For DMA Members Only
Please note that the DMA Safe Harbor Program is only available to DMA members. Please check to make sure that your company is a DMA member before applying for membership in the DMA Safe Harbor Program. If you would like to join DMA or have questions regarding membership then please contact us.
In order to avoid potential disruptions in trade between the United States and the EU, the US Department of Commerce in consultation with the European Commission and the industry developed the safe harbor framework. This framework allows US companies a means of assuring European consumers that they will provide an adequate level of privacy protection, thereby satisfying the “adequacy” requirement of the European Directive on Data Protection.
US companies that wish to continue to receive personal information from the EU and who choose not to enter the Safe Harbor must find some other means to assure European authorities that such protection will be available through contractual terms, or the transfer of information must fall within one or more of the following exceptions:
1. The data subject has given his/her consent unambiguously to the proposed transfer,
2. The transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of precontractual measures taken in response to the data subject’s request,
3. The transfer is necessary for the conclusion or for the performance of a contract concluded in the interest of the data subject between the controller and a third party,
4. The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims,
5. The transfer is necessary in order to protect the vital interests of the data subject, or
6. The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
The US Department of Commerce has entered into a Safe Harbor framework with Switzerland. If your organization transfers data from Switzerland to the US and you would like it to be covered under the Safe Harbor framework then you would need to review the US-Swiss Safe Harbor principles and FAQs posted on the US Department of Commerce’s website at www.export.gov/safeharbor. It is important to note that the US-Swiss safe harbor principles are based on the US-EU safe harbor principles.
What are the key elements of the US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework?
Participation by companies in either the US-EU or the US-Swiss safe harbor framework is completely voluntary. However, if your company decides to take advantage of the safe harbor framework, then you must:
- Comply with the seven safe harbor principles (notice, choice, onward transfer, access, security, data integrity and enforcement);
- Review the 15 frequently asked questions prepared by the U.S. Department of Commerce;
- Certify to the US Department of Commerce that you have implemented and comply with the safe harbor principles;
- Have in-house and third-party dispute and enforcement mechanisms in place to ensure your compliance; and
- Continue to adhere to the safe harbor principles for data collected while participating in the framework, even if your company decides to leave the framework at a later date. This information must always be protected by the safe harbor principles even if your company decides to no longer participate in the program.
It is important to note that the DMA Safe Harbor Program does not cover issues relating to the transfer of human resources data. However, the transfer of such data does fall under the safe harbor framework. For further clarification, please refer to the Department of Commerce’s FAQ #9 export.gov/safeharbor.
By adhering to the core principles of: notice, choice, onward transfer, access, security, data integrity and enforcement, your company is indicating that you place great value on data privacy protection and will make every effort to respect Europeans’ and/or Swiss’ requests regarding use of their personal information.
By adhering to the following principles as developed by the Department of Commerce and European Commission and the Department of Commerce and the Federal Data Protection and Information Commission of Switzerland, you will stand out in the marketplace as one of the trusted organizations that promises to meet the requirements of the safe harbor framework.
These safe harbor principles pertain to the personal information that your company transfers from the EU and/or Switzerland to the US. Personal information is defined as information that directly identifies an individual – name, address, telephone number and similar identifying information.
SAFE HARBOR PRINCIPLES
You must clearly inform customers in a timely manner about what information you are collecting, why you are collecting it, who you are forwarding it to, how its use can be limited and how the customer can contact you for additional information;
- Be easy to find, easy to read and easy to understand;
- Be provided to your customers at the time you collect the personal information or as soon thereafter as practicable – in any case, before you use the personal information for a purpose other than that for which it was originally collected or before you disclose it to a third party;
- Specify the types of information being collected;
- Specify the purposes and uses of information collection;
- Specify the types of third parties to which you are disclosing the information you collect;
- Provide the choices and means available to the customer to limit the use and disclosure of information; and
- Provide your company contact information for customer inquiries.
You must honor customers requests to opt-out of certain information uses and exchanges and opt-in if sensitive information is being used. You must provide customers with the ability to opt-out of certain information uses and exchanges. Where the information is sensitive, you must obtain opt-in consent. These choices should be clear and conspicuous, readily available and affordable.
Your company must offer customers the ability to opt-out of your disclosing their information to a third-party or using their information for a purpose incompatible with that for which it was originally collected.
In addition, the DMA Safe Harbor Program requires that your company accept and maintain consumer requests to be placed on your in-house suppression file to stop receiving solicitations from your company. The DMA also recommends that your company utilize European Preference Service Systems to update your list. If you need assistance in locating the appropriate European system, please feel free to contact DMA staff.
It is important to note that for “sensitive” information, consumers must be given the explicit ability to opt-in before you disclose that information to a third-party or use that information for a purpose different from that for which it was originally collected. You may not use or transfer this information unless the individuals have given affirmative or explicit “opt-in” choice.
Sensitive information includes personal information regarding a medical or health condition, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual lifestyle. There are limited exceptions to the opt-in requirement. For further clarification, please refer to the Department of Commerce’s FAQ #1 at export.gov/safeharbor.
