VeraSafe Privacy Shield and Safe Harbor Dispute Resolution Procedure
Last Updated: October 24, 2016

1. Introduction.

1.1. The VeraSafe Privacy Shield and Safe Harbor Dispute Resolution Procedure (the “Procedure”) is provided and administered by Advanced Partnerships LLC (“VeraSafe”) for the resolution of complaints alleging that a Participant in the VeraSafe Privacy Program or VeraSafe Privacy Shield/Safe Harbor Dispute Resolution Program (the “Program(s)”), who is also subject to the EU-U.S. Privacy Shield Framework, U.S-EU Safe Harbor Framework, or U.S.-Swiss Safe Harbor Framework, has failed to comply with the Framework(s). The Procedure combines facilitation, mediation, and arbitration.

1.2. VeraSafe commits to comply with the requirements for independent recourse mechanisms as set forth in Principle 7 “Recourse, Enforcement and Liability” and Supplemental Principle 11 “Dispute Resolution and Enforcement” of the Privacy Shield Framework and the Enforcement Principle and FAQ 11 “Dispute Resolution and Enforcement” of the Safe Harbor Frameworks. In case of a conflict between the Procedure and one of the Frameworks, the relevant Framework(s) shall control, and the Procedure shall be modified to the minimum extent necessary in order to permit VeraSafe to comply with its obligations as an independent recourse mechanism under the Framework(s).
1.3. By participating in the Procedure, the Parties agree to the terms and conditions of the Procedure as set forth herein.

2. Definitions.

2.1. The following definitions apply to the Procedure:

  1. “Appellate Hearing” means the process described under Section 9 of the Procedure.
  2. “Complainant” means a person who has filed, or attempted to file, a Complaint with VeraSafe under the terms of the Procedure.
  3. “Complaint” means an allegation of non-compliance with the EU-U.S. Privacy Shield Framework, U.S.-EU Safe Harbor Framework, or U.S.-Swiss Safe Harbor Framework registered with VeraSafe under the terms of the Procedure.
  4. “Credible Evidence” means facts that, when viewed in light of surrounding circumstances, are highly and substantially likely to be true.
  5. “EEA” means the European Economic Area.
  6. “Framework(s)” means the EU-U.S. Privacy Shield Framework, the U.S.-EU Safe Harbor Framework, and the U.S.-Swiss Safe Harbor Frameworks.
  7. “Participant” means a member of the VeraSafe Privacy Program or VeraSafe Privacy Shield/Safe Harbor Dispute Resolution Program.
  8. “Party/Parties” means the Complainant or the Participant, or both as applicable.
  9. “Procedure Submissions” means all documents, writings, briefs, evidence and other material, submitted to the Procedure by the Parties or by VeraSafe.
  10. “Settlement Agreement” means an agreement reached by the Parties that resolves the Complaint. The terms of such agreement must be recorded in writing to be effective.

2.2. Capitalized terms not defined herein shall be understood to have the same meaning as ascribed to such terms in the VeraSafe Privacy Program Certification Criteria.

3. Complaint Filing Procedure.

3.1. Information Required. A Complainant must provide certain information to VeraSafe in order to successfully file a Complaint with the Procedure. Therefore the Complaint must:

  1. allege a Participant’s failure to comply with the Framework(s);
  2. name a Participant that is in good standing in the Program(s) and that has listed VeraSafe as its independent dispute resolution mechanism on its EU-U.S. Privacy Shield, U.S.-EU Safe Harbor, or U.S.-Swiss Safe Harbor self-certification(s) with the U.S. Department of Commerce, as a defendant in the Complaint;
  3. include the desired outcome(s) that are being sought;
  4. include the fullest possible account of facts and events giving rise to the Complaint;
  5. if any damages or harm is alleged, include specific details of the harm and/or damages;
  6. include valid contact information for the Complainant;
  7. include consent to share the Complaint with the Participant;
  8. include all available documentation to support the Complaint; and
  9. include a declaration, under penalty of perjury under the laws of the United States of America, that all information submitted to VeraSafe in the Procedure is true and correct.

3.2. The Complainant is not required to pay any remuneration to VeraSafe in order to file a complaint with the Procedure.

3.3. Medium for all Procedure Submissions.

  1. Complaints must be initiated by submitting VeraSafe’s online complaint form located at: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/ or by submitting the required information to VeraSafe via fax.
  2. VeraSafe shall provide correspondence to the Parties electronically, either by email or fax.
  3. The Parties shall submit all information, correspondence, and other material required by, or intended for use in, the Procedure (“Procedure Submissions”) to VeraSafe electronically.
  4. Procedure Submissions shall be considered delivered to the recipient immediately upon their electronic transmission by the sender.

4. Permitted Outcomes.

4.1. The Parties agree that the possible outcomes that a Complainant may seek via the Procedure, and the maximum relief that VeraSafe shall assign in a Data Privacy Hearing (as such term is defined in Section 8) or Appellate Hearing during the Procedure are limited to the outcomes described below (the “Permitted Outcomes”). Permitted Outcomes are only those that may require:

  1. the effects of noncompliance with the Framework(s) to be reversed or corrected by the Participant;
  2. that future data processing by the Participant be in conformity with the Framework(s);
  3. that the Participant cease processing PII of the Complainant;
  4. the Participant to delete relevant PII that was processed contrary to the Framework(s);
  5. the temporary suspension and/or removal of Participant’s license to display VeraSafe Seal(s);
  6. the Participant to compensate the Complainant for actual, direct losses incurred as a result of Participant’s non-compliance with the Framework(s); or
  7. the Participant to comply with other injunctive orders.

5. Eligibility.

5.1. Eligible Complainant. For a Complainant to be eligible to file a Complaint with the Procedure, the Complainant must be:

  1. above twelve years of age at the moment the Complaint is filed with the Procedure; and
  2. the Data Subject of PII exported from the EEA or Switzerland by or to a Participant; or
  3. the parent or legal guardian of a Data Subject who is under eighteen years of age at the time that the Complaint is filed with VeraSafe and whose PII was exported from the EEA or Switzerland by or to a Participant.

5.2. For a Complaint to be eligible under the Procedure, the Complaint must include the required information described in Section 3.1 and must:

  1. not have been previously resolved or settled by court action, arbitration, or other form of dispute resolution;
  2. not seek relief or other outcomes beyond the Procedure’s Permitted Outcomes; and
  3. be filed with the Procedure for the first time, except for Complaints alleging a Participant’s failure to comply with a previous Settlement Agreement.

5.3. Prior Good Faith Attempt to Resolve Complaint. The Complainant must make a good faith effort to resolve his dispute directly with the Participant before filing the Complaint with VeraSafe. Complainants are further encouraged to read the Participant’s privacy notice(s) entirely before filing a Complaint with VeraSafe. If VeraSafe determines, in its sole discretion, no good faith effort to resolve the dispute has been made, VeraSafe shall ask the Complainant to try to resolve the Complaint directly with the Participant and shall advise the Complainant that he may re-file the Complaint with the Procedure, as outlined herein, if the attempt to resolve the Complaint with the Participant does not yield satisfactory results.

5.4. If VeraSafe, in its sole discretion, concludes that additional information is needed to sustain a Complaint, it shall promptly contact the Complainant and advise him of the need for further information. If VeraSafe does not receive the requested information within fifteen business days of its request, VeraSafe shall close the Complaint, record an outcome of “Ineligible,” and notify the Complainant of the outcome.

5.5. Ineligibility Determination. If, based on the information available to VeraSafe, the Complaint or Complainant is found to be ineligible (an “Ineligibility Determination”), VeraSafe shall close the Complaint, record an outcome of “Ineligible,” and notify the Complainant of the outcome.

  1. Complainant’s Right to Appeal the Ineligibility Determination. The Complainant has the right to appeal VeraSafe’s Ineligibility Determination within ten business days of receiving the Ineligibility Determination. If the Complainant can furnish Credible Evidence to VeraSafe that a material error was made in the Ineligibility Determination, VeraSafe shall duly re-examine the Complaint and make a final determination as to the eligibility of the Complaint and Complainant.

6. Complainant’s Noncompliance With the Procedure.

6.1. If the Complainant breaches any term(s) of the Procedure in a material way, VeraSafe has the right to close the Complaint, record an outcome of “Closed by Default,” and duly notify the Parties.

7. Consultative Mediation.

7.1. Participant’s Response To Complaint. Complaints that VeraSafe determines to be eligible shall be forwarded by VeraSafe to the Participant. The Participant must file its response to the Complaint (“Response to Complaint”) with VeraSafe within twenty business days of its receipt of the Complaint. The Participant’s Response to Complaint must either:

  1. defend the Participant’s actions as permitted under the Framework(s);
  2. dispute the validity of information presented in the Complaint and contain all available documentation to support the dispute; or
  3. admit fault and agree to remedy the alleged violation(s).

7.2. Participant’s Failure to Respond. If the Participant fails to file a timely Response to Complaint, the failure to comply with the Procedure will be duly noted in the next Annual Procedure Report (as such term is defined in Section 14 of the Procedure) and VeraSafe shall refer the matter to the appropriate government agency in accordance with Section 13 of the Procedure.

7.3. Upon VeraSafe’s receipt thereof, the Participant’s Response to Complaint will be forwarded to the Complainant.

  1. Mediation Teleconference. If the Complainant is not satisfied by the Participant’s Response to Complaint, the Complainant may file with VeraSafe, a request for a mediation session to be conducted via telephone (hereinafter, a “Mediation Teleconference”) within ten business days of receiving the Participant’s Response to Complaint. The Mediation Teleconference is an informal process for the Parties to re-examine the details of the Complaint and work towards a mutually agreeable resolution.
  2. If the Complainant is satisfied by the Participant’s Response to Complaint, the Complainant shall notify VeraSafe in writing that the Complaint is resolved.
  3. If VeraSafe receives notification from the Complainant that the Complainant is satisfied with the Participant’s Response to Complaint, or otherwise receives no request for a Mediation Teleconference from the Complainant within the timeframe specified in Section 6.3(a), VeraSafe shall close the complaint with an outcome of “Closed by Default” and duly notify the Parties.

7.4. Mediation Teleconference Procedure. VeraSafe will provide and appoint a mediator to lead the Mediation Teleconference. VeraSafe will make a reasonable effort to schedule the teleconference with due regard for the schedules of the Parties and will notify the Parties of the scheduled time and date not less than fifteen days prior to the date of the Mediation Teleconference.

  1. Possible Outcomes of the Mediation Teleconference. VeraSafe will provide and appoint a mediator to lead the Mediation Teleconference. VeraSafe will schedule the teleconference with due regard for the schedules of the Parties and will notify the Parties of the scheduled time and date no less than 15 days prior to the scheduled Mediation Teleconference. The Mediation Teleconference is an informal process to re-examine the Complaint and guide the Parties towards a mutually agreeable solution or settlement.
    1. Complainant’s Failure to Comply. If the Complainant fails to appear at the scheduled time of the Mediation Teleconference, it will be assumed that the Participant’s Response to Complaint has satisfied the Complainant and the Complaint will be closed with an outcome of “Closed by Default” and the Parties duly notified.
    2. Participant’s Failure to Comply. If the Participant fails to appear at the scheduled time of the Mediation Teleconference, such failure to comply with the Procedure will be duly noted in the next Annual Procedure Report and VeraSafe shall refer the matter to the appropriate regulatory agency in accordance with Section 13.
    3. Mutual Settlement Agreement. If the Parties reach an agreement during the Mediation Teleconference, VeraSafe will record the Settlement Agreement parameters and notify both Parties in writing of the terms of the Settlement Agreement as decided by the Parties, within five business days of the Mediation Teleconference or as soon as reasonably practicable thereafter.
    4. No Settlement Reached. If no Settlement Agreement is reached during the Mediation Teleconference, the Complainant may file with VeraSafe, a request for a Data Privacy Hearing within ten business days of the Mediation Teleconference.
    5. If no Settlement Agreement is reached during the Mediation Teleconference, and the Complainant does not request a Data Privacy Hearing within ten business days of the Mediation Teleconference, the Complaint will be closed with an outcome of “Closed by Default” and the Parties duly notified.

8. Data Privacy Hearing.

8.1.Overview. Upon the request of the Complainant made to VeraSafe in accordance with the requirements of the Procedure, an officer appointed by VeraSafe will review the Complaint and all Procedure Submissions in a fair and impartial way and determine if clear, convincing, and satisfactory evidence is present to support the alleged violation of the Framework(s) made in the Complaint (a “Data Privacy Hearing”).

8.2. Exchange of Brief and Rebuttal. The Complainant’s request for a Data Privacy Hearing should include its detailed brief of the Complaint. Upon receipt, VeraSafe will forward the brief to the Participant. The Participant shall provide a rebuttal to VeraSafe within ten business days of receiving the Complainant’s brief.

8.3. Data Privacy Hearing Officer.

  1. The Data Privacy Hearing officer shall hold a current Certified Information Privacy Professional or Certified Information Privacy Manager credential from the International Association of Privacy Professionals, hold a Juris Doctor degree from an American Bar Association accredited law school, or be currently licensed to practice law in a jurisdiction of the United States or an EEA member state.
  2. The Data Privacy Hearing officer shall be impartial and neutral in the application of the Procedure.

