Documentation index

Generale ›

Privacy Shield and iubenda (integration guide)


This article is meant to provide information on Privacy Shield, its purpose, how it may impact you and how you can use iubenda Privacy Shield certification.

Table of contents:

pshield_help

Introduction to the Privacy Shield

What does the Privacy Shield certification mean?

The Privacy Shield has established a new framework for transfers of personal data from Europe to the United States. This framework serves the purpose of protecting Europeans’ personal data after the transfer to the US.

For European companies
For European companies there are various ways to correctly transfer European’s data to the US, such as contractual clauses, binding corporate rules and the Privacy Shield. EU law prohibits the personal data of EU citizens from being transferred outside the EU to countries which do not ensure an adequate level of protection for that data. The EU generally regards the US as not having a sufficient level of protection. Privacy Shield is meant to remedy this by acting as the revised mechanism for transferring data safely to the US.

If you’re using US companies to process Data, it might be worth considering one that has  obtained the Privacy Shield certification.

Be aware that there is a difference if the US company is a data controller or merely a data processor: according to Art. 17 of EC Directive 95/46/EC the two companies (EU/US) are obliged to conclude a data processing contract regardless of whether the data processor is a member of the Privacy Shield or not.

→ Find more information on the requirements here

→ FAQ by the European Privacy Authorities (Art 29 Working Party)

For Swiss companies
Switzerland has added itself to the Privacy Shield framework, therefore the same rules apply to Swiss companies. All the relevant documents can be found on this site by the Swiss government/data protection authority.

For US companies
US companies have many requirements to follow under the Privacy Shield, one of them is to provide a privacy policy in which all of the notice requirements are outlined. We’ve published the broader requirements stated in the Privacy Shield Annex a while ago. In the meantime the Privacy Shield site run by the US Department of Commerce has published ample documentation regarding the certification requirements. → Find more information here

This is how US companies can get started:

  • 1. Confirm Your Organization’s Eligibility to Participate in the Privacy Shield – more
  • 2. Develop a Privacy Shield-Compliant Privacy Policy Statement – more
  • 3. Identify Your Organization’s Independent Recourse Mechanism
  • 4. Ensure that Your Organization’s Verification Mechanism is in Place
  • 5. Designate a Contact within Your Organization Regarding Privacy Shield
  • 6. Review the Information Required to Self-Certify
  • 7. Submit Your Organization’s Self-Certification to the Department of Commerce – more on these steps

About the Privacy Shield privacy policy
The privacy shield informs individuals on their rights and sets the legal standards that must be respected by the entity.

Regarding 2), the Privacy Shield privacy policy requirement

The Privacy Shield privacy policy includes a lot of information that basically commits an organization to its principles. It serves the purpose of properly informing an individual about their rights and also marks the basis of a statement that the company needs to respect after its publication.

Broadly speaking you need to model your organization’s privacy policy to align with the Privacy Shield Principles, while also reflecting your organization’s own business operations. Here you’ll find the elements that are requested by the Privacy Shield Annex (emphasis added):

“[a]n organization inform individuals about:
i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
iii. its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield,
iv. the purposes for which it collects and uses personal information about them,
v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints,
vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
vii. the right of individuals to access their personal data,
viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
ix. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,
x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body [currently, there is no other U.S. authorized statutory body recognized by the EU],
xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,
xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
xiii. its liability in cases of onward transfers to third parties.”

These are the main points you need to address within your Privacy Shield privacy policy at the time of writing. Now let’s take a closer look at how an integration with a iubenda policy might work.

Integration with iubenda

If you are using iubenda, we’ve written a section that can be added to your privacy policy to get you started on your long way to a Privacy Shield certification. It can be found in our dashboard area (in the add-a-service interface), as usual as “Privacy Shield: data transfers from the EU to the United States“. You can simply add this section to your privacy policy. However, there are a few things you need to be aware of:

  1. We’re writing these integrations for our privacy policy with certain assumptions to make them work for as many parties as possible. Therefore you will need to manually add, or at least consider certain sections you will find in the table below. If certain assumptions we took do not apply to you, you need to rewrite these parts as applicable to you.
  2. As time goes on, some practices might change. Therefore this is another topic that might want to be revisited periodically, even more now when it’s all new and unclear.

Privacy Shield forces you to make some decisions and disclosures that will depend from case to case.

the choices we need to make what this model does not address
We need to link to “the address provided in this document” instead of a dedicated email address. We do not know which email address you’ll use for the Privacy Shield related inquiries.

 

Regarding ii) Do you have any subsidiaries that data is shared with? You need to additionally mention them in another clause as being committed in the same ways to the Privacy Shield Principles.

 

We have chosen the independent dispute resolution body to be the European panel of DPAs – they do not need linking to – as the private bodies. If you therefore use a private dispute resolution body, you need to rewrite this section.

 

Regarding ix) This model does not address private dispute resolution, we opted for the DPAs that doesn’t need the direct links at the time being.

 

Regarding x) We have assumed that the company is subject to the FTC as the most likely option.

 

 

 

Regarding v) We cannot link to any relevant establishment in the EU since we do not know these details. Please add another section outlining this, if this applies to you.

 

No specific choices the owner grants the User

 

Regarding viii) This model does not go into detail about the choices you grant the users. If you do, you need to state that in an additional section. More information regarding choice.

 

iubenda integration text

This is the text we’re currently suggesting as a starter template, which is fully integrated into the iubenda generator. It can be found under “Privacy Shield: data transfers from the EU to the United States”. This text functions just like the other iubenda integrations, they will be added to your privacy policy automatically.

Then, when you duplicate the policy into any of the other 8 languages, you will also have this text section translated.

Since the above constraints shown within the table apply, here’s the full text in case you need to apply any changes, and consequently copy it into the generator as a custom service.

Privacy Shield participation: data transfers from the EU to the United States

The Owner participates in and complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union to the United States. The Owner has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view the Owner’s certification, please visit https://www.privacyshield.gov/ (or find the direct link to the certification list of Privacy Shield participants maintained by the Department of Commerce https://www.privacyshield.gov/list).

What does this mean for the European User?

The Owner is responsible for all processing of Personal Data it receives under the Privacy Shield Framework from European Union individuals and commits to subject the processed Personal Data to the Privacy Shield Principles.

This, most importantly, includes the right of individuals to access their personal data processed by the Owner.

The Owner also complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, which means that it remains liable in cases of onward transfers to third parties.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, the Owner is subject to the investigatory and regulatory enforcement powers of the FTC, if not stated otherwise in this privacy policy.

The Owner is further required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Dispute resolution under the Privacy Shield

In compliance with the Privacy Shield Principles, the Owner commits to resolve complaints about its collection or use of the User’s Personal Data. European Union individuals with inquiries or complaints regarding this Privacy Shield policy should first contact the Owner at the contact details supplied at the beginning of this document referring to “Privacy Shield” and expect the complaint to be dealt with within 45 days.

In case of failure by the Owner to provide a satisfactory or timely response, the User has the option of involving an independent dispute resolution body, free of charge.

In this regard, the Owner has agreed to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU. The User may therefore contact the Owner at the email address provided at the beginning of this document in order to be directed to the relevant DPA contacts.

Under certain conditions – available for the User in full on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint) – the User may invoke binding arbitration when other dispute resolution procedures have been exhausted.


Still have questions?

Visit our support forum Email us