EU-US Privacy Shield
We explain what the EU-US Privacy Shield is all about.
You are a European company and now want to gain a foothold in the US?
Should personal data of your customers from the EU be transferred to the USA? Then you should now think about whether the EU-US Privacy Shield is the right legal basis for the transfer of data to the United States for your company. Because even between the EU and the US, data protection is an important issue that you should consider.
What is the EU-US Privacy Shield?
The EU-US Privacy Shield is a data protection agreement between the European Commission and the US Department of Commerce, which regulates the transfer of personal data from the EU to the US. This has been the successor to the invalidated Safe Harbor Agreement since 12.07.2016 and aims, above all, to better protect the privacy of European consumers and to increase transparency in terms of collecting, using and sharing data. The benefit to American companies is that they can immediately demonstrate, through a public certification under the Privacy Shield, that European privacy standards are adhered to in the company.
At the same time, the new Privacy Shield provisions also lead to a large need for action for participating American companies, as various data protection requirements must be met.
What should be considered?
First it is necessary to sign up for the Privacy Shield www.privacyshield.gov self-certify and assure that you recognize and obey the Privacy Shield Principles. If this has been done, then one must first of all pay attention to the extensive information obligations stipulated by Principle I of the Privacy Shield Regulations. This information should be made clear and clear to the customer. These include the types of data collected and the purpose for which the data was collected. In addition, whether a transfer to third parties and if so, for what purpose. In this context, the potential liability of your company should also be clarified if data are passed on to unnamed third parties or if the third party uses the data incorrectly. Consumers should also be informed about their right of access to the data, their right to choose for what purpose the data may be used and their right to correct or update the data collected. In addition, your company must have an independent dispute resolution mechanism in place and communicate it to the consumer.
In addition to these there are other information requirements and also internal requirements, which you must fulfill as an American company. Violation of these principles can lead to complaints from consumers as well as to official or court orders and, as a result, to fines.
What does a company have to inform about?
In order to participate in the EU – US Privacy Shield, the following information must be clearly visible:
- their participation in the Privacy Shield with a link to the Privacy Shield list or the web address of the list,
- the types of personal data collected and, where applicable, the organizations or subsidiaries of the organization that also comply with the principles,
- their obligation to apply the principles to all personal data received from the EU on the basis of the Privacy Shield,
- for what purpose it collects and uses the personal data about it,
- how to contact the organization in case of any inquiries or complaints, including information about a relevant body in the EU that can respond to such requests or complaints;
- the category and identity of third parties to whom the data are shared and the purpose of the transfer,
- the right of individuals to access their personal data,
- what means and means it makes available to private individuals in order to limit the use and disclosure of their personal data,
- the independent dispute settlement body designated to handle complaints and free legal protection for the individual, and whether 1 is the body set up by data protection authorities, 2, an EU-based alternative dispute resolution provider or 3) in the United States States-based alternative dispute resolution provider,
- the investigative and enforcement powers of the FTC, the Department of Transportation or any other authorized US authority that apply to the organization;
- the possibility of enforcing binding arbitration under certain conditions,
- the provision to disclose personal data at the legitimate request of public authorities in order to comply with national security or law enforcement requirements, and;
- the liability of the organization in case of disclosure to third parties.
Therefore, it is particularly important to be advised by a specialist from the beginning about this complex topic and not take any risks.
We already have well-known companies like the TeamSpeak Systems Inc. For the EU-US Privacy Shield certified and therefore know exactly what is important.
Attorney Stephen Hendel as well as the entire law firm Gabler und Hendel will be happy to answer your questions. We are also happy to take care of the self-certification and the creation of a legally compliant Privacy Shield declaration for you.
Your comment
Participate in discussion?Leave us your comment!