3. ONWARD TRANSFER
You must ensure that if information is disclosed to agents or subcontractors that they will agree to abide by the safe harbor principles. You should only transfer data to third parties consistent with the notice and choices you have given the consumers. Any agents of yours who handle or process your data, such as your service bureaus, must themselves either be subject to the EU Directive or be members of the safe harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of data.
You must provide customers the ability to access the personal information being maintained by the company and the ability to correct it where it is inaccurate (based on a sliding scale principle – the obligation to provide access to information increases where its use is more likely to significantly affect the individual). You must provide customers the ability to access the personal information being maintained by the company. This access should be provided to the individual unless there would be: (1) a disproportionate effort on the part of the company relative to the potential risk to the individual’s privacy, (2) the rights of others would be violated, or (3) the request by the individual is clearly vexatious or repetitious. Companies can meet this requirement by providing customers with a copy of the personal information that is being maintained about them or by addressing the individual’s concerns through the company’s customer service department. You do not have to give customers access to your database.
In addition, customers must be given the ability to correct, amend or delete their personal information if it is inaccurate. A reasonable fee can be charged to the individual for accessing information.
In general, expense and burden can be considered in providing access to personal information. However, access to certain information that is used to grant or deny a significant benefit or service must always be provided regardless of the expense and burden. The following are examples of important benefits: insurance, grants, mortgages, loans, college admission, employment applications and similar benefits or services.
Companies denying access to information citing disproportionate effort or cost should be in a position to substantiate their decision.
Take reasonable care in protecting the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction. Your company should make every effort to use appropriate security measures to protect the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction. Such measures should ensure an appropriate level of security given the nature of the data processed.
6. DATA INTEGRITY
Ensure that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. Your company should not process data that are not relevant to the purpose for which they were collected. Your company is responsible for ensuring that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. You should not use the information in a way that is incompatible with the purpose for which it was collected, unless subsequently authorized by the consumer.
Take reasonable steps to ensure that any consumer privacy concern will be addressed by: (1) referring consumers to your customer service department or other in-house dispute resolution program; (2) subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints. (The DMA is pleased to offer members this service.); and (3) having appropriate monitoring, verification and remedy procedures in place.The Safe Harbor Principles require companies to:
1. Refer consumers to their customer service department or other in-house dispute resolution program;
2. Subscribe to a readily available and affordable independent third-party dispute resolution mechanism – The DMA is pleased to serve as your third-party dispute resolution mechanism to address unresolved in-house consumer data privacy complaints. (For a complete description regarding the DMA’s process for handling complaints and serving as your independent enforcement mechanism, please refer to The DMA Safe Harbor Program Complaint Procedure fact sheet on our web site at: www.dmaresponsibility.org/SafeHarbor.);
In addition, your company should consider offering consumer education packages in languages which reflect your European and/or Swiss customer markets.
- Are you a United States organization that receives or processes personally identifiable information directly from Europe and/or Switzerland?
- Are you a United States organization that gets these data indirectly from Europe and/or Switzerland?
- Are you a subsidiary or affiliated company that processes this information here in the United States? (The safe harbor framework covers personal information that is collected on-line or off-line and filed manually or electronically.)
- Do your company’s business practices fall under the jurisdiction of the Federal Trade Commission?
- Do your company’s business practices fall under the jurisdiction of the US Department of Transportation (e.g., air carriers, travel agents, airlines)?
If your company meets any one condition from each of these categories, then you should consider joining the safe harbor.
- Serve as your third-party dispute and enforcement mechanism. European and/or Swiss consumers, companies and governments can be assured that your company will adhere to the third-party dispute and enforcement requirements of the safe harbor framework. This will solidify Europeans’ and/or Swiss’ trust and confidence in your organization. (For a complete description regarding the DMA’s process for handling complaints and serving as your independent enforcement mechanism, please refer to the DMA Safe Harbor Program ComplaintProcedure fact sheet on our web site at: www.dmaresponsibility.org/SafeHarbor.)
- Provide technical assistance and educational materials to assist you throughout the process for meeting the safe harbor requirements. The DMA stands ready to assist your company in:
- meeting the US Department of Commerce’s registration requirements for safe harbor
- serving as your independent third-party dispute resolution mechanism, and
- addressing any other questions or concerns your company has regarding the safe harbor process.
- Provide a DMA Safe Harbor Program mark. This mark will provide consumers with an easily recognizable symbol that signifies and distinguishes your organization as being in compliance with the safe harbor enforcement principle.
THE DMA SAFE HARBOR PROGRAM THIRD PARTY DISPUTE RESOLUTION MECHANISM
The major component of DMA’s Safe Harbor Program is to provide businesses seeking to certify under the US-EU and/or US-Swiss Safe Harbor Framework with an independent third party dispute mechanism that complies with the Safe Harbor enforcement requirements.
