By Dr. Rao Vepachedu, JD, PhD, LLM
The Onward Transfer Principle (see ANNEX II) requires that third-party service providers to organizations that comply with the Privacy Shield also comply with the Privacy Shield.
Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield. The purpose of the contract is to make sure that the processor: 1. acts only on instructions from the controller; 2. provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and understands whether onward transfer is allowed; and 3. taking into account the nature of the processing, assists the controller in responding to individuals exercising their rights under the Principles.
Organizations that are Privacy Shield compliant by September 30, 2016, are given a grace period of nine months to comply with requirements such as Obligatory Contracts for Onward Transfers. Organizations that are not Privacy Shield compliant by September 30, 2016, will be required to reach full compliance regarding the Onward Transfer Principle prior to certifying with Privacy Shield.
Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.
Cardinal Intellectual Property (CIP) is the first intellectual property services company to receive certification under the new US-EU Privacy Shield data transfer program.