Annex I: Section C
An individual who decides to invoke this arbitration option must take the following steps prior to initiating an arbitration claim: (1) raise the claimed violation directly with the organization and afford the organization an opportunity to resolve the issue within the timeframe set forth in Section III.11(d)(i) of the Principles; (2) make use of the independent recourse mechanism under the Principles, which is at no cost to the individual; and (3) raise the issue through their Data Protection Authority to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the International Trade Administration of the Department of Commerce, at no cost to the individual. This arbitration option may not be invoked if the individual’s same claimed violation of the Principles (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to which the individual was a party; or (3) was previously settled by the parties.
In addition, this option may not be invoked if [an EU Data Protection Authority or the Commissioner] (1) has authority under Sections III.5 or III.9 of the Principles; or (2) has the authority to resolve the claimed violation directly with the organization. [A DPA’s/the Commissioner's] authority to resolve the same claim against [an EU or a Swiss] data controller does not alone preclude invocation of this arbitration option against a different legal entity not bound by the [DPA/Commissioner's] authority.
- All Privacy Shield participants must inform individuals about each element listed in the Notice Principle.
- The Privacy Shield requires that, “In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.”
- Each organization will be asked during the self-certification process to identify all U.S. entities or subsidiaries of the organization also adhering to the Privacy Shield Principles and covered under the organization’s self-certification.
- The organization can either 1) list the entities and subsidiaries by name or, 2) if an individual could readily understand the subsidiaries’ connection to the organization due to the use of a shared brand name as part of the entities’ names, the organization may indicate “all U.S. subsidiaries using brand name [X],” excluding particular entities if applicable.
- Per the Notice Principle, organizations must also inform individuals about the entities or subsidiaries also adhering to the Principles.