
Privacy Policy Requirements
As part of the BBB EU Privacy Shield application process, a draft of your organization’s privacy policy must be made available for our review and approval before we can confirm your company's participation. The privacy policy must comply both with our program requirements and with the requirements of the U.S. Department of Commerce for participants in the EU-U.S. Privacy Shield and/or the Swiss-U.S. Privacy Shield. As part of our expanded Independent Recourse Mechanism (IRM) services model, we will provide hands-on assistance and step-by-step instructions for aligning your policy with these requirements after you apply.
Before applying, please closely review the below steps to ensure you are fully prepared for the self-certification process.
After your self-certification is approved, your Privacy Shield notice must be accurate, comprehensive, prominently displayed, completely implemented, and accessible.
As the Privacy Shield Principles require, “This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.” Section II(1)(b).
The following is a brief overview of each key privacy policy element, as required by the Privacy Shield Notice Principle. Additional privacy policy guidance and tips on meeting your substantive Privacy Shield obligations can be found in our supplemental document for participants, Privacy Policy Checklist, and on the Department of Commerce privacy policy FAQs pages.
- Legal name and subsidiaries. State your organization’s legal name and, where applicable, list any U.S. subsidiaries or affiliates also adhering to the Privacy Shield Principles. If you do intend to cover an affiliate or subsidiary under the same account, that entity must abide by the same privacy policy as the primary company and must share a single point of contact for Privacy Shield complaints. After approval, this common corporate privacy policy must be posted on the primary company’s website and all covered subsidiary websites. Otherwise, the subsidiary or affiliate will need to submit a separate BBB EU Privacy Shield application on our website. NOTE: All subsidiaries and affiliates that you wish to be covered by BBB EU Privacy Shield must be listed in your Participation Agreement.
- Affirmation statement. State your organization’s adherence to the Privacy Shield Principles with respect to personal data received from the EU, UK, and/or Switzerland in reliance on the Privacy Shield Frameworks. The affirmation statement must also include a link to the Department of Commerce’s Privacy Shield list. See sample language in step 2.
- Types of data. Describe, either in your Privacy Shield notice or within the rest of your privacy policy, the types of personal data your company is collecting and processing under Privacy Shield (e.g., name, email address, biometric information, location information, etc.).
- Purposes of processing. Describe the purposes for which each type of personal data is being collected and used (e.g., sales, marketing, order fulfillment, research).
- Individual rights. Inform individuals whose personal data you are processing of their right under Privacy Shield to access, correct, or delete their personal data.
- Choice. Describe the choices and means your organization offers individuals for limiting use and disclosure of their personal data.
- Third-party sharing and purposes of sharing. Either describe the types of third parties (e.g., business partners, advertisers, vendors) or identify by name specific third parties to which your organization discloses personal information. Also state the purposes for which you disclose personal information with each third party.
- Government access. Disclose that your organization may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
- Onward transfer. Note your company’s potential liability in cases of onward transfers of Privacy Shield data to third parties.
- Complaint contact. List a point of contact (a dedicated email address is best) within your organization for privacy inquiries and complaints. Where applicable, identify any “relevant establishment” of your organization in the EU or Switzerland (such as a parent company, affiliate, or branch office) that can handle Privacy Shield inquiries and complaints on your behalf.
- Independent Recourse Mechanism. Identify BBB EU Privacy Shield, your designated IRM for handling privacy complaints from EU, UK, and/or Swiss individuals, and include a working link to our complaint portal. See required language in step.
- Last-resort arbitration. Note the possibility, under certain limited conditions, for individuals to invoke binding arbitration to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
- Enforcement. State that your organization is subject to the investigatory and enforcement powers of, as applicable, the Federal Trade Commission, the Department of Transportation or another U.S. authorized statutory body.
Include an affirmative commitment to adhere to the Privacy Shield privacy principles and the supplemental principles that together make up the Privacy Shield Framework. Included below for your reference are concise examples of Privacy Shield-compliant “affirmation statements.”
Where self-certifying to both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework:
[INSERT your organization name] complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on Privacy Shield. [INSERT your organization name] has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
Where self-certifying to the EU-U.S. Privacy Shield Framework only:
[INSERT your organization name] complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom to the United States in reliance on Privacy Shield. [INSERT your organization name] has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
Please use the following language to identify BBB EU Privacy Shield as your Independent Recourse Mechanism:
Where self-certifying to both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework:
In compliance with the Privacy Shield Principles, [INSERT your organization name] commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union, United Kingdom, and Swiss individuals with Privacy Shield inquiries or complaints should first contact [INSERT your organization name] at: [INSERT contact information for your organization's internal complaints mechanism]
[INSERT your organization name] has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
Where self-certifying to the EU-U.S. Privacy Shield Framework only:
In compliance with the Privacy Shield Principles, [INSERT your organization name] commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and United Kingdom individuals with Privacy Shield inquiries or complaints should first contact [INSERT your organization name] at: [INSERT contact information for your organization's internal complaints mechanism]
[INSERT your organization name] has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
HR Data. Does your company process human resources data in the U.S. for your employees based in the EU, the UK, or Switzerland? Most BBB EU Privacy Shield participants use Privacy Shield only for transfers of commercial Personal Data collected from consumers or others outside their organizations. However, some companies also wish to cover the internal human resources (HR) data of their EU or Swiss employees. If your organization also intends to cover HR Data under your Privacy Shield certification, please ask us for our guidance document, Covering Human Resources Data Under Privacy Shield.
GDPR. Many BBB EU Privacy Shield participants are complying with the EU General Data Protection Regulation (GDPR)—or similar data protection laws—with respect to personal data collected in participating countries, while relying on Privacy Shield as an authorized international transfer mechanism to enable them to receive this data in the United States. To avoid confusion about the complaint process, it is important to distinguish the obligations and data subject rights under Privacy Shield from those under GDPR and similar laws. If your organization is addressing Privacy Shield and GDPR in the same privacy notice, please carefully review our supplemental document, Addressing the General Data Protection Regulation in Your Privacy Policy, for additional privacy policy guidance.