Want your business to be recognized as Privacy Shield Certified?
What is GDPR?
The General Data Protection Regulation (GDPR) is a set of laws on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA).
GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed to have adequate data protection laws.
The EU does not list the US as one of the countries that meets this GDPR requirement, and hence the Privacy Shield Frameworks were designed.
Privacy Shield Overview:
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law. On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.
Privacy Shield Benefits:
The Privacy Shield provides many important benefits to U.S.-based organizations, as well as their partners in Europe. These include:
- Participating organizations are deemed to provide “adequate” privacy protection, a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR) and outside of Switzerland under the Swiss Federal Act on Data Protection;
- EU Member State requirements for prior approval of data transfers either are waived or approval will be automatically granted; and
- Compliance requirements are clearly laid out and cost-effective, which should particularly benefit small and medium-sized enterprises.
What do the Privacy Shield Principles require?
a. An organization must inform individuals about:
- i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
- ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
- iii. its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield,
- iv. the purposes for which it collects and uses personal information about them,
- v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints,
- vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
- vii. the right of individuals to access their personal data,
- viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
- ix. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,
- x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body,
- xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,
- xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
- xiii. its liability in cases of onward transfers to third parties.
b. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.
How we can assist your organization to comply with Privacy Shield Requirements
- We will review the Privacy Shield Framework requirements with you to determine if it is the right solution for your business.
- Analyze the inflow of data into your organization, how that data is used, and the data you share with third parties outside your organization.
- Help determine to whom notices must be given, and when.
- Once it is in place, we will make sure that the notices are drafted accurately and are given at all appropriate times and places.
- Opt-in and opt-out
- Onward transfer
- Security of personal information
- Data Integrity
- We will provide technical assistance and educational materials to assist you throughout the process for understanding and meeting the Privacy Shield requirements. We stand ready to assist your organization in:
- Meeting the US Department of Commerce’s registration requirements for Privacy Shield
- Developing required processes/procedures for your organization.
- Suggesting an independent third-party dispute resolution mechanism, and
- Addressing any other questions or concerns your company has regarding the safe harbor process.