolution body, free of charge.
In this regard, the Owner has agreed to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU. The User may therefore contact the Owner at the email address provided at the beginning of this document in order to be directed to the relevant DPA contacts.
Under certain conditions – available for the User in full on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint) – the User may invoke binding arbitration when other dispute resolution procedures have been exhausted.