
As if your own data privacy policies weren't complex enough, the obligation now extends beyond your walls to vendors and partners. Privacy Shield expands on Safe Harbor's requirements for controlling, and being accountable for, the onward transfer of personal data: certified organizations must specify in third-party contracts that transferred personal data may be processed only for limited and specified purposes consistent with the data subject's consent. By agreeing to such contracts, third parties are held to the same purpose limitations as the certified organization.

This means that companies are now not only responsible for ensuring that they comply with their own stated privacy and data protection policies; they must also make sure that the organizations with which they share data have comparable policies and procedures of their own.

What are organizations responsible for?

Where the third party is acting as an agent, such as a vendor, the certified organization must additionally take reasonable and appropriate steps to ensure that the agent upholds the Principles, including stopping and remediating any unauthorized processing. This downstream data protection accountability puts significant pressure on vendor selection and monitoring practices. A Privacy Shield certified organization must even provide the Department of Commerce (DOC) with the relevant third-party contractual provisions, which places some limits on contractual confidentiality.

Regardless of contractual language, a Privacy Shield certificate holder remains liable to the data subject for its vendor's breach of the Principles. The only exception is if it proves that it is not responsible for the event giving rise to the damage.

Requirements for Accountable Onward Transfer of Personal Data

For transfers of personal data to a third party acting as a controller, a Privacy Shield participant must:

  • Comply with the Notice and Choice Principles
  • Enter into a contract with the third-party controller providing that the data may be processed only for limited and specified purposes consistent with the consent given by the individual, and that the recipient will provide the same level of protection as the Principles

For transfers of personal data to a third party acting as an agent, a Privacy Shield participant must:

  • Transfer such data only for limited and specified purposes
  • Ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles
  • Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles
  • Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing
  • Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request

What does this mean for your organization?

First, you must:

  • Clearly and unambiguously indicate what personal information you are requesting and collecting from consumers
  • Give them a choice as to whether to provide it
  • Clearly tag the data you have collected with the specific purpose for which it was collected

This means that you can't leave your policies to chance or luck. Privacy Shield requires not only that you create policies that meet its mandate, but that you operationalize those policies and then prove that you have done so.


Organizations must provide "clear, conspicuous, and readily available mechanisms" by which individuals can opt out of any transfer of personal data to a third party, or of any use of the data for a purpose other than the one for which it was originally collected. Beyond this initial obligation, for particular categories of sensitive information (including data relating to health, racial or ethnic origin, political and religious opinions, trade union membership, or information concerning a person's sex life), the individual must affirmatively opt in before personal data may be transferred to a third party or used for a separate purpose.

This is a vital requirement to understand. It directly affects companies that regularly share customer data with external parties, especially if the sharing of data is not related to the original purpose of collection. It may also have implications for businesses that hold collected data over a period of time and are later subject to a merger or acquisition.

Also, the opt-in requirement means that many organizations will need to create layered consent mechanisms by which they can specifically show that an individual has chosen to permit the transfer of personal data to third parties. As many organizations collect data and obtain consent through their websites, this may require a major update of existing consent mechanisms and opt-in/opt-out practices. The same may be true for in-person or non-web-based consent forms.

What are your obligations?

When it comes to data that you plan to share with your vendors, you are now your partner's keeper. You must:

  • Limit the data you share with your partners and vendors to only the data you have permission to share
  • Proactively make sure your partners and vendors understand the purpose limitations
  • Ensure that partners and vendors will make reasonable efforts to comply with the purpose limitation and provide appropriate protection for that data

These obligations should be spelled out in your contracts. If something bad happens to your data while it is in the care of your partner or vendor, you may find yourself having to defend having shared it in the first place. So third-party vendor risk assessment must take on a new level of importance and priority.

Be sure to turn these assessments into regular, proactive reviews, and do your due diligence to ensure that they are not simply check-box exercises, but that you are very clear with these organizations about their obligations to protect the data you provide to them. Failure to do so could result in their mistakes costing your organization.

Find Out More

Prepare for certification with our EU-U.S. Privacy Shield Guide!