8.4. Data Privacy Hearing Administration and Procedure.

  1. Data Privacy Hearing Officer’s Request for Information.
    1. The Data Privacy Hearing officer may request additional information or seek clarification from either Party, or both Parties, regarding the Procedure Submissions.
    2. Late Filings and Extensions. If a Party submits required information after the specified time limits, the untimely information shall not be submitted to the Data Privacy Hearing officer unless VeraSafe grants an extension for good cause. In lieu of such untimely Procedure Submissions, the Data Privacy Hearing officer will proceed to use all other available Procedure Submissions in making its Hearing Decision.
  2. VeraSafe’s Investigative Analysis. During the Data Privacy Hearing, the VeraSafe Program Administrator will independently and impartially investigate the Procedure Submissions and furnish to the Data Privacy Hearing officer its analysis of the validity of each essential fact presented in the Procedure Submissions. Such VeraSafe investigative analysis shall then be included in the Data Privacy Hearing as a Procedure Submission.
  3. Hearing Decision and Burden of Proof. The Hearing Officer shall examine the Procedure Submissions to decide if the available evidence does clearly, convincingly, and satisfactorily substantiate the allegation made in the Complaint and, if so, whether or not the alleged action or inaction of the Participant does violate the Framework(s) (the “Hearing Decision”).
    1. Substantiated Complaints. If in due examination of the Procedure Submissions, and in due consideration of the totality of the circumstances, the Data Privacy Hearing officer determines that the available evidence does clearly, convincingly, and satisfactorily substantiate the allegation made in the Complaint, and that the action or inaction of the Participant does violate the Framework(s), the Data Privacy Hearing officer shall require the Participant to comply with one or more Permitted Outcomes, as appropriate under the circumstances (a “Reparation Order”). The Parties will be duly notified of the Reparation Order.
    2. No Action Taken. If, in due examination of the Procedure Submissions, and in due consideration of the totality of the circumstances, the Data Privacy Hearing officer determines that the available evidence does not clearly, convincingly, and satisfactorily substantiate the allegation made in the Complaint, or that the alleged action or inaction of the Participant does not violate the applicable Framework(s), the Complaint shall be closed with an outcome of “Closed – No Action Taken” and the Parties duly notified.

9. Right to Appeal.

9.1. Eligibility and Acceptance of Appeals.

  1. Within ten business days of receiving notification that the Complaint has been closed with an outcome of “Closed – No Action Taken” the Complainant may submit an appeal to VeraSafe, if the Complainant believes that VeraSafe failed to adhere to the Procedure and such failure significantly affected the Hearing Decision.
  2. To be considered, the appeal must include a detailed briefing of the alleged procedural error(s). VeraSafe will accept appeals when the Complainant’s briefing presents Credible Evidence of a procedural error(s).

9.2. Brief and Rebuttal. Upon receipt of the appeal brief, VeraSafe will forward the appeal brief to the Participant. The Participant must provide a rebuttal to VeraSafe within ten business days of receiving the Complainant’s appeal brief.

9.3. Appellate Hearing Officer. VeraSafe will appoint an officer to administer the Appellate Hearing using the eligibility criteria described in Section 8.3(a). The Appellate Hearing officer will not be the same individual as the Data Privacy Hearing officer that administered Section 8 of the Procedure.

9.4. Appellate Hearing Administration and Procedure.

  1. Appellate Hearing Decision.
  2. Examination of Evidence. In its examination of the Procedure Submissions, the Appellate Hearing officer will use the Hearing procedure as described in Section 8.4(c).
    1. Substantiated Complaints. If, in due examination of the Procedure Submissions, and in due consideration of the totality of the circumstances, the Appellate Hearing officer determines that the available evidence does clearly, convincingly and satisfactorily substantiate the allegation made in the Complaint, and that the action or inaction of the Participant does violate the Framework(s), the Appellate Hearing officer will issue a Reparation Order requiring the Participant to comply with one or more Permitted Outcomes, as appropriate under the circumstances. The Parties will be duly notified of the Reparation Order.
    2. No Action Taken. If, in due examination of the Procedure Submissions, and in due consideration of the totality of the circumstances, the Appellate Hearing officer determines that the available evidence does not clearly, convincingly and satisfactorily substantiate the allegation made in the Complaint, or that the alleged action or inaction of the Participant does not violate the applicable Framework(s), the Complaint will be closed with an outcome of “Closed – No Action Taken” and the Parties duly notified.

10. Complainant’s Right To Withdraw.

10.1. A Complainant has the right to withdraw its Complaint at any time during the Procedure by submitting to VeraSafe a request to withdraw the Complaint.

