European Court of Justice’s Decision and Impact on the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks
NAVEX Global works with you to protect your people, reputation and bottom line. As part of that commitment, we understand that recent decisions by the European Union Court of Justice have raised questions for our customers. Please read below for information on how we can help ensure that transfers of personal data from the European Union (EU) and Switzerland to the U.S. can occur in line with EU and Swiss data protection laws.
Q: What has happened to the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks?
A: On 6 October 2015, the European Union Court of Justice (CJEU) declared the U.S.-EU Safe Harbor program invalid, resulting in transfers of personal data from the EU to the U.S. being deemed a violation of EU data protection laws where Safe Harbor was relied upon as the basis for such transfer.
On 22 October 2015, based upon the CJEU’s ruling, the Swiss data protection regulator also called the Swiss-U.S. Safe Harbor program into question, stopping just short of full invalidation.
Q: What are the EU-U.S. and Swiss-U.S. Privacy Shield Programs?
A: The EU-U.S. and Swiss-U.S. Privacy Shield Programs were developed and agreed to by the European Commission and Information Commissioner of Switzerland in cooperation with the U.S. Department of Commerce, as replacements for the old Safe Harbor arrangements. Each of these programs enables certified participants (limited to U.S. organizations) to legitimately receive personal data from the EU and/or Switzerland.
More information about the programs may be found at the U.S. Department of Commerce’s website at: https://www.privacyshield.gov/welcome
Q: How do the EU-U.S. and Swiss-U.S. Privacy Shield Programs apply to NAVEX Global products and services?
A: Any transfer of personal data (any information that can identify an individual) from the EU and/or Switzerland to the U.S. is subject to certain data transfer restrictions. Given that all NAVEX Global products and services collect personal data, and the data is transferred—or may be transferred—to the U.S., all products and services are affected.
Q: What does this mean for my company using NAVEX Global products and services?
A: Client organizations wanting to provide our services to their employees located in the EU and Switzerland can now rely upon NAVEX Global’s certification to support their European and Swiss data protection compliance initiatives. Further, we are happy to update any existing agreement to incorporate references to Privacy Shield, through an amendment or Data Processing Agreement.
Q: What about the European Commission Model or Standard Contractual Clauses?
A: Given that the Privacy Shield Program may now be relied upon as a legitimate basis for transfer of personal data from the EU and Switzerland, the Model or Standard Contractual Clauses are not required. As noted, we are happy to update any existing agreement to incorporate our commitment to the Privacy Shield Programs through a Data Processing Agreement.
Q: How does my company obtain a copy of the Data Processing Agreement incorporating Privacy Shield commitments?
A: You should contact your sales or client care representative and they will submit a request on your behalf.
Q: What should I do if I have additional questions?
A: Please contact your sales account manager or our client support team (as noted below) and they will be happy to assist you.
US: 1-866-297-0224, option 3 for Support, then…
1 for AlertLine/IntegriLink
2 for EthicsPoint
3 for PolicyTech
4 for Online Training
5 for RiskRate
6 for GRC Suite
7 if Unsure of product
EU: +44 (0)208 939 1650
Email (by product):
GRC Suite (formerly TNW product)