Q6: Is there a Privacy Shield Certification mark that my organization can use once its certification has been finalized?

  • Not yet. The Department of Commerce intends to make a Privacy Shield certification mark available to participating organizations. We will let participants know as soon as the mark is available for use.


Q7: Are there different requirements under Privacy Shield for non-Human Resources and Human Resources privacy policies?

  • Yes. While the same policy can be used to cover both human resources (HR) data transferred from the EU and/or Switzerland in the context of the employment relationship and non-HR personal data, there are two key differences to note.
  • First, your organization’s non-HR privacy policy must be made publicly available on your organization’s website (if it has a website), while its HR privacy policy need not be. If covering non-HR data, during the Privacy Shield certification process, you must provide the URL (i.e., web address) to access your non-HR privacy policy. If covering HR data, during the Privacy Shield certification process, you must indicate where your HR privacy policy is available for viewing by affected employees and upload a copy for review by the Privacy Shield team (this will not be made public). If the same policy covers both non-HR and HR data, you can provide the URL for the policy during the certification process and indicate that it covers both.
  • Second, both your organization’s HR and non-HR policies must include information about the specific independent dispute resolution body that is available to address complaints and provide appropriate recourse free of charge to the individual. With regard to HR data, the relevant body must be the panel established by EU data protection authorities (DPAs) under the EU-U.S. Privacy Shield Framework or the Swiss Federal Data Protection and Information Commissioner under the Swiss-U.S. Privacy Shield Framework. With regard to non-HR data, your organization can choose either a private-sector dispute resolution provider or the EU DPAs under the EU-U.S. Privacy Shield Framework/the Swiss Federal Data Protection and Information Commissioner under the Swiss-U.S. Privacy Shield Framework.  Sample language is provided below to assist you in this regard.

Sample Language:

In compliance with the Privacy Shield Principles, (INSERT your organization name) commits to resolve complaints about our collection or use of your personal information.  (INSERT European Union and/or Swiss, as applicable) individuals with inquiries or complaints regarding our Privacy Shield policy should first contact (INSERT your organization name) at:

(INSERT contact information for your organization's internal complaints mechanism)

FOR USE INFORMING INDIVIDUALS THAT YOUR ORGANIZATION HAS SELECTED A PRIVATE SECTOR DISPUTE RESOLUTION PROVIDER (ONLY APPLICABLE WHEN COVERING NON-HR DATA)

(INSERT your organization name) has further committed to refer unresolved Privacy Shield complaints to (INSERT your selected independent dispute resolution provider), an alternative dispute resolution provider located in the (INSERT the United States, the EU, or Switzerland, as applicable). If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit (INSERT your selected independent dispute resolution provider) for more information or to file a complaint.  The services of (INSERT your selected independent dispute resolution provider) are provided at no cost to you.

FOR USE INFORMING INDIVIDUALS THAT YOUR ORGANIZATION WILL COOPERATE WITH EU DPAS AND/OR THE SWISS FEDERAL DATA PROTECTION AND INFORMATION COMMISSIONER (REQUIRED WITH REGARD TO HR DATA AND AN ALTERNATIVE TO SELECTING A PRIVATE SECTOR PROVIDER WHEN COVERING NON-HR DATA)

(INSERT your organization name) commits to cooperate with (INSERT the panel established by the EU data protection authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable) and comply with the advice given by (INSERT the panel and/or Commissioner, as applicable) with regard to [human resources] data transferred from (INSERT the EU and/or Switzerland, as applicable) [in the context of the employment relationship].


Q8: The Privacy Shield requires that my organization inform individuals about how to contact the organization with any inquiries or complaints as well as about the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual. Does the Privacy Shield team recommend any particular approach in providing this notice?

  • Yes. The Privacy Shield team has found that the clearest policies provide contact information for the organization, including any relevant establishment in the EU and/or Switzerland, directly above contact information for the independent recourse mechanism that is available to address unresolved complaints. Please see FAQ 6 above for sample language.
  • Placing these two required elements together in this order makes it clear that an individual should first contact the organization with any questions or complaints and then proceed to the independent recourse mechanism if needed.


Q9: The Privacy Shield requires my organization to inform individuals about the U.S. entities or U.S. subsidiaries of my organization also adhering to the Principles. Is this done through the certification process, through my privacy policy or through both?

  • Both. During the certification process, your organization will be asked to list “all U.S. entities or U.S. subsidiaries of your organization that are also adhering to the Privacy Shield Principles and are covered under your organization’s self-certification.” This is where you should list any U.S. subsidiaries or other U.S. entities within your organization also adhering to the Principles.  You do not need to list your organization itself nor do you need to list particular program operations, only U.S. entities and U.S. subsidiaries.
  • You must also inform individuals through your privacy policy or policies that the U.S. entities you list in your certification adhere to the Principles.  This can be done in one policy or multiple policies depending on how you structure your business operations. If it is done through multiple policies, you will need to provide each policy during the certification process.


Q10: The Privacy Shield requires my organization to inform individuals about my organization being subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission or the Department of Transportation. Does this mean that our privacy policy must reference the same enforcement authority that we indicate during the certification process?

  • Yes.  Organizations subject to the investigative and enforcement powers of the U.S. Federal Trade Commission or Department of Transportation are eligible to self-certify to the Privacy Shield.  During the certification process, your organization will be asked to indicate which of these two bodies is the relevant enforcement authority with regard to the activities covered in your organization’s certification. Your organization’s privacy policy must indicate that your organization is subject to the same enforcement authority indicated in your certification. The following sample language is acceptable for this purpose:
The Federal Trade Commission has jurisdiction over (INSERT your organization name)’s compliance with the Privacy Shield.
AND/OR
The Department of Transportation has jurisdiction over (INSERT your organization name)’s compliance with the Privacy Shield.
See Privacy Policy FAQs 11-13