Writing the EU Safe Harbor Policy Template document
Introduction to Safe Harbor
The European Commission's Directive on Data Protection (October, 1998) prohibits the transfer of Personal Data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed a "Safe Harbor" framework. The Safe Harbor - approved by the EU in July of 2000 - is a way for U.S. companies to avoid experiencing difficulties with their dealings with the EU or potentially facing prosecution by EU authorities under European privacy laws.
Compliance with Safe Harbor
The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the "Safe Harbor Principles") to enable U.S. companies to satisfy the "adequacy standard" requirement under EU law that protection be given to Personal Data transferred from the EU to the United States.
Consistent with its commitment to protect personal privacy, Company Name adheres to the following Safe Harbor Principles:
For purposes of this Safe Harbor Policy, the following definitions shall apply:
"Company" means Company Name, its predecessors, successors, subsidiaries, divisions, and groups. "Agent" means any third party that collects or processes or otherwise uses Personal Data or Personal Sensitive Data solely on behalf or under the instruction of Company Name. "Personal Data" means any information or set of information that identifies or can reasonably be used to identify an individual.
Personal Data does not include data that is encoded, encrypted, or made anonymous in part or in whole, or publicly available information that has not been combined with non-public Personal Data. "Sensitive Personal Data" means Personal Data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns an individual's health or sex life. Information is treated as sensitive Personal Data when it is received from a user or third party that treats and identifies it as sensitive.
The following privacy principles apply to the collection, use, and disclosure of Personal Data by Company Name activities:
The Information Collected and How it is Used:
Aggregate and Statistical Data
Company Name collects certain aggregate data for general statistical information every time a web site is visited. This information is collected through the server web logs, and may consist of: dates and times of visits to our web site(s); the IP addresses of visitors to our web site(s); the operating system and browser version of the computers of visitors to our web site(s). This data is not used individually to identify users of our web site(s). This data is used to analyze system performance, usage, peak usage and usage trends.
Rejecting cookies sent by Company Name may limit access to Company Name's web sites, or the web site may no longer function as intended or be accessible to the user.
Personal Data Submitted by Users
All personally identifiable information received by Company Name is voluntarily submitted by users or submitted on the users' behalf by our client company. This information is only used by the specific client web site for the intended purposes of that web site. Web sites are designed to fulfill specific business needs, and all Personal Data that is voluntarily collected by Company Name is used to provide services or to improve the service that the Company Name web site(s) provide.
Company Name Safe Harbor Privacy Principles
The privacy principles in this Policy are based on the Safe Harbor Principles:
Where Company Name collects Personal Data directly from individuals in the EU, it will inform them about the type of Personal Data collected, the purposes for which it collects and uses the Personal Data, and the types of non-agent third parties to which Company Name discloses or may disclose that information, and the choices and means, if any, Company Name offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Company Name, or as soon as practicable thereafter, and in any event before Company Name uses or discloses the information for a purpose other than that for which it was originally collected. Where Company Name receives Personal Data from its subsidiaries, affiliates, or other entities in the EU, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such Personal Data relates.
Company Name will offer individuals the opportunity to choose ("opt out") whether their Personal Data is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive Personal Data, Company Name will give individuals the opportunity to affirmatively and explicitly consent ("opt in") to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Company Name will provide individuals with reasonable mechanisms to exercise their choices.
Integrity of Data:
Company Name will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Company Name will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current.
Transfers to Agents:
On occasion, Company Name will provide information stored on our web sites to agents, for the purpose of integrating with that agent's product or service offerings. This integration is performed at the request of our client company to further their business needs and to provide services, or is used to improve the service that Company Name's web site(s) provide. Data that is shared may include name, email address, employee ID, and a unique system identifier.
Contractual agreements are made between the agent to whom the data is being transferred and our client for whom the data is being stored. Company Name's agents are assumed to hold similar privacy standards as Company Name. When Company Name becomes aware that an agent is using or disclosing Personal Data or Personal Sensitive Data in a manner that is improper or that is contrary to this Safe Harbor Policy, Company Name will take all reasonable measures to stop or prevent the use or disclosure of such data.
Access and Correction:
Information that is stored about the users of our web site(s) is accessible and editable directly from within our web site(s). Company Name permits users to edit, correct, or delete any information that they feel is inaccurate or incomplete. Should an individual not be able to access or correct this information, the individual should contact the Safe Harbor Office listed at the bottom of this Safe Harbor Policy to obtain information about how to access and edit their Personal Data or Personal Sensitive Data within the site. In the event that the individual still cannot access or correct their Personal Data, they may contact Company Name through one of the communication methods described below.
Security of Information:
Company Name is committed to your privacy and to ensuring the security and safety of your information. Company Name will take all reasonable precautions to protect all "Personal" and "Sensitive Personal" data in its possession from unauthorized access, loss, or misuse. This includes, but is not limited to, the use of 128-bit encryption technology, regularly scheduled backups of data, secured storage of all Sensitive Personal information and access limitations and restrictions to the servers and computers that contain such data.
Enforcement of Policy:
Company Name will conduct periodic audits of its relevant privacy practices to verify its compliance and adherence to this Safe Harbor Policy. Any employee or agent that Company Name determines is in violation of this policy will be subject to disciplinary action including, but not limited to: fines, sanctions, criminal prosecution, revocation of contract and/or termination of employment.
Resolution of Disputes:
Any questions or concerns regarding the use or disclosure of Personal Data should be directed to Company Name's Safe Harbor Officer at the address given below. Company Name will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy. For complaints that cannot be resolved between Company Name and the complainant, Company Name has agreed to participate in the dispute resolution procedures of the panel established by the European Data Protection Authorities to resolve disputes pursuant to the Safe Harbor Principles.
Limitations on Application:
Adherence by Company Name to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule, or regulation. Web sites created by Company Name may contain links to other Web sites. Please be aware that Company Name is not responsible for the privacy practices of these web sites.
Company Name does not endorse them or make any representations about them or any information, services, products, or materials found on them. Users are strongly encouraged to read the privacy policies of any third-party sites accessed through links.
Questions, comments or concerns regarding the Safe Harbor Policy may be directed to Email Address or to the following Safe Harbor Officer or Company representative by mail:
Company Name, Address Address, City, State Postal Code.
Changes to this Safe Harbor Agreement
The practices described in this Safe Harbor Policy are current as of Current Date. Company Name reserves the right to modify or amend this Policy at any time consistent with the requirements of the Safe Harbor Principles. Appropriate public notice will be given concerning such amendments.
This Policy may be changed periodically in accordance with the requirements of the Safe Harbor Principles. Changes to the Safe Harbor policy will be posted on our web site or users of our web site may be notified via email.