Update: in the meantime we’ve published a guide to iubenda and the Privacy Shield.
Below you will find the original post outlining the notice requirements under the Privacy Shield.
We’ve recently had various users ask whether iubenda generates Privacy Shield compliant privacy policies for companies that want to self-certify for the program. Let us quickly repeat what Privacy Shield is about in the words of the European Commission:
“The EU-U.S. Privacy Shield imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbour framework invalid. The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. It includes, for the first time, written commitments and assurance regarding access to data by public authorities.”
This means US companies must meet a set of requirements if they want the privileged position that Privacy Shield participants enjoy.
What will it mean in practice?
- Self-certify annually that they meet the requirements.
- Reply promptly to any complaints.
- (If handling human resources data) Cooperate and comply with European Data Protection Authorities.
Before we go into the notice requirements more deeply, we will have to establish a couple of facts:
- Privacy Shield is only relevant to companies that want to transfer data of EU users to the US.
- If a company does this through a partner (e.g. using an analytics service that has servers in the US), then it is that partner that has to comply.
An organization must inform individuals about:
- i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
- ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
- iii. its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield,
- iv. the purposes for which it collects and uses personal information about them,
- v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints,
- vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
- vii. the right of individuals to access their personal data,
- viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
- ix. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is:
  - (1) the panel established by DPAs,
  - (2) an alternative dispute resolution provider based in the EU, or
  - (3) an alternative dispute resolution provider based in the United States,
- x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body,
- xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,
- xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
- xiii. its liability in cases of onward transfers to third parties.
This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.
If this scares you, you will find some default wording suggestions in the Privacy Shield Framework FAQs, like: