CFBAI_ProgramBackgrounds_4-28-2020

For EU, UK, and Swiss Consumers: BBB EUPS Dispute Resolution Process

Welcome to the BBB EU Privacy Shield consumer complaint system. We help individual consumers resolve privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Our program is an independent dispute resolution mechanism operated by BBB National Programs, a non-profit organization based in the United States.  BBB EU Privacy Shield is a successor program to BBB EU Safe Harbor, one of two original independent dispute resolution mechanisms supporting the U.S.-EU Safe Harbor Framework when it came into effect in 2000. 

 

If you are an individual in the European Union, United Kingdom, or Switzerland with a Privacy Shield complaint against a participating U.S. business, you may submit the complaint to our program. Our process is free of charge for individual consumers.

We will review all eligible complaints and help you and the participating business reach a resolution as described in our program’s Rules. A Participating Business must comply with BBB EU Privacy Shield’s final determination of any dispute. However, our process is non-binding on the consumer, which means that using our dispute resolution process will not affect your legal rights as an individual. 

Is your complaint eligible for resolution by BBB EU Privacy Shield?

Your complaint must concern personal data about you that was collected in a covered country and received in the United States by a Participating Business pursuant to Privacy Shield.

 

1. Eligible individual.

Your complaint concerns personal data about you (or your child under 13 years old).

 

2. Covered country.

Your personal data was collected in one of the following countries:

European Union 

Austria 

Belgium 

Bulgaria 

Croatia 

Cyprus 

Republic 

Denmark 

Estonia 

Finland 

France 

Germany 

Greece 

Hungary 

Ireland 

Italy 

Latvia 

Lithuania 

Luxembourg 

Malta 

Netherlands 

Poland 

Portugal 

Romania 

Slovakia 

Slovenia 

Spain 

Sweden 

 

European Economic Area 

Iceland 

Liechtenstein 

Norway 

The United Kingdom 

Switzerland

3. Participating business.

Your personal data was received in the United States by a U.S. organization that is both:

 

a. Self-certified under one of the Privacy Shield Frameworks (you may check the current list on the official Privacy Shield website), and


b. A Participating Business with BBB EU Privacy Shield (you may search our list of current participants when you file your complaint).

.

 

4. Privacy Shield complaint or inquiry.

Your complaint must allege a violation of the Privacy Shield Principles by the Participating Business or assert your rights under the Principles in relation to your personal data.

 

Please reach out to the U.S. business via the contact information listed on its privacy policy and/or the Privacy Shield List before filing your complaint with BBB EU Privacy Shield. Under the Privacy Shield Frameworks, the business has 45 days to respond to your inquiry.

FAQs for Consumers

 

What are the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks?

The U.S. Department of Commerce and the European Commission developed the “EU-U.S. Privacy Shield” Framework, enabling U.S. businesses to receive and process personal data from the EU, UK, and EAA countries and helping them comply with EU data protection requirements. The EU-U.S. Privacy Shield Framework replaced the U.S.-EU Safe Harbor Framework on July 12, 2016.

 

On January 12, 2017, the Swiss Government approved the Swiss-U.S. Privacy Shield Framework (replacing the U.S.-Swiss Safe Harbor Framework) as a valid legal mechanism for U.S. companies to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States. 

 

 

What is personal data?

Under the Privacy Shield Frameworks, personal data (also known as “personal information”) are data about an identified or identifiable individual that are within the scope of the applicable data protection law, received by an organization in the United States from a covered country, and recorded in any form. Additional protections may be provided for certain categories of personal data, such as “sensitive personal data,” which, under the EU-U.S. Privacy Shield Framework includes “personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and information specifying the sex life of the individual.” (Note that additional categories of personal information are considered personal under the Swiss-U.S. Privacy Shield Framework.)

 

 

What are my rights under Privacy Shield?

If your personal data is collected in the EU, UK, or Switzerland and is transferred to the United States for processing pursuant to the Privacy Shield Frameworks, the participating U.S. business must provide you with certain information and options regarding your data. These rights are listed on the U.S. Department of Commerce official Privacy Shield website.

 

 

What is the role of BBB EU Privacy Shield?

Many companies participating in the Privacy Shield Frameworks have chosen BBB EU Privacy Shield to help resolve privacy disputes that arise with individuals in the EU, UK, or Switzerland whose data the company received in the United States pursuant to Privacy Shield. We refer to these companies as “Participating Businesses.”

 

The Privacy Shield Frameworks require that Independent Recourse Mechanisms like BBB EU Privacy Shield be impartial, readily available and offered at no cost to EU and Swiss individuals, and that they ensure compliance with the data protection protections of the Privacy Shield. BBB EU Privacy Shield's obligations as an independent recourse mechanism are listed in Section 11 of the Privacy Shield Framework.


