29 Nov 2016 - 29 May 2022
Privacy Shield Framework
11. Dispute Res and Enforcement (d-e)

d.    Recourse Mechanisms
e.    Remedies and Sanctions
i.    The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease.  Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance.  Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances.6  Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards.  Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department.

5. Section I.5 of the Principles.
6. Dispute resolution bodies have discretion about the circumstances in which they use these sanctions.  The sensitivity of the data concerned is one factor to be taken into consideration in deciding whether deletion of data should be required, as is whether an organization has collected, used, or disclosed information in blatant contravention of the Privacy Shield Principles.


11. Dispute Resolution and Enforcement (a) - (c)
11. Dispute Resolution and Enforcement (d) - (e)
11. Dispute Resolution and Enforcement (f) - (g)
Privacy Shield List
U.S. Businesses
European Businesses
Individuals in Europe
Data Protection Authorities
Program Overview
Framework Text
Inactive Participants
News & Events

Home  |  Website Feedback  |  Privacy Policy  |  Disclaimer  | FOIA USA.gov     

The International Trade Administration (ITA), U.S. Department of Commerce manages this site to facilitate the Privacy Shield framework in the United States.  External links to other Internet sites should not be construed as an endorsement of the views or privacy policies contained therein. This site contains PDF documents. A PDF Reader is available from Adobe Systems Incorporated.

U.S. Department of Commerce | EU-U.S. Privacy Shield | 1401 Constitution Avenue, N.W. | Room 20001 | Washington, D.C. 20230
Privacy Shield Logo - Link to HomepageSelf-CertifyPrivacy Shield ListAudiencesU.S. BusinessesEuropean BusinessesIndividuals in EuropeData Protection AuthoritiesAboutProgram OverviewFramework TextInactive ParticipantsNews & EventsContact
I. OVERVIEW 1. NOTICE 2. CHOICE 3. ACCOUNTABILITY FOR ONWARD TRANSFER 4. SECURITY 5. DATA INTEGRITY AND PURPOSE LIMITATION 6. ACCESS 7. RECOURSE, ENFORCEMENT AND LIABILITY 8. Access 1. Sensitive Data 2. Journalistic Exceptions 3. Secondary Liability 4. Performing Due Diligence and Conducting Audits 5. The Role of the Data Protection Authorities (a) - (b) 5. The Role of the Data Protection Authorities (c) 5. The Role of the Data Protection Authorities (d) - (e) 6. Self-Certification 7. Verification 9. Human Resources Data 10. Obligatory Contracts for Onward Transfers 11. Dispute Resolution and Enforcement (a) - (c) 11. Dispute Resolution and Enforcement (d) - (e) 11. Dispute Resolution and Enforcement (f) - (g) 12. Choice -- Timing of Opt Out 13. Travel Information 14. Pharmaceutical and Medical Products 15. Public Record and Publicly Available Information 16. Access Requests by Public Authorities ANNEX I (introduction) A. Scope B. Available Remedies C. Pre-Arbitration Requirements D. Binding Nature of Decisions E. Review and Enforcement F. The Arbitration Panel G. Arbitration Procedures H. Costs