- In order for the Department to verify the self-certification requirements, organizations’ privacy policies must be in compliance with the Privacy Shield Principles at the time they submit their self-certification.
- During this period, organizations must respond promptly to inquiries from the Department related to their self-certification.
- Failure to respond within the timeframes designated by the Department, or other failure to complete the certification, will lead to a Department notice that the application has been abandoned, in which case the organization must immediately remove all references to the Privacy Shield from its privacy policies unless and until it submits a new application.
- Yes. The Privacy Shield is a new Framework with distinct requirements, including those pertaining to the notice that organizations must provide to individuals.
- The Notice Principle requires that “[a]n organization inform individuals about:
  i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
  ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
  iii. its commitment to subject to the Principles all personal data received from the EU and/or Switzerland in reliance on the Privacy Shield,
  iv. the purposes for which it collects and uses personal information about them,
  v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU and/or Switzerland that can respond to such inquiries or complaints,
  vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
  vii. the right of individuals to access their personal data,
  viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
  ix. [under the EU-U.S. Privacy Shield] the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,
  ix. [under the Swiss-U.S. Privacy Shield] the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the Commissioner, (2) an alternative dispute resolution provider based in Switzerland, or (3) an alternative dispute resolution provider based in the United States,
  x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body [currently, there is no other U.S. authorized statutory body recognized by the EU or Switzerland],
  xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,
  xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
  xiii. its liability in cases of onward transfers to third parties.”
4. Can my organization meet the requirements of the Notice Principle by providing the required information only as part of my organization’s Privacy Shield certification?
- The Privacy Shield requires that “notice be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.”
- Yes. The following language is acceptable for this purpose: