EU-US Data Privacy Framework: How Can iubenda Help

EU Commission Adequacy Decision

On July 10, 2023, Commissioner Reynders announced the adoption by the EU Commission of a new adequacy decision (the “Decision”) on the EU-US Data Privacy Framework (the “Framework” or “DPF”), a new framework developed after the invalidation of the Privacy Shield by the European Court of Justice.

The Decision concludes that the “United States ensures an adequate level of protection for personal data transferred from the Union to organizations in the United States that are included in the Data Privacy Framework List.”

This means, in other words, that the standards of personal data protection issued by the US Department of Commerce and included in the DPF are “essentially equivalent” to those guaranteed by the GDPR.

This also means that personal data can now flow from the EU to US organizations that meet the privacy principles of the DPF and are included in the relevant List without the need for any additional measures.

The Framework

The DPF is based on a certification system.

US organizations that wish to be certified and included in the DPF List need to meet the privacy principles outlined in the DPF and be subject to the investigatory and enforcement powers of the Federal Trade Commission (or, for the sectors it covers, the US Department of Transportation).

Organizations must re-certify on an annual basis. 

The Framework also addresses and regulates access to and use of personal data transferred from the EU by US public authorities, one of the issues that led to the invalidation of the Privacy Shield by the European Court of Justice.

DPF’s Main Principles

1. Notice

Organizations are required to provide the following information to individuals:

  • that they participate in the DPF and provide a link to the Data Privacy Framework List;
  • the categories of personal data collected and, where applicable, the US entities or subsidiaries of the organization also adhering to the Principles;
  • the commitment to process all personal data received from the EU in line with the DPF’s Principles;
  • the purposes for which personal information is collected and used;
  • how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints;
  • the categories or identity of third parties to which personal information is disclosed and relevant purposes; 
  • the right of individuals to access their personal data;
  • how individuals can limit the use and disclosure of their personal data;
  • the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is:
    • the panel established by EU DPAs;
    • an alternative dispute resolution provider based in the EU; or
    • an alternative dispute resolution provider based in the United States;
  • that the organization is subject to the investigatory and enforcement powers of the Federal Trade Commission, the US Department of Transportation, or any other US authorized body;
  • the individual’s right, under certain conditions, to have access to binding arbitration;
  • the organization’s obligation to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and
  • the organization’s liability in cases of onward transfers to third parties.

How?

All the above information must be provided to individuals in clear and conspicuous language.

When?

The information must be made available to individuals when personal information is first collected, or as soon thereafter as practicable, and in any case before the information is used for a purpose different from that for which it was originally collected or processed by the transferring organization, or before it is disclosed for the first time to a third party.

Under the Notice Principle, organizations are required to include the following links in their privacy policy:

  1. to the US Department of Commerce’s DPF website (link) → where individuals can find additional information on the certification, data subjects’ rights, and recourse mechanisms;
  2. to the DPF List (link); and
  3. to the website of an appropriate alternative dispute settlement provider.

2. Choice

Organizations must allow individuals to opt out of (or, in the case of sensitive information, affirmatively opt in to) the:

  1. disclosure of their personal information to a third party; or 
  2. use of their personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized.

3. Accountability for Onward Transfers

Under the DPF, organizations are subject to strict requirements before transferring personal data to a third party (e.g., ensuring that the transfer occurs only for limited and specified purposes and the third party provides at least the same level of privacy protection and processes personal information consistently with the Principles).

The organization remains liable for how data is processed by the third party.

4. Security

Organizations are required to take reasonable and appropriate measures to protect the personal information they receive from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.

5. Data Integrity and Purpose Limitation

Organizations are not allowed to process personal information for purposes that are not compatible with the purposes for which it was collected or those authorized by the individual.

Under the Data Integrity Principle, organizations must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.

6. Access

The DPF, subject to limited exceptions (for example, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the rights of others would be violated), grants individuals the right to access their personal information.

The Principle also entails the individuals’ right to correct, amend, or delete their information where it is inaccurate or has been processed in violation of the Principles.

7. Recourse, Enforcement, and Liability

This Principle ensures the effectiveness of the Framework by setting up mechanisms that assure compliance with the Principles, provide recourse for individuals affected by non-compliance, and hold organizations liable when the Principles are not followed.

The Principle also includes follow-up checks to verify that what organizations state about their privacy practices is true and implemented.

How to Certify

Self-certification

US organizations that wish to become part of the Framework must submit a self-certification on the Department of Commerce’s dedicated website (link).

The protections and benefits of the DPF apply to an organization from the moment it is added to the Data Privacy Framework List.

The self-certification or subsequent re-certification (on an annual basis) must be submitted by a corporate officer and include, among others, the following:

  1. the name of the self-certifying or re-certifying US organization; 
  2. a description of the processing activities performed on the personal information received from the EU; 
  3. a description of and link to the organization’s privacy policy regarding such personal information;
  4. a contact point within the organization for the handling of complaints, access requests, and any other issues arising in connection with the Principles;
  5. the authority that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of privacy laws or regulations;
  6. the method of compliance verification chosen by the organization (e.g. self-assessment or external compliance reviews, including the third party that performs such reviews); and
  7. independent recourse mechanism(s) available to investigate unresolved Principles-related complaints.

How Can iubenda Help?

Following the Decision and in line with the DPF’s standards, all organizations that wish to be part of the Framework are required to update their privacy policies to include mandatory disclosures under the Notice Principle.

Easily add required information in your Privacy Policy through custom clauses in our generator!