Safe Harbor Questionnaire




This questionnaire is aimed at gathering relevant information with regard to the Safe Harbor certification of the data importer. It should be completed by personnel with knowledge of the respective objectives and according to the actual practices within the organization. The column Remark/Recommendation provides guidance and background information for the relevant control objective. For each control objective, the data importer must state in the column Actual Practice/Statement/Evidence its measures, procedures or activities for complying with the control objective. The description of the actual measures can be made in free text form or by referring to supporting documentation. In any case the data importer should provide evidence for the relevant actual practice (through policies, codes of conduct, other documented operational procedures etc.).

The questionnaire has four columns: #, Control Objective, Remark/Recommendation and Actual Practice/Statement/Evidence. Each entry below gives the control objective and its remark/recommendation; the Actual Practice/Statement/Evidence column is left blank for the data importer to complete.

1. General Aspects

1.1 Control objective: The self-certification to the Safe Harbor Framework is valid.
    Remark/Recommendation: The self-certification to the Safe Harbor Framework has neither expired nor been revoked by the regulatory body due to noncompliance with its requirements.

1.2 Control objective: The organization self-certifies annually to the Department of Commerce in writing that it agrees to adhere to the Safe Harbor's requirements.
    Remark/Recommendation: The organization must designate a Corporate Officer to ensure that the self-certification process is done in a timely manner.

1.3 Control objective: Personal data processed by the organization is covered by the Safe Harbor (http://safeharbor.export.gov/list.aspx).
    Remark/Recommendation: The Safe Harbor Framework may apply only to certain types of personal data. The organization needs to make sure that personal information received from data exporters in the EU or the EEA is covered by the Safe Harbor.

1.4 Control objective: The organization is subject to the jurisdiction either of the Federal Trade Commission (FTC) or the Department of Transportation (DoT).
    Remark/Recommendation: The FTC and the DoT can take enforcement actions against organizations that fail to comply with Safe Harbor. Companies that do not fall under the jurisdiction of either the FTC or the DoT would not face a regulatory body with regard to Safe Harbor.

1.5 Control objective: A Corporate Officer is certifying the organization's adherence to the Safe Harbor.
    Remark/Recommendation: There must be at least one person in charge of ensuring adherence to Safe Harbor.

1.6 Control objective: A designated Organization Contact is handling complaints, access requests, and any other issue under the Safe Harbor.
    Remark/Recommendation: Organizations must designate a contact point for handling access requests etc. The contact point can either be the Corporate Officer certifying the company's adherence to Safe Harbor, or other officials within the organization, such as a Chief Privacy Officer.

1.7 Control objective: The organization makes use of verification methods (in-house, third-party etc.) verifying the attestations and assertions made about the Safe Harbor privacy practices and their implementation.
    Remark/Recommendation: Safe Harbor asks for follow-up procedures for verifying the attestations and assertions made about its principles. This can be done by self-assessments or outside compliance reviews (see No. 7, Verification, of the Frequently Asked Questions by the Department of Commerce [1], hereinafter referred to as FAQ).

2. Privacy Policy

2.1 Control objective: The organization's privacy policy for personal information has been elaborated and is binding on all business processes.
    Remark/Recommendation: The privacy policy statement should reflect the actual and anticipated information handling practices. In addition it has to be clear, concise and easy to understand. A sample privacy policy can be found in the International Trade Administration's (ITA) Guide to Self-Certification (http://trade.gov/publications/pdfs/safeharborselfcert2009.pdf).

2.2 Control objective: The organization's privacy policy for personal information is compliant with the Safe Harbor Principles.
    Remark/Recommendation: In order for a privacy policy to be compliant with Safe Harbor, the privacy statement must conform to the seven Privacy Principles and any other relevant points that are covered in the FAQs.

2.3 Control objective: The Policy makes specific reference to the Safe Harbor.
    Remark/Recommendation: FAQ No. 6 (Self-Certification) requires all organizations to state in the relevant published privacy policy their adherence to the Safe Harbor.

2.4 Control objective: The Privacy Policy Statement is available to the public.
    Remark/Recommendation: The Privacy Policy Statement has to be made available to the public. A publicly available location is, for example, the organization's website. See FAQ No. 6 (Self-Certification) of Safe Harbor.

