How to comply with Privacy Shield
We self-certify compliance with Privacy Shield

Upload: termsfeed

Posted on 16-Apr-2017


TRANSCRIPT


The Privacy Shield self-certification program is important if your business is based in the U.S. and you collect, use and/or store any personal information about European citizens.

Under EU privacy laws, personal information from EU citizens cannot be transferred outside of the EU unless adequate guarantees for the privacy of that data are made.

(1) Link to https://termsfeed.com/blog/what-is-safe-harbor/

The Safe Harbor (1) program was created in the year 2000 between the EU and the U.S. in an attempt to make sure that both EU and U.S. businesses would be complying with EU privacy laws when dealing with personal information from EU citizens.

Only certain types of businesses were able to participate in the Safe Harbor program, such as:

Businesses that fall under the jurisdiction of the FTC
Businesses that fall under the jurisdiction of the DoT

The court invalidated the Safe Harbor agreement between the US and the EU.

It concluded that even if US companies were following Safe Harbor guidelines, the personal information of European citizens was at risk because US public authorities are not subject to the Safe Harbor guidelines.

The new obligations in the Privacy Shield are broader.

Self-certification is still available, but with stricter requirements.

Privacy Shield requires you to have a Privacy Policy.

If you don't have one, generate it (2) now.

(2) Link to https://termsfeed.com/privacy-policy/generator/

The agreement must let users know:

What personal information you're collecting
How you'll be using the collected personal information
What access third parties have to the collected information
Your responsibility and liability for any personal information that's transferred to a third party
How users can access their personal information after you collected it
How users can control the way you use personal information
How users can opt out of having you share personal information with third parties
How you will obtain affirmative consent from users before you disclose sensitive personal information
How you will handle complaints that users may lodge against you under the Privacy Shield program

If the third party you use to transfer personal information of users from the EU to the US fails to comply with Privacy Shield, you may be held liable unless you can show that you are not responsible for the non-compliance.

Pay attention to third parties to make sure they have adequate procedures and policies in place to ensure the protection of personal data.

The Privacy Shield requires that any data you collect must be:

Relevant for processing purposes
Reliable for the use you intend to put it to
Current
Complete
Accurate

To be compliant with the Privacy Shield requirements, you must give your users the ability to:

Access their personal information that you've collected
Correct the personal information in the event of errors
Amend their personal information as they see fit
Delete any outdated or no longer accurate information
Confirm that their personal information is actually being processed by you
If their information is being processed, confirm that it is being done so lawfully

Disputes under the Privacy Shield have a few requirements:

You must reply to all complaints within 45 days
You must provide Alternative Dispute Resolution (ADR) to your users, at no cost to them
You must provide notice that an arbitration mechanism of a Privacy Shield Panel will be made available as a last