6. Is there a Privacy Shield Certification mark that my organization can use once its certification has been finalized?
- Not yet. The Department of Commerce intends to make a Privacy Shield certification mark available to participating organizations. We will let participants know as soon as the mark is available for use.
7. Are there different requirements under Privacy Shield for non-Human Resources and Human Resources privacy policies?
- Yes. While the same policy can be used to cover both human resources (HR) data transferred from the EU and/or Switzerland in the context of the employment relationship and non-HR personal data, there are two key differences to note.
- Second, both your organization’s HR and non-HR policies must include information about the specific independent dispute resolution body that is available to address complaints and provide appropriate recourse free of charge to the individual. With regard to HR data, the relevant body must be the panel established by EU data protection authorities (DPAs) under the EU-U.S. Privacy Shield Framework or the Swiss Federal Data Protection and Information Commissioner under the Swiss-U.S. Privacy Shield Framework. With regard to non-HR data, your organization can choose either a private-sector dispute resolution provider or the EU DPAs under the EU-U.S. Privacy Shield Framework/the Swiss Federal Data Protection and Information Commissioner under the Swiss-U.S. Privacy Shield Framework. Sample language is provided below to assist you in this regard.
In compliance with the Privacy Shield Principles, (INSERT your organization name) commits to resolve complaints about our collection or use of your personal information. (INSERT European Union and/or Swiss, as applicable) individuals with inquiries or complaints regarding our Privacy Shield policy should first contact (INSERT your organization name) at:
(INSERT contact information for your organization's internal complaints mechanism)
FOR USE INFORMING INDIVIDUALS THAT YOUR ORGANIZATION HAS SELECTED A PRIVATE SECTOR DISPUTE RESOLUTION PROVIDER (ONLY APPLICABLE WHEN COVERING NON-HR DATA)
(INSERT your organization name) has further committed to refer unresolved Privacy Shield complaints to (INSERT your selected independent dispute resolution provider), an alternative dispute resolution provider located in the (INSERT the United States, the EU, or Switzerland, as applicable). If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit (INSERT your selected independent dispute resolution provider) for more information or to file a complaint. The services of (INSERT your selected independent dispute resolution provider) are provided at no cost to you.
FOR USE INFORMING INDIVIDUALS THAT YOUR ORGANIZATION WILL COOPERATE WITH EU DPAS AND/OR THE SWISS FEDERAL DATA PROTECTION AND INFORMATION COMMISSIONER (REQUIRED WITH REGARD TO HR DATA AND AN ALTERNATIVE TO SELECTING A PRIVATE SECTOR PROVIDER WHEN COVERING NON-HR DATA)
(INSERT your organization name) commits to cooperate with (INSERT the panel established by the EU data protection authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable) and comply with the advice given by (INSERT the panel and/or Commissioner, as applicable) with regard to [human resources] data transferred from (INSERT the EU and/or Switzerland, as applicable) [in the context of the employment relationship].
8. The Privacy Shield requires that my organization inform individuals about how to contact the organization with any inquiries or complaints as well as about the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual. Does the Privacy Shield team recommend any particular approach in providing this notice?
- Yes. The Privacy Shield team has found that the clearest policies provide contact information for the organization, including any relevant establishment in the EU and/or Switzerland, directly above contact information for the independent recourse mechanism which is available to address unresolved complaints. Please see FAQ 6 above for sample language.
- Placing these two required elements together in this order makes it clear that an individual should first contact the organization with any questions or complaints and then proceed to the independent recourse mechanism if needed.
- Both. During the certification process, your organization will be asked to list “all entities or subsidiaries of your organization that are also adhering to the Privacy Shield Principles and are covered under your organization’s self-certification.” This is where you should list any subsidiaries or other entities within your organization that also adhere to the Principles. You do not need to list your organization itself, nor particular program operations; list only entities and subsidiaries.
The Department of Transportation has jurisdiction over (INSERT your organization name)’s compliance with the Privacy Shield.