By adhering to the core principles of: notice, choice, onward transfer, access, security, data integrity and enforcement, your company is indicating that you place great value on data privacy protection and will make every effort to respect Europeans’ and/or Swiss’ requests regarding use of their personal information.
By adhering to the following principles, developed jointly by the Department of Commerce and the European Commission, and by the Department of Commerce and the Federal Data Protection and Information Commission of Switzerland, you will stand out in the marketplace as one of the trusted organizations that promises to meet the requirements of the safe harbor framework.
These safe harbor principles pertain to the personal information that your company transfers from the EU and/or Switzerland to the US. Personal information is defined as information that directly identifies an individual – name, address, telephone number and similar identifying information.
SAFE HARBOR PRINCIPLES
1. NOTICE
You must clearly inform customers in a timely manner about what information you are collecting, why you are collecting it, to whom you are forwarding it, how its use can be limited and how the customer can contact you for additional information. Your notice must:
- Be easy to find, easy to read and easy to understand;
- Be provided to your customers at the time you collect the personal information or as soon thereafter as practicable – in any case, before you use the personal information for a purpose other than that for which it was originally collected or before you disclose it to a third party;
- Specify the types of information being collected;
- Specify the purposes and uses of information collection;
- Specify the types of third parties to which you are disclosing the information you collect;
- Provide the choices and means available to the customer to limit the use and disclosure of information; and
- Provide your company contact information for customer inquiries.
2. CHOICE
You must honor customers' requests to opt out of certain information uses and exchanges, and obtain opt-in consent if sensitive information is being used. You must provide customers with the ability to opt out of certain information uses and exchanges. Where the information is sensitive, you must obtain opt-in consent. These choices should be clear and conspicuous, readily available and affordable.
Your company must offer customers the ability to opt out of your disclosing their information to a third party or using their information for a purpose incompatible with that for which it was originally collected.
In addition, the DMA Safe Harbor Program requires that your company accept and maintain consumer requests to be placed on your in-house suppression file to stop receiving solicitations from your company. The DMA also recommends that your company utilize European Preference Service Systems to update your list. If you need assistance in locating the appropriate European system, please feel free to contact DMA staff.
It is important to note that for “sensitive” information, consumers must be given the explicit ability to opt in before you disclose that information to a third party or use that information for a purpose different from that for which it was originally collected. You may not use or transfer this information unless the individuals have given affirmative or explicit “opt-in” consent.
Sensitive information includes personal information regarding a medical or health condition, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual lifestyle. There are limited exceptions to the opt-in requirement. For further clarification, please refer to the Department of Commerce’s FAQ #1 at export.gov/safeharbor.
3. ONWARD TRANSFER
You must ensure that any agents or subcontractors to whom information is disclosed agree to abide by the safe harbor principles. You should only transfer data to third parties consistent with the notice and choices you have given the consumers. Any agents of yours who handle or process your data, such as your service bureaus, must themselves either be subject to the EU Directive or be members of the safe harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of data.
4. ACCESS
You must provide customers the ability to access the personal information being maintained by the company and the ability to correct it where it is inaccurate (based on a sliding scale principle: the obligation to provide access to information increases where its use is more likely to significantly affect the individual). This access should be provided to the individual unless: (1) it would require a disproportionate effort on the part of the company relative to the potential risk to the individual’s privacy, (2) the rights of others would be violated, or (3) the request by the individual is clearly vexatious or repetitious. Companies can meet this requirement by providing customers with a copy of the personal information that is being maintained about them or by addressing the individual’s concerns through the company’s customer service department. You do not have to give customers access to your database.
In addition, customers must be given the ability to correct, amend or delete their personal information if it is inaccurate. A reasonable fee can be charged to the individual for accessing information.
In general, expense and burden can be considered in providing access to personal information. However, access to certain information that is used to grant or deny a significant benefit or service must always be provided regardless of the expense and burden. The following are examples of important benefits: insurance, grants, mortgages, loans, college admission, employment applications and similar benefits or services.
Companies denying access to information citing disproportionate effort or cost should be in a position to substantiate their decision.
5. SECURITY
Take reasonable care in protecting the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction. Your company should make every effort to use appropriate security measures to protect the information you collect from these risks. Such measures should ensure an appropriate level of security given the nature of the data processed.
6. DATA INTEGRITY
Ensure that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. Your company should not process data that are not relevant to the purpose for which they were collected. Your company is responsible for ensuring that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. You should not use the information in a way that is incompatible with the purpose for which it was collected, unless subsequently authorized by the consumer.
7. ENFORCEMENT
Take reasonable steps to ensure that any consumer privacy concern will be addressed by: (1) referring consumers to your customer service department or other in-house dispute resolution program; (2) subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints (the DMA is pleased to offer members this service); and (3) having appropriate monitoring, verification and remedy procedures in place. The Safe Harbor Principles require companies to:
1. Refer consumers to their customer service department or other in-house dispute resolution program;
2. Subscribe to a readily available and affordable independent third-party dispute resolution mechanism. The DMA is pleased to serve as your third-party dispute resolution mechanism to address unresolved in-house consumer data privacy complaints (for a complete description of the DMA’s process for handling complaints and serving as your independent enforcement mechanism, please refer to the DMA Safe Harbor Program Complaint Procedure fact sheet);
In addition, your company should consider offering consumer education packages in languages which reflect your European and/or Swiss customer markets.