The following FAQs are relevant when personal data is transferred from the European Union (EU) to the United States for processing purposes only.

When responding to individuals seeking to exercise their rights under the Privacy Shield Principles, a processor should respond pursuant to the instructions of the EU data controller.


Q1: When personal data is transferred from the European Union (EU) to the United States for processing purposes only, what contractual requirements are mandated by the Framework(s)?

Supplemental Principle 10a of the EU-U.S. Privacy Shield Framework addresses this question (and is reproduced here in its entirety for ease of reference, given its relevance to the other FAQs below).

i. When personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the Privacy Shield.
 
ii. Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield.  The purpose of the contract is to make sure that the processor:

1. acts only on instructions from the controller;
 
2. provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorized disclosure or access, and understands whether onward transfer is allowed; and
 
3. taking into account the nature of the processing, assists the controller in responding to individuals exercising their rights under the Principles.
 
iii. Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.

Q2: How can a Privacy Shield participant acting as a processor adhere to the Frameworks’ Notice Principle?

The Notice Principle requires all Privacy Shield participants to inform individuals about thirteen discrete elements, including the following:
 
• the purposes for which it collects and uses personal information about them
 
• the choices and means the organization offers individuals for limiting the use and disclosure of their personal data
 
• the right of individuals to access their personal data

Organizations processing data only on the instructions of an EU controller frequently ask how they should address those three elements in their privacy policies.

Every Privacy Shield participant must inform individuals about all thirteen elements of the Notice Principle. Organizations processing data only on the instructions of an EU controller may choose to acknowledge that this is the function they are performing when informing individuals about these elements in their privacy policies. For instance, a processor could acknowledge that it processes data only on the instructions of an EU controller and describe the type of processing services it provides. Similarly, with respect to accessing data, a processor could provide individuals with its contact information, while noting that it will work with the EU controller to facilitate access or choice.

Q3: How can a Privacy Shield participant acting as a processor adhere to the Frameworks’ Choice Principle?

The Choice Principle states, in part, that:

“An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.  Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice.”

Supplemental Principle 10a provides that the processor acts only on instructions from the EU controller, which would include instructions regarding the Choice Principle and regarding how a mechanism to exercise choice would be provided.  As an example, an organization acting as a processor with contractual limitations on disclosure or use of information could inform individuals about these contractual limitations on its ability to disclose personal information to third parties or to use personal information for purposes other than those specified in the contract.  As another example, an organization acting as a processor could, pursuant to the EU controller’s instructions, put individuals in contact with the controller that provides a choice mechanism or offer a choice mechanism directly. 

Q4: How can a Privacy Shield participant acting as a processor adhere to the Frameworks’ Data Integrity and Purpose Limitation Principle?
“An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.  To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current...”

“Information may be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing .... This obligation does not prevent organizations from processing personal information for longer periods for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis ....”

When an organization acting as a processor is operating under contractual requirements governing data retention, accuracy and purposes of processing, it may have no direct contact with individuals to which the data pertains. In such a case, the processor should work with the EU controller to ensure that these requirements are met.

Q5: How can a participant acting as a processor adhere to the Frameworks’ Access Principle?

The Access Principle states:

“Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.”

When a Privacy Shield participant is acting as a processor, it should provide access by putting an individual in contact with the EU controller, or by working together with the EU controller to provide access, as prescribed by the EU controller.