Update: in the meantime we’ve published a guide to iubenda and the Privacy Shield.

Read the Privacy Shield integration guide

Below you will find the original post outlining the notice requirements under the Privacy Shield.


We’ve recently had various users ask whether iubenda generates Privacy Shield compliant privacy policies for companies that want to self-certify for the program. Let us quickly repeat what Privacy Shield is about in the words of the European Commission:

The EU-U.S. Privacy Shield imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbour framework invalid. The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. It includes, for the first time, written commitments and assurance regarding access to data by public authorities.

This means US companies have a couple of requirements to fulfill if they want the privileged position that Privacy Shield companies are in.

What will it mean in practice?

  • Self-certify annually that they meet the requirements.
  • Display privacy policy on their website.
  • Reply promptly to any complaints.
  • (If handling human resources data) Cooperate and comply with European Data Protection Authorities.

As you can see, the privacy policy is an integral part of the requirement catalogue presented by the European Commission. If you want more information, here’s a handy fact/overview sheet.

Before we go into the notice requirements more deeply, we will have to establish a couple of facts:

  • Privacy Shield is only relevant to companies that want to transfer data of EU users to the US.
  • If a company does this through a partner (e.g. using an analytics service that has servers in the US), then it’s that partner that has to comply.
  • Complying with Privacy Shield goes far beyond the simple adaptation of a privacy policy, as it comes with further requirements the site owner has to take care of.

That said, iubenda has existing European requirements built in for elements in a privacy policy. However, companies need to meet additional notice requirements that come right out of the Privacy Shield requirement list. The full requirements are the following (copied right out of the annex of the communication by the aforementioned Commission):

An organization must inform individuals about:


  • i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
  • ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
  • iii. its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield,
  • iv. the purposes for which it collects and uses personal information about them,
  • v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints,
  • vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
  • vii. the right of individuals to access their personal data,
  • viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
  • ix. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is:
    • (1) the panel established by DPAs,
    • (2) an alternative dispute resolution provider based in the EU,
    • or (3) an alternative dispute resolution provider based in the United States,
  • x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body,
  • xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,
  • xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
  • xiii. its liability in cases of onward transfers to third parties.


This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

If this scares you, you will find some default wording suggestions in the Privacy Shield Framework FAQs, like:

(INSERT your organization name) complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

If these do not help, then it might be time to look for professional solutions and professionals who can help you get your privacy policy done.
