The new mechanism for the safeguard of personal data in the transfer of data for commercial purposes between the European Union and United States entered into force on 1st August 2016.

As expected, on the same date, the European Commission published an explanatory guide for European citizens on guaranteeing their right to the protection of data under the Privacy Shield and on the possible redress when they deem that their data have been misused or the right to privacy has not been respected.

Given that in our previous article we dealt with available remedies, in this article we shall look at the issue of guaranteeing the protection of personal data of European citizens.

The Privacy Shield guarantees the following points:

  1. Right to be informed

 The companies regulated by the Privacy Shield are obliged to inform individuals regarding the following:

  • Type of data being used
  • Reason for using personal data
  • Reason for transferring personal data to other companies, where applicable
  • The right to access personal data
  • Form of contact
  • Institutions for the resolution of conflicts in the case of litigation
  • Government authorities of the U.S.
  • The possibility of disclosing personal data when required by the U.S. public authorities

 In addition, companies are obliged to publish the link to the Privacy Shield on their websites.

  2. Limitations to use

As a general rule, companies regulated by the Privacy Shield are not authorised to make use of personal data for purposes other than the original purpose. Otherwise, the limitations shall vary depending upon the extent of the relationship between the original purpose and the new purpose.

  • Using data for a purpose that is incompatible with the original purpose is never allowed.
  • If there is a difference in the purpose, but the new purpose is related to the original one, personal data may be used unless there is opposition from the individual who has provided the data.
  • If there is a difference in the purpose, but a similarity exists, the data may be used.

  3. Data minimisation and limit to the period of use

 Companies regulated by the Privacy Shield may obtain and use personal data to the extent that they are relevant for the purpose of processing, ensuring that the data are correct, reliable and current. Furthermore, the data must be kept for the time deemed necessary for the purpose of processing.

  4. Obligation to secure the data

Companies regulated by the Privacy Shield must ensure that the data are secured in a safe environment against loss, misuse, unauthorised access, disclosure, alteration or destruction.

  5. Obligation to protect data if transferred to another company

When transferring personal data to third parties, the recipient company must guarantee the same level of protection of personal data as required by the Privacy Shield. This requires a contract between the company regulated by the Privacy Shield and third parties to whom the data are transferred, establishing the conditions under which the third party may use the personal data and its responsibilities for protecting the data.

  6. Right to access and correct one’s data

 It is possible to request access to one’s personal data from the companies regulated by the Privacy Shield.

  7. Right to lodge a complaint and obtain a remedy

If the company regulated by the Privacy Shield does not obey the rules of the Privacy Shield and breaches obligations to protect personal data, the right to lodge a complaint and obtain a remedy exists, free of any cost. For more information, consult our previous articles.

  8. Redress in case of access by U.S. public authorities

It is possible that the U.S. public authorities may access personal data, but the Privacy Shield assures that this shall only occur if absolutely necessary in the public interest, for example for the sake of national security or public order.

 

 

Mika Otomo

Vilá Abogados

 

For more information, please contact:

va@vila.es

 

26th August 2016