DMA: Data and Marketing Association

Privacy Shield Privacy Principles: Recourse, Enforcement and Liability

Each participating company should take reasonable steps to ensure that any consumer privacy concern will be addressed by:

  1. referring consumers to your customer service department or other in-house dispute resolution program;
  2. subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints (DMA is pleased to offer members this service), or selecting a Data Protection Authority (DPA) in the EU or the Swiss Federal Data Protection and Information Commission’s Authority to serve as a dispute resolution provider (you must select a DPA or Commissioner for trans-Atlantic transfers involving human resource data); and
  3. disclosing to individuals the right to invoke binding arbitration if steps one and two do not resolve the consumer’s inquiry.

Your company should also have appropriate monitoring, verification and remedy procedures in place. The Shield Principles require companies to:

  1. Refer consumers to their customer service department or other in-house dispute resolution program – companies must respond to an inquiry within 45 days, and the response must include an assessment of the merits of the complaint and how the company seeks to resolve the matter;
  2. Subscribe to a readily available and free-of-charge independent third-party dispute resolution mechanism – The DMA is pleased to serve as your third-party dispute resolution mechanism to address unresolved in-house consumer data privacy complaints. DMA has never charged consumers for such services. (For a complete description of the DMA’s process for handling complaints and serving as your independent enforcement mechanism, please refer to The DMA Privacy Shield Program Complaint Process);
  3. Disclose that consumers can seek binding arbitration to resolve their data privacy concern if steps one and two listed above did not resolve the matter to the consumer’s satisfaction;
  4. Have appropriate verification procedures in place to comply with your Shield privacy policy. This policy must be verified at least annually by either an internal self-assessment review process, or by an outside third-party review/audit. (The DMA’s Privacy Shield Program does not provide for the DMA to act as the independent third-party auditor);
  5. Train staff regarding your Shield privacy policy; and
  6. In the event of a non-compliance issue with a sub-processor, the Privacy Shield organization acting as the data controller of the personal data will have to prove that it is not responsible for this event.

In addition, your company should consider offering consumer education packages in languages which reflect your European and/or Swiss customer markets.