The BBB EU Privacy Shield dispute resolution procedure:

 

  • Is readily accessible to individual complainants through a secure, online complaint intake form accessed directly via a hyperlink in the privacy policy of each Participating Business
  • Has always been offered free of charge to individuals
  • Provides a speedy and fair resolution option through the staff conciliation process
  • When conciliation fails, provides impartial and enforceable resolution by means of an independent Panelist’s Data Privacy Review and determination of the issues in the dispute.

 

All participating businesses in BBB EU Privacy Shield sign an agreement requiring them to participate in the dispute resolution process, and to abide by final determinations by BBB National Programs or the Panelist, including any sanctions or corrective action.

 

Participating businesses also agree that if they fail to take corrective action required by a final determination, the matter may be referred to the Federal Trade Commission, and the fact of the referral may be made public by BBB National Programs. Such a referral will also be notified to the Department of Commerce, which may remove the company from the Privacy Shield List for noncompliance.


BBB National Programs publishes an annual  BBB EU Privacy Shield Procedure Report that summarizes the number and nature of privacy complaints and the actions taken by BBB National Programs (and any Data Privacy Review Panelist); as well as the number and nature of complaints deemed ineligible for processing. If a participating business fails to comply with a final determination of the program and is referred to the Federal Trade Commission for noncompliance, a Case Report will be published in the Procedure Report summarizing the case and its outcome, identifying the company and the fact of noncompliance.

 

 

How will BBB EU Privacy Shield help resolve my privacy complaint?

File a privacy complaint against a Participating Business using the BBB EU Privacy Shield complaint form. You can report a company’s violation of a posted Privacy Shield privacy policy or raise a privacy concern about the company's compliance with the Privacy Shield Principles.

 

The BBB EU Privacy Shield complaints process works as follows:


1. When you submit a complaint, BBB National Programs staff will first verify that the complaint is eligible for resolution under our Procedure Rules, and that you have provided enough information to proceed. If you should require translation or interpretation services at any time during the dispute resolution procedure, they will be provided for you at no cost. All other costs of administering the complaint procedure will be the responsibility of either BBB National Programs or the participating business. The complaint handling service is provided free of charge to individual complainants.

 

2. Staff will verify with you that you have made a good faith effort to resolve the complaint with the participating business. Note that the business is required to respond to your complaint within 45 days.

 

3. Once you have provided sufficient information to verify your complaint, BBB EU Privacy Shield will pass your complaint to the Participating Business and will try to help you and the business resolve the complaint through an exchange of information. This process is called conciliation. Staff will try to help you reach a resolution, or settlement, of your complaint. 

If the complaint is resolved through this process, staff will send you and the business a settlement letter and will close out the case.  

 

4. If conciliation does not resolve the dispute, you will be able to seek a Data Privacy Review, a form of non-binding arbitration conducted by an independent decision maker (a Panelist), selected in an impartial manner to avoid conflicts of interest. BBB National Programs staff will administer this process, obtaining written statements of your respective positions from you and the participating business. Staff will assemble these documents into the Case Record, which they will present to the Panelist for review. 

 

5. The Panelist will be asked to make best efforts to issue a Decision within 10 business days of receiving the Case Record. During this time, he or she may request additional information from you or the business and may ask you and the business to take part in a telephone hearing if he or she thinks it necessary to resolve the matter. 

 

6. If the Panelist finds that a violation of the Principles occurred, he or she may require the participating business to implement corrective action, including (1) access to, correction, or suppression of data; or (2) processing of data consistent with the Privacy Shield Principles. 

 

7. The Panelist’s finding is not binding on the individual complainant and does not preclude the individual from seeking additional remedies under the Privacy Shield Frameworks if he or she is dissatisfied with the outcome of the BBB EU Privacy Shield dispute resolution procedure. These redress options are described in Annex I of the Privacy Shield Framework.

 

It is the objective of the BBB EU Privacy Shield Procedure to resolve complaints in a transparent, fair and timely manner. Our goal is to resolve conciliated complaints within 15 days, and if a Data Privacy Review is initiated, to conclude that process in no longer than 60 days.

 

See our Procedure Rules for more details.

 

 

How do I submit my Privacy Shield complaint?

Please use our online complaint form to submit your complaint. You may also submit your complaint by postal mail at the following address:

 

BBB National Programs, Inc.

ATTN: BBB EU Privacy Shield

3033 Wilson Boulevard, Suite 600

Arlington, VA 22201

U.S.A.