What is the EU-US Privacy Shield?
The Privacy Shield is a framework designed by the U.S. Department of Commerce and the European Commission and Swiss Administration for complying with the EU data protection requirements when data is transferred between the European Economic Area (EEA) and the United States.
Organizations are recognized as providing adequate protection of personal information under the laws of the GDPR if they follow the seven Privacy Shield principles:
- Notice - businesses and organizations must publish privacy notices that describe their privacy practices and how they collect, use, and share the data of EU residents.
- Choice - opt-in consent is mandatory before businesses and organizations can collect, use, and share personal information, and individuals must have an option to opt out of these processes.
- Accountability for onward transfer - businesses and organizations must establish contracts with third-party data processors which require them to process or transfer personal data in a manner consistent with Privacy Shield.
- Security - businesses and organizations must ensure the protection of personal data from loss, misuse, disclosure, alteration, unauthorized access, and destruction.
- Data integrity and purpose limitation - businesses and organizations must limit data processing only to the purposes for which it was collected and maintain that the personal data is accurate, complete, and current.
- Access - data subjects must have a means to request access to, correct, amend, or delete the information the business collects about them.
- Recourse, enforcement, and liability - in the case of individuals being affected by non-compliance, there must be remedies, consequences to organizations and businesses for non-compliance, and verification of compliance.
As of July 16, 2021, the Court of Justice of the European Union invalidated the Privacy Shield, meaning it no longer provides a valid legal basis for data transfers from the EU to the U.S.
Please note that despite the ruling, the US still requires you to comply with the Privacy Shield.
The CJEU ruled that Standard Contractual Clauses (SCCs) are still considered a valid means for transferring data between the EU and US. However, whether SCCs constitute a lawful basis for transferring personal data to a jurisdiction without an adequacy decision depends on whether the jurisdiction affords "a level of protection essentially equivalent to that guaranteed within the EU."
EmailMeForm Compliance Info
EmailMeForm is a GDPR compliant data collector, meaning that all data processes handled through EmailMeForm safeguard personal data and uphold the privacy rights of subjects in EU territory.
EmailMeForm abides by the following principles:
- Right to access, right to be informed, right to data portability
- Right to rectification
- Right to be forgotten, right to object, right to restrict processing
- Right to be notified
As a compliance provider, EmailMeForm ensures that our systems are up to date with all changes in GDPR regulation and operate in accordance with the EU-US Privacy Shield standards.
If you use Emailmeform to manage your business's data privacy compliance, you do not need to be concerned about the invalidation of the Privacy Shield. Customers can continue using Emailmeform to transfer data from Europe to the US and other countries in compliance with EU data protection laws, including the General Data Protection Regulation.
Emailmeform is not a certification body. EmailMeForm will collect, store, and process your data in accordance with the GDPR and the EU-US Privacy Shield standard. As such, the parameters of GDPR compliance only extend to your activity within EmailMeForm. We highly recommend that you seek legal advice to further support your GDPR compliance obligations.
If you have more questions about our GDPR Compliance, you can contact our Data Protection Officer (DPO) here.