Privacy Policy Requirements


As part of our application process, a draft of your privacy policy must be made available for our review and approval before we can confirm your company's participation in BBB EU PRIVACY SHIELD (BBB EUPS). The privacy policy must comply both with our program requirements and with the requirements of the U.S. Department of Commerce (DOC) for participants in the EU-US Privacy Shield and, if applicable, the Swiss-US Privacy Shield. As part of our full-service Independent Recourse Mechanism (IRM) model, we will provide hands-on assistance and step-by-step instructions for aligning your policy with these requirements after you apply. Before applying, please review the steps below closely to ensure you are fully prepared for the self-certification process.


Step 1: Develop your Privacy Shield-compliant Privacy Policy Statement: 

Remember, after your self-certification is approved, your Privacy Shield notice must be publicly available, written in clear and conspicuous language, and prominently linked on your website and: 

- When individuals are first asked to provide personal information to your organization; or
- As soon thereafter as is practicable.

Additional privacy policy guidance and tips can be found in our supplemental document Privacy Policy Checklist, and on the Department of Commerce Privacy Shield website: Privacy Shield Framework - Program Overview

Also, see Steps 2 and 3 below for Department of Commerce and BBB EUPS required language, which you MUST include in your privacy policy as a condition of participation in BBB EU Privacy Shield. 

Key Privacy Policy Elements: 

1. State your company's legal name and, where applicable, list any U.S. subsidiaries or affiliates also adhering to the Privacy Shield Principles. If you intend to cover an affiliate or subsidiary under the same account, that subsidiary or affiliate MUST link to a single corporate privacy policy. After approval, this common corporate privacy policy must be posted on the parent (APPLICANT) company's website and on all covered subsidiary domains, and must be bound to a single privacy contact. Otherwise, the subsidiary or affiliate will need to submit a separate BBB EU Privacy Shield application on our website.

      NOTE: All subsidiaries and affiliates that you wish to be covered by BBB EU Privacy Shield must be listed in your Participation Agreement.  

2. State your organization's adherence to the Privacy Shield Principles with respect to data received from the EU and the UK and/or Switzerland in reliance on the Privacy Shield Frameworks, and provide a link to the Privacy Shield List on the Commerce Department website.

3. Describe the TYPES of data your company is collecting under Privacy Shield (e.g., name, mailing or email address, biometric data).

4. Note the PURPOSES for which each type of data is being collected and used (may include, e.g., sales, marketing, order fulfillment, research). 

5. Inform individuals whose personal data you are processing of their right under Privacy Shield to access, correct or delete their personal data. 

6. Describe the choices and means your organization offers individuals for limiting use and disclosure of their personal data. 

7. Either DESCRIBE the types of third parties (e.g., business partners, advertisers, vendors) or IDENTIFY by name specific third parties, to which your organization discloses personal information originating in the EU or Switzerland. Also state the PURPOSES for which you share the information with each third party. 

8. Note that your company may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. 

9. Note your company’s potential liability in cases of onward transfers of Privacy Shield data to third parties. 

10. Provide a point of contact (a dedicated email address, or company contact information) in your organization for privacy inquiries and complaints.  Where applicable, identify any “relevant establishment” (such as a parent company, affiliate or branch office) your organization may have in the EU or Switzerland that is able to handle Privacy Shield inquiries and complaints on your behalf. 

11. Identify the independent dispute resolution mechanism you have designated to handle privacy complaints free of charge to EU and Swiss individuals, and include a working link to the website it uses for complaint handling. 

      NOTE: BBB EUPS required language shown in Step 3 below MUST be included in your privacy policy to meet this requirement. 

12. Note the possibility, under certain limited conditions, for individuals to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission. 

13. State that your company is subject to the investigatory and enforcement powers of the Federal Trade Commission, the Department of Transportation, or another U.S. statutory body authorized to enforce Privacy Shield.

Additional guidance and tips on meeting the above requirements can be found in our supplemental document Privacy Policy Checklist, and on the Department of Commerce Privacy Shield website: Privacy Shield Framework - Program Overview


Step 2: Ensure that your policy includes a required affirmation statement. 

Include an affirmative commitment to adhere to the Privacy Shield Principles and the Supplemental Principles that make up the Privacy Shield Framework(s). Included below for your reference are concise examples of Privacy Shield-compliant "affirmative statements" you may use to refer to the Framework(s) your company is using:

Where self-certifying to BOTH the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework: 

[INSERT your organization name] complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on Privacy Shield.  [INSERT your organization name] has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

Where self-certifying to the EU-US Privacy Shield Framework only: 

[INSERT your organization name] complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom to the United States in reliance on Privacy Shield.  [INSERT your organization name] has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/


Step 3: Identify BBB EU PRIVACY SHIELD as your independent recourse mechanism for Privacy Shield privacy complaints, and provide a link to our online complaint handling system for use by European Union, United Kingdom, and Swiss individuals.

Please use the following language for this purpose: 

Where self-certifying to both the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework: 

In compliance with the Privacy Shield Principles, [INSERT your organization name] commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union, United Kingdom, and Swiss individuals with Privacy Shield inquiries or complaints should first contact [INSERT your organization name] at: 

[INSERT contact information for your organization's internal complaints mechanism] 

[INSERT your organization name] has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you. 

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See Privacy Shield Annex 1 at  https://www.privacyshield.gov/article?id=ANNEX-I-introduction 

Where self-certifying to the EU-US Privacy Shield Framework only: 

In compliance with the Privacy Shield Principles, [INSERT your organization name] commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and United Kingdom individuals with Privacy Shield inquiries or complaints should first contact [INSERT your organization name] at: 

[INSERT contact information for your organization's internal complaints mechanism] 

[INSERT your organization name] has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See Privacy Shield Annex 1 at  https://www.privacyshield.gov/article?id=ANNEX-I-introduction 


Step 4: Other privacy policy considerations.

Does Your Company Process Human Resources Data in the U.S. for Your Employees Based in the EU, the UK, or Switzerland? Most BBB EU Privacy Shield participants use Privacy Shield only for transfers of commercial Personal Data collected from consumers or others outside their organizations. However, some companies also wish to cover the internal human resources (HR) data of their EU, UK, or Swiss employees. If your organization also intends to cover HR Data under your Privacy Shield certification, please ask us for our guidance document, Covering Human Resources Data Under Privacy Shield.

Addressing the General Data Protection Regulation in Your Privacy Policy: Many BBB EU Privacy Shield participants are complying with the EU General Data Protection Regulation (GDPR) with respect to personal data collected in the European Union, and are also using Privacy Shield as a transfer mechanism to authorize processing of that data in the United States. To avoid confusion about the complaint process, it is important to distinguish the obligations and data subject rights under Privacy Shield from those under GDPR and similar laws. 

If your organization is addressing Privacy Shield and GDPR in the same privacy notice, please carefully review our supplemental document Addressing the General Data Protection Regulation in Your Privacy Policy for additional privacy policy guidance. 


Step 5: Make your policy "publicly available" after approval by the Department of Commerce.

We require participating companies to have a readily accessible (consumer-facing) and clearly labeled privacy policy. At a minimum, the policy should be linked from your company's homepage and from all pages where personal information is collected (not "buried" in the site). Important Note: Do not post your Privacy Shield-compliant policy to your website until the Department of Commerce has reviewed your policy and instructed you to do so.