EU Privacy Shield Privacy Policy Requirements

Privacy Policy Requirements

 

A draft of your privacy policy must be made available for our review and approval before we can confirm your company's participation in BBB EU PRIVACY SHIELD. The privacy policy must comply both with our program requirements and with the requirements of the Department of Commerce (DOC) for participants in the EU-US Privacy Shield and, if applicable, the Swiss-US Privacy Shield. Finally, the policy must be posted on your public website before you self-certify to the Privacy Shield Framework(s).


Step 1: Develop your Privacy Shield-compliant Privacy Policy Statement:

When developing your new privacy policy, start by reviewing the following key privacy policy elements to make sure you are referencing all Privacy Shield elements. Remember that your privacy policy must be made publicly available in clear and conspicuous language:

  • When individuals are first asked to provide personal information to your organization; or
  • As soon thereafter as is practicable

Additional guidance and tips can be found on the U.S. Department of Commerce Privacy Shield website: Privacy Shield Framework - Privacy Policy FAQs.

Also, see Steps 2 and 3 below for Department of Commerce and BBB required language, which you MUST include in your privacy policy as a condition of participation in BBB EU Privacy Shield. 

Key Privacy Policy Elements:

1.  State your company’s legal name and, where applicable, list any US company subsidiaries or affiliates also adhering to the Privacy Shield Principles.  Please keep in mind if you do intend to cover an affiliate or subsidiary under the same account, that sub/affiliate MUST link to a single corporate privacy policy.  This common corporate privacy policy must be present on the parent (APPLICANT) company’s website and all covered subsidiary domains, and must be bound with a single privacy contact.  Otherwise, the subsidiary or affiliate will need to submit a separate BBB EU Privacy Shield application on our website. 

      NOTE: If these companies are to be covered by BBB EU Privacy Shield, they must be listed in your Participation Agreement.  

2. State your organization’s adherence to the Privacy Shield Principles with respect to data received from the EU and/or Switzerland in reliance on the Privacy Shield Frameworks, and also provide a link to the Privacy Shield List on the Commerce Department website.

      NOTE: Use the BBB EU PRIVACY SHIELD required language detailed in Step 2, below, to meet this requirement.

3. Describe the TYPES of data your company is collecting under Privacy Shield (types of data may include e.g., name, mailing or email address, biometric data, etc.)

4. Note the PURPOSES for which each type of data is being collected and used (may include, e.g., sales, marketing, order fulfillment, research). 

5. Inform individuals whose personal data you are processing of their right under Privacy Shield to access, correct or delete their personal data.

6. Describe the choices and means your organization offers individuals for limiting use and disclosure of their personal data.

7. Either DESCRIBE the types of third parties (e.g., business partners, advertisers, vendors) or IDENTIFY by name specific third parties, to which your organization discloses personal information originating in the EU or Switzerland. Also state the PURPOSES for which you share the information with each third party.

8. Note that your company may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

9. Note your company’s potential liability in cases of onward transfers of Privacy Shield data to third parties.

      NOTE: See the Commerce Department's Privacy Policy FAQ #12 for further guidance on this requirement.

10. Provide a point of contact (a dedicated email address, or company contact information) in your organization for privacy inquiries and complaints.  Where applicable, identify any “relevant establishment” (such as a parent company, affiliate or branch office) your organization may have in the EU or Switzerland that is able to handle Privacy Shield inquiries and complaints on your behalf.

11. Identify the independent dispute resolution mechanism you have designated to handle privacy complaints free of charge to EU and Swiss individuals, and include a working link to the website it uses for complaint handling.

      NOTE: BBB EU PRIVACY SHIELD required language shown in Step 3 below MUST be included in your privacy policy to meet this requirement.

12. Note the possibility, under certain limited conditions, for individuals to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission. 

13. State that your company is subject to the investigatory and enforcement powers of either: the Federal Trade Commission, the Department of Transportation or another U.S. authorized statutory body.

