Iubenda logo
Start generating


Table of Contents

Privacy Shield Guide: Certification and iubenda Integration


Following the decision of July 16, 2020 in Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 we’re currently reworking this guide, as the Privacy Shield has been invalidated.

This is very early days, and therefore there is very little guidance out there yet. However, here’s what you need to know for now:

  • Normally, to transfer personal data of EU users outside of the EU one needs to meet the conditions outlined in articles 44-50 GDPR (for example, if you store personal data from EU citizens on a server in the United States, you will need to base this transfer on one of the existing compliance mechanisms).
  • US companies could get certified under Privacy Shield to be a safe destination for EU personal data and therefore when such a company received such data, this activity didn’t need any specific authorization.
  • Now the EU Court of Justice says that this system is in fact invalid. This means that transfers that relied upon Privacy Shield now need to look elsewhere for a justification.
  • We’re making all the necessary changes to our products to keep the privacy policy disclosures up to date (that’s where Privacy Shield impacts our product). If you want to follow the decision by the Court right away, you must review any data transfer you make to the US (e.g. you use a vendor or tool that’s run by a US company) and check if the data transfer was based on Privacy Shield. If so, you must check if that provider is now offering an alternative legal basis to justify data transfers, such as Standard Contractual Clauses integrated into the contract with the vendor, or explicit consent, for example.

This article is meant to provide information on Privacy Shield, its purpose, how it may impact you and how you can use iubenda Privacy Shield certification.

Privacy Shield

Introduction to the Privacy Shield

What is the Privacy Shield?

The Privacy Shield is a framework for cross-border exchanges of the personal data of Europeans which works ensure that EU standards of data protection are applied when transferring this personal data from the EU (and Switzerland) to the US.

Here’s the European Commission’s description of the Privacy Shield:

The EU-U.S. Privacy Shield imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbour framework invalid. The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. It includes, for the first time, written commitments and assurance regarding access to data by public authorities.

What this means in practice is that

  • US companies wanting to participate will have to:
    • Self-certify annually that they meet the requirements.
    • Display privacy policy on their website.
    • Reply promptly to any complaints.
    • (If handling human resources data) Cooperate and comply with European Data Protection Authorities.
  • EU and Swiss companies wanting to transfer European’s data to the US in a compliant way, can rely on the convenience and the assurances of the framework for the transfer to participating companies.
Some points to take note of
  • Privacy Shield is only relevant to companies that want to transfer data of EU or Swiss users to the US.
  • If a company does this through a partner/processor (e.g. using an analytics service that has servers in the US), then it’s that partner that has to comply, but a Data Processing Agreement between you the controller, and the processor is still required.
  • Complying with Privacy Shield goes far beyond the simple adaptation of a privacy policy as it comes with further requirements the site owner has to take care of.

See also the European Commission’s handy fact/overview sheet.

In this post, we’ll get into some of the specifics of what’s required for Self Certification, the ways in which iubenda can help, and what the Privacy Shield means for US, Eu and Swiss companies wishing to transfer or handle the data of European users that has been transferred to the US.

What does the Privacy Shield certification mean?

The Privacy Shield has established a framework for transfers of personal data from Europe to the United States. This framework serves the purpose of protecting Europeans’ personal data after the transfer to the US and correlates with GDPR requirements for Cross Border Data Transfers.

For European companies

For European companies, there are various ways to correctly transfer European’s data to the US, such as contractual clauses, binding corporate rules, and the Privacy Shield. EU law prohibits the personal data of EU citizens from being transferred outside the EU to countries which do not ensure an adequate level of protection for that data.

The EU generally regards the US as not having a sufficient level of protection. The Privacy Shield is meant to remedy this by acting as the revised mechanism for transferring data safely to the US.

If you’re using US companies to process Data, it might be worth considering one that has obtained the Privacy Shield certification as relying on other GDPR sanctioned transfer mechanisms such as Binding Corporate Rules (BCRs), Standard Contractual Clauses or explicit, informed individual consent (Article 49) can be a bit more complicated.


