The following FAQs are relevant to an organization preparing to come into compliance with the Accountability for Onward Transfer Principle.

Q1: Are Privacy Shield participants required to have contracts in place when transferring data to controllers and agents?

Generally speaking, yes. The Accountability for Onward Transfer Principle provides that a contract is required when personal data received under the Privacy Shield is transferred either to a third party acting as a controller or to a third party acting as an agent.

However, as explained in Supplemental Principle 9(e), for occasional employment-related operational needs of the Privacy Shield organization with respect to personal data transferred under the Privacy Shield, such as the booking of a flight, hotel room, or insurance coverage, transfers of personal data of a small number of employees can take place to controllers without entering into a contract with the third-party controller, provided that the Privacy Shield organization has complied with the Notice and Choice Principles.  Furthermore, when personal information is transferred between two controllers within a controlled group of corporations or entities, a contract is not always required, as explained in Supplemental Principle 10(b).

Q2: Can standard contractual clauses be used to meet the Accountability for Onward Transfer Principle’s contractual requirements?

Yes. Organizations may use contracts that fully reflect the requirements of the relevant standard contractual clauses adopted by the European Commission to fulfill these contractual requirements, though neither the use of standard contractual clauses nor prior authorization of contracts is required under the Frameworks. Organizations are encouraged to consider the context of the transfer, their processing operations, and the needs of their business and customers in determining which contractual provisions are most appropriate.

Note: The European Commission has decided that standard contractual clauses offer sufficient safeguards on data protection for data to be transferred internationally. As such, they are also an alternative to Privacy Shield to facilitate transfers of personal data from the European Union to organizations in the United States.

Q3: When transferring data to a third party, is a Privacy Shield participant obligated to require that third party to participate in Privacy Shield?

No. Supplemental Principle 10 specifies that the requirement to enter into a contract that provides the same level of protection does not require the third party controller to be a Privacy  Shield organization. With regard to transfers to an agent, the Accountability for Onward Transfer Principle makes clear that a contract is required and states that the Privacy Shield participant must “ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles.” The Frameworks do not prescribe how an agent must be obligated to provide this level of protection. Privacy Shield participants have used different mechanisms to obligate third party agents to provide the same level of privacy protection, including specifying protections in the contract between the Privacy Shield participant and the agent, using an agent located in a country which has been found by the European Commission to ensure an adequate level of protection, using an agent that is subject to the EU data protection rules and using an agent that is a Privacy Shield participant.

Q4: When transferring data to a third party, is a Privacy Shield participant obligated to require that third party to register with an independent recourse mechanism?

No. Supplemental Principle 10 specifies that when transfers are made to a controller, the recipient controller need not have an independent recourse mechanism, provided it makes available an “equivalent mechanism.” When transfers are made to an agent, the agent must be “obligated to provide at least the same level of privacy protection as is required by the Principles [emphasis added].” Third party recipients of data under the Privacy Shield have frequently used in-house dispute settlement procedures to provide an “equivalent mechanism.”