a.    Organizations will implement their commitment to cooperate with European Union data protection authorities (“DPAs”) as described below.  Under the Privacy Shield, U.S. organizations receiving personal data from the EU must commit to employ effective mechanisms for assuring compliance with the Privacy Shield Principles.  More specifically as set out in the Recourse, Enforcement and Liability Principle, participating organizations must provide:  (a)(i) recourse for individuals to whom the data relate; (a)(ii) follow up procedures for verifying that the attestations and assertions they have made about their privacy practices are true; and (a)(iii) obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organizations.  An organization may satisfy points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle if it adheres to the requirements set forth here for cooperating with the DPAs. 

b.    An organization commits to cooperate with the DPAs by declaring in its Privacy Shield self-certification submission to the Department of Commerce (see Supplemental Principle on Self-Certification) that the organization:
  • i.    elects to satisfy the requirement in points (a)(i) and (a)(iii) of the Privacy Shield Recourse, Enforcement and Liability Principle by committing to cooperate with the DPAs;
  • ii.    will cooperate with the DPAs in the investigation and resolution of complaints brought under the Privacy Shield; and
  • iii.    will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.