Be aware that data controllers that fall within the scope of the GDPR are always required to enter into a contract when any data transfer for the purposes of processing occurs. This applies whether the processing happens in or outside of the European Union, and whether or not the processor participates in the Privacy Shield.

Additionally, a GDPR sanctioned transfer mechanism such as an adequacy decision like the Privacy Shield, Binding Corporate Rules (BCRs), Standard Contractual Clauses or explicit, informed individual consent must be used for any cross-border transfer of Europeans’ personal data whether that transfer is controller → controller (e.g transfer between the data controller’s EU and US branches) or controller → processor.

Where the transfer is controller → controller, Binding Corporate Rules (BCRs) may be the best suited mechanism, especially in cases where the controller has branches in multiple countries (as the EU-US Privacy Shield only applies to the US).

You can see which countries adequacy approval has been granted to here.

For Swiss companies

Switzerland has added itself to the Privacy Shield framework, therefore the same rules apply to Swiss companies. All the relevant documents can be found on this site by the Swiss government/data protection authority and you can read the official Swiss – U.S. Privacy Shield FAQs here.

For US companies

US companies have many requirements to follow under the Privacy Shield, one of them is to provide a privacy policy in which all of the notice requirements are outlined. In the meantime, the Privacy Shield site run by the US Department of Commerce has published ample documentation regarding the certification requirements. Find more information here.

This is how US companies can get started:

  1. Confirm Your Organization’s Eligibility to Participate in the Privacy Shield – more
  2. Develop a Privacy Shield-Compliant Privacy Policy Statement – more
  3. Identify Your Organization’s Independent Recourse Mechanism
  4. Ensure that Your Organization’s Verification Mechanism is in Place
  5. Designate a Contact within Your Organization Regarding Privacy Shield
  6. Review the Information Required to Self-Certify
  7. Submit Your Organization’s Self-Certification to the Department of Commerce – more on these steps

The Privacy Shield privacy policy informs individuals on their rights and sets the legal standards that must be respected by the entity.

According to the Department of Commerce, you must develop a Privacy Shield-compliant privacy policy before submitting your self-certification. You can read the FAQs here

Regarding the Privacy Shield privacy policy requirement

The Privacy Shield privacy policy includes a lot of information that basically commits an organization to its principles. It serves the purpose of properly informing an individual about their rights and also marks the basis of a statement that the company needs to respect after its publication.

Broadly speaking you need to model your organization’s privacy policy to align with the Privacy Shield Principles, while also reflecting your organization’s own business operations. Here you’ll find the elements that are requested by the Privacy Shield Annex (emphasis added):

An organization must inform individuals about:

  1. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List;
  2. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles;
  3. its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield;
  4. the purposes for which it collects and uses personal information about them;
  5. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints;
  6. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so;
  7. the right of individuals to access their personal data;
  8. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data;
  9. [under the EU-U.S. Privacy Shield] the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is:
    • the panel established by DPAs,
    • an alternative dispute resolution provider based in the EU, or
    • an alternative dispute resolution provider based in the United States;
  10. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body [currently, there is no other U.S. authorized statutory body recognized by the EU or Switzerland];
  11. the possibility, under certain conditions, for the individual to invoke binding arbitration;
  12. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
  13. its liability in cases of onward transfers to third parties.

These are the main points you need to address within your Privacy Shield privacy policy at the time of writing. Now let’s take a closer look at how an integration with an iubenda policy might work.

Integration with iubenda

If you are using iubenda, we’ve written a section that can be added to your privacy policy to get you started on your way to a Privacy Shield certification. It can be found in our dashboard area (in the usual add-a-service interface), as “Privacy Shield participation: data transfers from the EU and Switzerland to the United States“. You can simply add this section to your privacy policy. However, there are a few things you need to be aware of:

  1. We’re writing these integrations for our privacy policy with certain assumptions to make them work for as many parties as possible. Therefore you will need to manually add, or at least consider certain sections you will find in the table below. If the default policy text does not fully apply to your specific situation, you’ll need to rewrite these parts as applicable to you.
  2. As time goes on, some practices might change. Therefore this is a topic that you may want to revisit periodically.

