Clarification from the EU on the Privacy Shield complaint process

In February, the European Commission Article 29 Working Party released new Rules of Procedure to clarify the role of EU data protection authorities (DPAs) in resolving EU-US Privacy Shield-related complaints, including a template form for submitting “commercial related complaints to EU DPAs.”

The release of these guidance documents is a reminder that enforcement of the Privacy Shield is not far off, and that organizations using self-certification need to ensure that contracts involving EU data transfers are compliant.

Rules of Procedure

The rules outline the procedural steps for handing unresolved complaints from individuals. Key points include:

  • The DPA that receives the complaint will assess if the DPA panel is the competent body to handle the complaint. Otherwise, it may refer the complaint to the US Department of Commerce, US Federal Trade Commission or the Department of Transportation.
  • The DPA panel comprises a lead DPA and two co-reviewers.
  • The panel will provide binding advice within 60 days of receiving a complaint.
  • US organizations have 25 days to comply with the panel’s advice. Failure to comply within this timeframe will result in enforcement actions by US authorities and the organization being delisted from the Privacy Shield.

Complaint form
Though individuals are not required to use the form to submit a complaint to their DPA, the form is useful in that it sets out the information required to facilitate the handling of their complaint.

Recommended reading:

EU GDPR & EU-US Privacy Shield – A Pocket Guide

This concise guide is essential reading for US organizations wanting an easy to follow overview of the GDPR and the compliance obligations for handling data of EU residents, including guidance on the EU-US Privacy Shield. Buy now>>