If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, it must ensure the third party provides the same level of privacy protection as the organization, notifies the organization if it can no longer meet its requirements for proper data handling, and enters a contract that states it will process data according to the consent agreement. However, it does not necessarily need to ensure the transferred data is used for limited purposes, which is more about the scope of data usage rather than the privacy protection obligations.
To transfer personal data to a third party acting as an agent, organizations must (Accountability for Onward Transfer): (i) Transfer such data only for limited and specified purposes; (ii) Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) Require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) Upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
Accountability for onward transfer / vendor agreements

Privacy Shield expands regulation of and accountability for third party personal data transfers. A Privacy Shield certified organization must specify in third party contracts that transferred personal data “may only be processed for limited and specified purposes consistent with” the data subject’s consent. Third parties must agree to “provide the same level of protection as the Principles.” Where the third party is acting as an agent, such as a vendor, the organization must in addition “take reasonable and appropriate steps” to ensure the agent upholds the Principles. A Privacy Shield certified organization must even provide the DOC with relevant third party contractual provisions, which places some restrictions on contractual confidentiality.