*Privacy Shield forces you to make some decisions and disclosures that will depend on each particular case.

What the current integrations contain by default Things You May Need to Add
Providing a point of contact to handle Privacy Shield inquiries: By default the policy contains only the Owner Contact information you provide within the Owner Field Since we don’t know which email address you’ll use for the Privacy Shield related inquiries, if the address added in the Owner field is not one dedicated to handling Privacy Shield inquires, you will need to add this information to your policy as the Framework requires a dedicated email address or company contact information for handling privacy inquiries and complaints.
[Regarding ii] By default the policy contains no references to subsidiaries or branches as not every organization may have subsidiaries If have any subsidiaries that data is shared with, you’ll need to additionally mention them in another clause as being committed in the same ways to the Privacy Shield Principles.
[Regarding ix] By default, the policy sets the independent dispute resolution body as the European panel of DPAs – they do not need linking to – unlike the private bodies. If you therefore use a private dispute resolution body, you need to add a section addressing this (as explained in the integration section below).
[Regarding v] By default, the policy does not link to any relevant establishment that you may have appointed in the EU to handle inquire or complaints since we cannot know these details. If you therefore, have appointed a particular EU-based establishment or have an EU-based department for handling Privacy Shield related inquires or complaints, you’ll need to add a clause outlining this (as explained in the integration section below).
[Regarding viii] By default, the policy does not go into detail about the choices you may grant the users. If you offer such choices, you need to state that in an additional section (as explained in the integration section below). Please remember that some choices must be mandatorily offered to users based on the particular type of processing you do. More information on choices can be found here.

iubenda integration text

This is the text we’re currently suggesting as a starter template, which is fully integrated into the iubenda generator. It can be found under “Privacy Shield participation: data transfers from the EU and Switzerland to the United States“. This text functions just like the other iubenda integrations, they will be added to your privacy policy automatically. Then, when you duplicate the policy into any of the other 8 languages, you will also have this text section translated.

Since the above constraints shown within the table apply, here’s the full text in case you need to apply any changes/ additions mentioned in the table above, and consequently instead copy it into the generator as a custom service.

Please note that custom clauses are not automatically translated.

Privacy Shield participation: data transfers from the EU and Switzerland to the United States

The Owner participates in and complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and Switzerland to the United States. The policies and rights outlined below are therefore equally and explicitly applicable to Users from Switzerland, except if stated otherwise. The Owner has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view the Owner’s certification, please visit https://www.privacyshield.gov/ (or find the direct link to the certification list of Privacy Shield participants maintained by the Department of Commerce https://www.privacyshield.gov/list).

What does this mean for the European User?

The Owner is responsible for all processing of Personal Data it receives under the Privacy Shield Framework from European Union individuals and commits to subject the processed Personal Data to the Privacy Shield Principles.

This, most importantly, includes the right of individuals to access their personal data processed by the Owner.

The Owner also complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, which means that it remains liable in cases of onward transfers to third parties.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, the Owner is subject to the investigatory and regulatory enforcement powers of the FTC, if not stated otherwise in this privacy policy.

The Owner is further required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Dispute resolution under the Privacy Shield

In compliance with the Privacy Shield Principles, the Owner commits to resolve complaints about its collection or use of the User’s Personal Data. European Union individuals with inquiries or complaints regarding this Privacy Shield policy should first contact the Owner at the contact details supplied at the beginning of this document referring to “Privacy Shield” and expect the complaint to be dealt with within 45 days.

In case of failure by the Owner to provide a satisfactory or timely response, the User has the option of involving an independent dispute resolution body, free of charge.

In this regard, the Owner has agreed to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU. The User may therefore contact the Owner at the email address provided at the beginning of this document in order to be directed to the relevant DPA contacts.

Under certain conditions – available for the User in full on the Privacy Shield website – the User may invoke binding arbitration when other dispute resolution procedures have been exhausted.

You can read the full Privacy Shield Framework text here.