      NOTE: This is a required statement. In almost every case the FTC will be the relevant agency. Suggested language can be found in Privacy Policy FAQ #10 of the Privacy Shield website.

Additional guidance and tips on meeting the above requirements can be found on the U.S. Department of Commerce Privacy Shield website: Privacy Shield Framework - Privacy Policy FAQs.

Step 2: Ensure that your policy includes a required affirmation statement.

Include an affirmative commitment to adhere to the Privacy Shield privacy principles and the 15 FAQs that make up the Privacy Shield Framework(s). Included below for your reference are concise examples of Privacy Shield-compliant "affirmative statements" you may use to refer to the Frameworks your company is using:

Where self-certifying to BOTH the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework:

[INSERT your organization name] complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to Privacy Shield. [INSERT your organization name] has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

Where self-certifying to the EU-US Privacy Shield Framework only:

[INSERT your organization name] complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries transferred to the United States pursuant to Privacy Shield. [INSERT your organization name] has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

Step 3: Identify BBB EU PRIVACY SHIELD as your independent recourse mechanism for Privacy Shield privacy complaints, and provide a link to our online complaint handling system for use by European Union and/or Swiss individuals.

Please use the following language for this purpose:

Where self-certifying to both the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework:

In compliance with the Privacy Shield Principles, [INSERT your organization name] commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact [INSERT your organization name] at:

[INSERT contact information for your organization's internal complaints mechanism]

[INSERT your organization name] has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

Where self-certifying to the EU-US Privacy Shield Framework only:

In compliance with the Privacy Shield Principles, [INSERT your organization name] commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints should first contact [INSERT your organization name] at:

[INSERT contact information for your organization's internal complaints mechanism]

[INSERT your organization name] has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

Does Your Company Process Human Resources Data in the U.S. for Your Employees Based in the EU or Switzerland?

Most BBB EU Privacy Shield participants use Privacy Shield only for transfers of commercial Personal Data collected from consumers or others outside their organizations. However, some companies also wish to cover the internal human resources (HR) data of their EU or Swiss employees. If your organization also intends to cover HR Data under your Privacy Shield certification, please review the following guidance document: Covering Human Resources Data Under Privacy Shield.

If your company wishes to cover HR Data, you may add the following language to your complaint handling statement (above the 'binding arbitration' paragraph) for this purpose:

If your complaint involves human resources data transferred to the United States from the EU [and/or Switzerland] in the context of the employment relationship, and [INSERT your organization name] does not address it satisfactorily, [INSERT your organization name] commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) [and/or the Swiss Federal Data Protection and Information Commissioner, as applicable] and to comply with the advice given by the DPA panel [and/or Commissioner, as applicable] with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.

Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

Addressing the General Data Protection Regulation in Your Privacy Policy

Many BBB EU Privacy Shield participants are complying with the EU General Data Protection Regulation (GDPR) with respect to personal data collected in the European Union, and are also using Privacy Shield as a transfer mechanism to authorize processing of that data in the United States. Some organizations also may be using Privacy Shield to authorize transfers to the United States of personal data from Switzerland, which is not subject to the GDPR. To avoid confusion, it is important to distinguish the obligations and data subject rights of GDPR and Privacy Shield in your public privacy notice.

If your organization is addressing Privacy Shield and GDPR in the same privacy notice, please carefully review our supplemental document “Addressing the General Data Protection Regulation in Your Privacy Policy” for additional privacy policy guidance.

Step 4: Make your policy "publicly available" after approval by the Department of Commerce.

We require participating companies to have a readily accessible (consumer-facing) and clearly labeled privacy policy. At a minimum, the policy should be linked to from your company’s homepage and from all pages where information is collected (not ‘buried’ in the site). Important Note: Do not post your Privacy Shield-compliant policy to your website until the Department of Commerce has reviewed your policy and instructed you to do so.