2.6 Control objective: List any privacy programs in which your organization is a member for Safe Harbor purposes.
    Remark/Recommendation: Organizations may qualify for the Safe Harbor in different ways. Organizations can, for example, either join a self-regulatory privacy program that adheres to the Safe Harbor's requirements (e.g. the etrust Safe Harbor program) or develop their own self-regulatory privacy policy that conforms to the Safe Harbor. Please state in the Actual Practice/Statement/Evidence field whether your organization developed its own privacy program or joined an existing one.

3. Contracts

3   Control objective: The organization has entered into a written agreement with the data exporter stipulating the obligations for carrying out processing operations.
    Remark/Recommendation: Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, see Safe Harbor FAQ No. 10 (Article 17 Contracts).

4. Safe Harbor Principles [2]

4.1 Notice
    a. Control objective: Organizations must notify individuals about the purposes for which they collect and use information about them.
       Remark/Recommendation: See ITA's Guide to Self-Certification, p. 12.

4.2 Choice
    a. Control objective: Organizations must give data subjects the opportunity to choose (opt out) whether their personal data will be disclosed to a third party or used for a purpose incompatible with the initial purpose.
       Remark/Recommendation: See ITA's Guide to Self-Certification, p. 12 ff., and FAQ No. 12 (Choice and Timing of Opt-Out).
    b. Control objective: Where sensitive information is disclosed to a third party or used for a purpose other than its original purpose, individuals must be given an affirmative or explicit choice (opt in).
       Remark/Recommendation: See ITA's Self-Certification guide, p. 16, and FAQ No. 1 (Sensitive Data).

4.3 Onward Transfer
    a. Control objective: In case information is disclosed to a third party, the notice and choice principles are applied.
       Remark/Recommendation: Please refer to the ITA Self-Certification guide, p. 13.
    b. Control objective: If the organization discloses information to an agent or processor, it has to make sure that the third party subscribes to the Safe Harbor Principles or is subject to Directive 95/46/EC or any other adequacy finding.
       Remark/Recommendation: Please refer to the ITA Self-Certification guide, p. 5 and 13.

4.4 Access
    a. Control objective: The organization makes sure that individuals can access their personal data and are able to correct, amend or delete that information where it is inaccurate.
       Remark/Recommendation: The right of access allows individuals to verify the accuracy of information held about them. For additional guidance please refer to the ITA Self-Certification guide, p. 13, and FAQ No. 8 (Access).

4.5 Security
    a. Control objective: The organization takes reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
       Remark/Recommendation: The organization has implemented processes and procedures to protect personal information, such as company policies, physical safeguards or other IT-security measures.

4.6 Data Integrity
    Control objective: Reasonable steps are taken to ensure that data is reliable for its intended use, accurate, complete and current.
    Remark/Recommendation: Please refer to the ITA Self-Certification guide, p. 5 and 13.

4.7 Enforcement
    Control objective: Independent recourse mechanisms are available to investigate unresolved complaints (dispute resolution). As a result of dispute resolution, the effects of noncompliance should be reversed or corrected by the organization. Furthermore, future processing will be in conformity with the Safe Harbor Principles.
    Remark/Recommendation: Please refer to the ITA Self-Certification guide, p. 8, Appendix C (List of Dispute Resolution Providers) and FAQ No. 11 (Dispute Resolution and Enforcement).

[1] http://export.gov/safeharbor/eu/eg_main_018493.asp

[2] Safe Harbor FAQ 10 raises the question whether an organization that adheres to the Safe Harbor needs to comply with all of its Principles when acting merely as data processor for a European data controller. According to European data protection law the controller remains responsible for the data vis-à-vis the data subject, which could lead to the assumption that the controller should provide for adequate measures with regard to the Principles. On the other hand, US law, which knows no such distinction as data controller or data processor, also applies to questions of interpretation and compliance with the Safe Harbor Principles. Where a US data processor may have no direct contact with European data subjects, the questionnaire should at least indicate how the data processor is cooperating with the original data controller to comply with the Principles.