By Eileen Rico
EU Safe Harbor Requirements
Becoming self-certified by the Department of Commerce (DOC) brings together resources from across the US Government to assist American businesses in planning their international sales strategies and succeeding in today’s global marketplace. In order for a company to become a TRUSTe EU Safe Harbor sealholder, the organization must abide by the following guidelines. Doing so will ensure compliance with TRUSTe and Data Protection Laws.
- Privacy Practices. Client must provide a statement of privacy practices that is compliant with the EU Safe Harbor Privacy Principles.
- The statement will include: a description of the purposes and uses of data collected; a description of Client’s user complaint mechanism; the types of third parties with which Client shares user information; and the choices and means Client offers individuals for limiting use and disclosure of personal information.
- A statement of Client’s internal procedures for implementing its privacy practices; and
- A copy of the verification statement required under FAQ 7 of the Safe Harbor Privacy Framework set forth by the Department of Commerce (http://www.export.gov/safeharbor/). Client must provide TRUSTe with a copy of the certification letter it provides to join the European Commission Directive on Data Protection Safe Harbor within five (5) business days of submitting the certification letter to the Department of Commerce. Client must certify with the U.S. Department of Commerce within twenty (20) business days of receiving approval to use the Notice paragraph below:
“We participate in the EU Safe Harbor Privacy Framework as set forth by the United States Department of Commerce. As part of our participation in the safe harbor, we have agreed to TRUSTe dispute resolution for disputes relating to our compliance with the Safe Harbor Privacy Framework. If you have any complaints regarding our compliance with the Safe Harbor you should first contact us.”
- Complaints. Client shall provide individuals with reasonable, appropriate, simple and effective means to submit complaints and express concerns regarding Client’s privacy practices. Client shall respond to all reasonable submissions in a timely fashion, not to exceed ten (10) business days. Client shall also reasonably cooperate with TRUSTe’s efforts to resolve complaints, questions and concerns.
- Complaints filed through TRUSTe. Client shall reasonably cooperate with TRUSTe to resolve disputes regarding complaints received pertaining to the EU Safe Harbor (“Eligible Disputes”), excluding Ineligible Complaints, Frivolous Complaints, and Harassing Complaints. Client agrees to the following procedures for handling these complaints:
- TRUSTe will accept complaints via its web site, postal mail, or fax. TRUSTe will notify Client of all complaints, via email or fax. Client should, whenever possible, correspond with TRUSTe via email. TRUSTe and Client, when appropriate, will respond to the individual filing the complaint in the method the individual has indicated is preferred.
- TRUSTe will determine whether a complaint raises an Eligible Dispute. An Ineligible Complaint is one that seeks only some form of monetary damages, alleges fraud or other violations of statutory or regulatory law that has been resolved under a previous court action, arbitration, or other form of dispute settlement, or does not deal with a privacy issue. A Frivolous Complaint is one that has no factual basis. A Harassing Complaint includes successive complaints based on allegations previously rejected by TRUSTe or the filing of multiple complaints with TRUSTe employees other than those designated by TRUSTe to receive complaints.
- Client shall acknowledge the receipt of all TRUSTe inquiries that request acknowledgment within five (5) business days after receipt and provide a reasonable estimate of when the inquiry shall be addressed.
- Client shall respond within a maximum of ten (10) business days to all reasonable TRUSTe inquiries about Client’s implementation of the EU Safe Harbor requirements or Client’s compliance with its stated privacy policy. Client may request from TRUSTe an additional twenty (20) business days to respond if circumstances warrant, and consent to such additional time shall not be unreasonably withheld.
- Client shall review and update the contact information for Client’s representative assigned to provide TRUSTe with the contact information for individuals that have access to or control of information collected or transferred under the EU Safe Harbor. Such contact information shall not be disclosed by TRUSTe to third parties and shall only be used by TRUSTe, or an independent party designated by TRUSTe, solely for the purpose of resolving disputes pursuant to Client’s participation in the Program.
- Reviews. If concerns regarding the proper implementation of the EU Safe Harbor arise, TRUSTe may itself, or through an independent, qualified, neutral third party designated by TRUSTe, review Client’s privacy policy and practices to resolve disputes regarding compliance with the EU Safe Harbor throughout the term of the Agreement. In selecting an independent, qualified, neutral third party, TRUSTe shall consider, among other things, cost, experience, and the context of the issue leading to the review. Such reviews may consist of reviews conducted at TRUSTe’s offices, tracking unique identifiers in the database (seeding), and monitoring changes in Client’s privacy policy. On-site privacy reviews may also be used as TRUSTe deems necessary. To comply with this, Client agrees to:
- At no charge to TRUSTe or its representatives, provide full access to Client’s records relevant to Client’s participation in the Program for the purpose of conducting reviews to ensure that Client’s stated privacy policy is consistent with actual practices.
- Provide, upon TRUSTe's reasonable request, information regarding how information collected or transferred under the EU Safe Harbor is used.
- Be subject to an on-site review in response to Eligible Disputes regarding compliance with the EU Safe Harbor requirements from an individual or TRUSTe that Client has failed to implement and adhere to the policies set forth in Client’s stated privacy policy, or has failed to adhere to the EU Safe Harbor requirements. Client agrees to compensate TRUSTe as provided in the Agreement and promptly rectify any problems to TRUSTe’s reasonable satisfaction. In addition, Client agrees to reimburse TRUSTe for any reasonable costs associated with an onsite review.
- TRUSTe shall provide, at a minimum, ten (10) business days written notice to Client prior to initiation of an on-site review and shall perform its review during Client’s normal business hours and at a time agreeable to Client. It is TRUSTe’s intent that the portion of such on-site reviews requiring TRUSTe or an independent party designated by TRUSTe to be physically at Client’s facility will be completed within two business days and shall not exceed five business days as long as Client reasonably cooperates and no unusual circumstances cause additional time to be reasonably necessary. TRUSTe shall use its reasonable effort to accommodate Client’s schedule and shall perform its review in such a manner as to not unreasonably interfere with Client’s operations.
Read past tips on http://www.truste.org/sealholders/tech_tips.php.