The Safe Harbor requires that the dispute resolution mechanism be readily available to consumers, affordable, and be able to ensure compliance with the Safe Harbor privacy protections. The DMA’s Safe Harbor Program adheres to the belief that an independent dispute resolution mechanism should:
- provide a fair and unbiased redress of the consumer’s concerns;
- be visible so that consumers with concerns know where to turn for resolution of their problem;
- be accessible so that there are no barriers to the filing of a complaint, whether they be financial or otherwise;
- provide resolution in a timely manner;
- provide finality for the consumer by reaching an independent determination of the dispute in a fair and timely manner; and
- provide enforceability of the final conclusions in the determination of the consumer’s dispute.
To provide a mechanism that is fair, the DMA has created a Safe Harbor Program Committee that is comprised of respected experts from the direct marketing industry, and recognized consumer representatives. The Committee will have the power to hear both sides of a dispute, and provide a final determination. When businesses join the DMA’s Safe Harbor Program, they will be required to sign a Contract whereby they agree to abide by the decisions of the Committee. They will also be notified in the contract that the Committee will have the authority to issue certain sanctions as a result of their decision. The sanctions available to the Committee include, but are not limited to:
- Correction of actions found not to be in compliance with the Safe Harbor Principles, the EU Directives, or the Safe Harbor FAQ’s.
- Correction or deletion of inaccurate personal information.
- Reimbursement of actual, direct monetary damages incurred by the consumer.
- Removal from the DMA Safe Harbor Program and revocation of the company’s ability to display the DMA Safe Harbor Mark.
- Public notification of the decision and action taken by the Committee.
- Notification to the Department of Commerce of the Committee’s decision and a request for removal from the Safe Harbor Certification List due to failure to comply with the Safe Harbor Principles.
- Referral of the matter to the Federal Trade Commission or other appropriate governmental agency for enforcement action.
The lynchpin to any dispute resolution mechanism is that it be impartial. One way to assure impartiality is to assure openness of the results of the program by publishing the outcomes of the cases on a regular basis, and for DMA staff to be constantly vigilant that the results are fair and legal.
To assure accessibility, there will be no cost to the consumer, and businesses will be required to notify consumers of the availability of DMA’s Safe Harbor Program in an open and conspicuous manner and prominently display the DMA Safe Harbor Program Mark. The program will provide consumers an easy method to bring their disputes before the Committee. It is the goal of the Program to obtain a determination of all cases in a quick and timely manner, but in no case longer than 60 days.
THE DMA SAFE HARBOR PROGRAM COMPLAINT PROCEDURES
1. When a complaint is received, staff will verify that the complaint involves matters over which the DMA Safe Harbor Program Committee has jurisdiction.
2. Staff will verify that the business’ in-house complaint handling system has had a reasonable opportunity to address the consumer’s complaint.
3. Staff will write a letter to the business requesting that the complaint be reviewed and that a response be provided within 10 days.
4. After checking with the consumer, if the complaint has been resolved, the matter will be closed out. If the matter is still in dispute, the complaint (all written materials from both the consumer and the business) will be presented to the Committee for a determination (Initial Decision) on the matter. The meeting will take place by telephone conference call, unless the Committee decides that another meeting form is more appropriate.
5. A conference call will be set up for the Committee to review the case and make an Initial Decision. The Committee can either find no violation of the Safe Harbor Principles and close out the case, or find that a violation(s) of the Principles have occurred, and set a remedy that the Committee determines is appropriate.
6. The business and the consumer will be notified by letter of the Initial Decision of the Committee. Within ten (10) days of their notification, either the consumer or the business can request a Further Consideration Hearing before the Committee. The request must state the reason(s) why the Further Consideration Hearing is being requested. If no request by either party has been made within 10 days, then the Initial Decision automatically becomes the Final Decision. The case will be followed-up by staff to verify adherence to the remedies stated in the Committee’s decision.
7. If the matter is appealed within 10 days by either party, a Further Consideration Hearing will be set-up for the Committee by telephone conference call at a mutually agreed upon time for all the parties. Both the consumer and the business may submit any further informational materials for the Committee’s consideration, and both may take part in the Hearing via telephone conference call. After the Hearing, a Final Decision on the case will be made by the Committee. The consumer and the business will be notified by letter of the Committee’s Final Decision. Staff will provide any necessary follow-up to verify adherence to the Committee’s Final Decision.
8. The cost of the conference call will be the responsibility of the DMA. The DMA will provide a telephone language translation service at no cost to the consumer, if requested.
This panel of experts provides advice and direction in the development of The DMA Safe Harbor Program.
International Privacy Attorney
FEVAD (Federation des Entreprises de Vente a Distance)
This committee is responsible for reviewing data privacy complaints between European and/or Swiss consumers and participants in the DMA Safe Harbor Program. The committee represents a wide variety of consumer and business expertise.
Jennifer Barrett Glasgow
Global Privacy and Public Policy Executive
Vice President Privacy/ISP Relations, CIPP
Jane M. King
VP, Epsilon Targeting