Page 289 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
To qualify for Privacy Shield protection, U.S. companies conducting business in Europe must meet these seven requirements for the processing of personal information:

Informing Individuals About Data Processing: Companies must include a commitment to the Privacy Shield Principles in their privacy policy, making it enforceable by U.S. law. They must also inform individuals of their rights under the Privacy Shield framework.

Providing Free and Accessible Dispute Resolution: Companies participating in the Privacy Shield must provide consumers with a response to any complaints within 45 days and agree to an appeal process that includes binding arbitration.

Cooperating with the Department of Commerce: Companies covered by the agreement must respond in a timely manner to any requests for information received from the U.S. Department of Commerce related to their participation in the Privacy Shield.

Maintaining Data Integrity and Purpose Limitation: Companies participating in Privacy Shield must only collect and retain personal information that is relevant to their stated purpose for collecting information.

Ensuring Accountability for Data Transferred to Third Parties: Privacy Shield participants must follow strict requirements before transferring information to a third party. These requirements are designed to ensure that the transfer is for a limited and specific purpose and that the recipient will protect the privacy of the information adequately.

Transparency Related to Enforcement Actions: If a Privacy Shield participant receives an enforcement action or court order because they fail to comply with program requirements, they must make public any compliance or assessment reports submitted to the FTC.

Ensuring Commitments Are Kept As Long As Data Is Held: Organizations that leave the Privacy Shield agreement must continue to annually certify their compliance as long as they retain information