Don’t Get Caught Out: How US Companies Can Comply with the GDPR after the Adequacy decision from the EU

In the recent blog Finally Unlocking Transatlantic Data Flow: How the Adequacy Decision Impacts US and EU Companies we explain how this EU decision unlocked the transatlantic personal data flow from EEA and in near future UK and Switzerland to the US.

But what does this unlocked flow mean for US companies that receive personal data from EEA companies, UK and Swizz after 10 July the day when this decision was adopted?

Three types of US companies are affected by the EU-US Data Privacy Framework (DPF) and these are:

Current Privacy Shield Participant Converting to the Data Privacy Framework (DPF):

These are US companies that were participants in the previous Privacy Shield framework (before the Adequacy decision and invalidating the Privacy Shield by the ECJ in July 2020 in a case called “Schrems II) and are now willing to transition to the new (DPF).

New DPF Participant:

These are US companies that were not previously self-certified to the Privacy Shield but are now interested in transferring personal data from the EU, Norway, Iceland, Liechtenstein, the UK, or Switzerland.

U.S. Entity Not Self-Certified to the DPF:

US entities that have not participated in the Privacy Shield or DPF but are eligible to do so.

Each of these companies can receive personal data from EEA, UK and Switzerland but there are some conditions that have to be met:

The first group – Current Privacy Shield Participants needs to go through a self certification process and to do the following:

– Gather Information (necessary details about the company, including its legal name, display name, address, city, state/territory, and zip code).

– Identify a company contact for handling complaints and access requests, providing their office details, name, job title, email, and phone.

– Provide Corporate Officer Information responsible for certifying your company’s compliance, including their name, job title, email, and phone.

– List all U.S. entities or subsidiaries to be covered by your self-certification.

– Describe Data Activities including the types of personal data covered under the DPF and, if applicable, the UK Extension to the DPF, and/or the Swiss-U.S. DPF.

– Briefly explain the purposes for processing personal data, the types of data processed (e.g., company, customer, client, visitor data), and any third-party disclosures.

– List any privacy programs your company is a member of.

– Provide Company Characteristics – indicate your company’s annual revenue range to determine the self-certification fee, the number of employees in your company and select the relevant industry sector(s) applicable to your company.

– Review and align their Privacy Policy with current practices and DPF Principles no later than October 10, 2023 and upload a draft privacy policy consistent with the DPF principles.

– Ensure an Independent recourse mechanism (IRM) for complaint investigation.

– Verify DPF privacy practices through self-assessment or compliance reviews.

– Contribute to the Annex I Binding Arbitration Mechanism, if applicable.

– Go through the self-certification process for the U.K. extension of the EU-U.S. Data Privacy Framework (DPF) after the U.K.-U.S. Data Bridge receives authorization from the UK Government. This is for UK companies.

– Update its privacy policy no later than 17 Oct. 2023 to reflect compliance with the Swiss-U.S. DPF but this will be effective after adoption of the pending Swiss adequacy decision (for Swiss companies) from the Swiss authorities. 

The second group of companies – New DPF Participant need to apply for joining the DPF, go through a self certification process and do the following:

– The steps for Current Privacy Shield Participants with the fact that for these companies the deadline for aligning the privacy policy is linked to the day of submission of the application to be part of the framework.

The U.S. Entity Not Self-Certified to the DPF if they want to receive personal data from EU/EEA/UK/Swiss can use some of the substitute methods for transferring data, such as:

– Standard Contractual Clauses, while referring to the European Data Protection Board’s advice on additional measures for data transfers and provided with approval by relevant authorities.

– Binding Corporate Rules (BCRs) that multinational organisations can adopt to ensure that personal data is protected consistently across their subsidiaries and affiliates with approval by relevant data protection authorities.

– Explicit Consent: If individuals provide explicit and informed consent for their data to be transferred.

The process for re-certifying under the Data Privacy Framework (DPF) Program, which enables the transfer of personal data from the EU to the US is detailed and explained on the Data Privacy Framework (DPF) Program website. 

Irrespective of their category, participating organisations must fulfil certain common requirements like:

Informing individuals about data processing

– Include commitment to comply with DPF Principles in privacy policy.

– Include links to DPF program website and independent resource mechanisms.

– Inform individuals about rights to access data, lawful disclosure, enforcement authority, and onward data transfer liability.

Providing free and accessible dispute resolution

– Respond to individual complaints within 45 days.

– Offer independent recourse mechanism for complaint investigation and resolution.

– Facilitate resolution of complaints submitted to data protection authorities.

– Commit to binding arbitration for unresolved complaints.

Cooperating with the U.S. Department of Commerce

– Respond promptly to ITA inquiries about the DPF program.

Maintaining data integrity and purpose limitation

– Process only relevant personal information.
– Comply with data retention provisions.

Ensuring accountability for data transferred to third parties

To third-party controllers:
– Comply with Notice and Choice Principles.
– Enter a contract ensuring limited and specified processing.

To third-party agents:
– Transfer data for limited purposes.
– Ensure agents provide the same privacy protection.
– Ensure agents process data consistently with DPF Principles.
– Take action if the agent can’t meet protection obligations.
– Provide contract summary to U.S. Department of Commerce upon request.

Transparency related to enforcement actions

– Publicise relevant DPF-related compliance reports if subject to FTC or court order.

Ensuring commitments are kept as long as data is held

– Affirm commitment to DPF Principles if leaving the program and keeping data.
– Provide “adequate” protection for data if leaving the program by other means.

These are the basic requirements that outline the responsibilities of organisations participating in the DPF program in order to ensure compliance with data privacy principles and standards.

Regardless of category, participating organisations must adhere to common requirements that delineate the obligations for organisations within the DPF program to uphold data privacy standards and principles while facilitating seamless transatlantic data transfers.

How can we help you?

By offering services such as acting as an EU & UK representative, compliance consultancy, and access to a Compliance Hub, GDPRLocal can help you navigate the complex landscape of data transfer regulations, ensuring you’re meeting the obligations and protecting sensitive data in accordance with GDPR and other global regulations.

Find the right GDPR rep for you now, get data protection advice or, for questions about your next steps, give us a call on +1 303 317 5998.