DMA: Data and Marketing Association

What do you need to include in your Privacy Shield Notice?

This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

General notice and choice requirements:

  • Statement of adherence to Shield and its principles.
  • Link to U.S. Department of Commerce Privacy Shield participant list.
  • Link to DMA’s Privacy Shield Compliance Program, for DMA Privacy Shield participants.
  • Types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles.
  • Purpose and use of data collection.
  • Type or identity of third parties to whom you disclose/share personal information, and the purposes for which you do so.
  • Right of individuals to access their personal data.
  • Choices and means the organization offers individuals for limiting the use and disclosure of their personal data.
  • Requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and your organization’s liability in cases of onward transfers to third parties. You may also include information about the new Ombudsperson for consumers with national security concerns.
  • The possibility, under certain conditions, for the EU resident to invoke binding arbitration as a last resort to resolve complaints. Binding arbitration is not yet available under the Swiss Privacy Shield.
  • Being subject to the investigatory and enforcement powers of the FTC, DOT or other U.S. authorized statutory body.

For inquiries/enforcement:

  • Provide how an EU or Swiss resident can contact your organization with any inquiries or complaints, including any relevant establishment in the EU or Switzerland that can respond to such inquiries or complaints;
  • Provide the independent dispute resolution body designated to address complaints and provide appropriate recourse free-of-charge to the individual, and whether it is: (1) the panel established by DPAs or Swiss Federal Data Protection and Information Commission’s Authority, (2) an alternative dispute resolution provider based in the EU or Switzerland, or (3) an alternative dispute resolution provider based in the United States, such as the DMA. You must provide the link to your independent dispute resolution provider’s website on how EU or Swiss residents can file a complaint;
  • Disclose which body your organization is subject to — the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body; and
  • EU individuals who have not had their data privacy complaint resolved to their satisfaction by the company itself and the alternative dispute resolution provider may invoke binding arbitration.
Learn more about the Privacy Shield Privacy Principles