  1. The Complaint will then be closed with an outcome of “Closed – Withdrawn” and the Parties duly notified.

11. Language.

11.1. VeraSafe shall conduct the Procedure in English but insofar as the Complainant is only able to read or write in a language other than English, VeraSafe shall make commercially reasonable efforts to provide translation services to the Complainant as necessary during the Procedure.

12. Participant’s Performance Under a Settlement Agreement or Reparation Order.

12.1. The VeraSafe Program Administrator shall monitor the Participant’s compliance with Settlement Agreements and Reparation Orders issued under the Procedure.

  1. (a) When the VeraSafe Program Administrator is satisfied with the Participant’s performance of an applicable Settlement Agreement or Reparation Order issued under the Procedure, the Complaint will then be closed with an outcome of “Closed by Settlement,” or “Closed by Performance of Reparation Order” and the Parties duly notified.

12.2. Participant’s Non Compliance. If Participant fails to comply with a Settlement or Reparation Order issued under the Procedure, the failure to comply with the Procedure shall be duly noted in the next Annual Procedure Report and VeraSafe shall refer the matter to the relevant government agency pursuant to Section 13.

13. Referral to Government Agencies.

13.1. VeraSafe in its discretion, may refer matters to U.S. government regulatory agencies of competent jurisdiction, if:

  1. the Participant refuses to comply with the Procedure in regards to a Complaint that has been filed with VeraSafe, as described in the Procedure; or
  2. VeraSafe determines that the Participant has failed to comply with a Settlement or Reparation Order issued under the Procedure within a reasonable time.

13.2. Before referring any matter to a regulatory agency of competent jurisdiction, VeraSafe shall first notify the Participant of the intended referral and give the Participant a reasonable opportunity of at least ten business days to cure any breach of the Framework(s) or any failure to perform its obligations under the Procedure.

13.3. Reports of referrals to government agencies shall be included in VeraSafe’s Annual Procedure Report.

13.4. Complaints that VeraSafe refers to a regulatory agency under this Section shall be closed with an outcome of “Closed by Referral to Regulatory Agency,” and the Parties duly notified.

14. Public Reporting.

14.1. VeraSafe shall publish an annual report on the operation of the Procedure (each, an “Annual Procedure Report”). The Annual Procedure Reports shall:

  1. include the types of Complaint outcomes arising under the Procedure;
  2. include a statistical summary of the nature of Complaints filed with the Procedure during the reporting period;
  3. include the number of Complaints filed with the Procedure during the reporting period;
    1. include a statistical summary of the number and nature of Settlement Agreements and Reparation Orders issued under the Procedure during the reporting period;
    2. include a statistical summary of the number and nature of Complaints deemed ineligible during the reporting period pursuant to Section 5, including the specific reason(s) for each Ineligibility Determination;
    3. for each Complaint which VeraSafe refers to a regulatory agency pursuant to Section 13, include a summary (including the Participant’s name) of the nature and outcome of the Complaint;
  4. include the minimum, maximum, and average time for Complaints to be closed under the Procedure during the reporting period; and
  5. be published on VeraSafe’s website, https://www.VeraSafe.com.

14.2. The Annual Procedure Report’s statistical summaries shall be comprised solely of aggregate, anonymous data.

15. Confidentiality.

15.1. Other than the Hearing Decisions and except as noted in Sections 13 and 14, all Procedure Submissions, deliberations, meetings, proceedings, and writings of the Procedure shall be treated as confidential by VeraSafe.

15.2. Each Party must treat any information provided to them by VeraSafe as confidential, and must not make such information available to anyone other than those persons directly involved in the handling of the Complaint, except as allowed or required by applicable law or by the Framework(s).

16. LIMITATION OF LIABILITY.

16.1. EXCEPT IN THE CASE OF DELIBERATE WRONGDOING, AND EXCEPT TO THE EXTENT THAT SUCH A LIMITATION OF LIABILITY IS PROHIBITED BY APPLICABLE LAW OR BY THE FRAMEWORK(S), AND WITH THE KNOWLEDGE THAT VERASAFE IS PROVIDING THE PROCEDURE FOR THE BENEFIT OF THE PARTIES INVOLVED, THE PARTIES ACKNOWLEDGE AND AGREE THAT THE FOLLOWING ARE NOT LIABLE FOR ANY ACT OR OMISSION IN CONNECTION WITH THE PROCEDURE: VERASAFE NOR ANY VERASAFE EMPLOYEE, BOARD MEMBER, COMPANY OFFICER, OR INDEPENDENT CONTRACTOR UTILIZED BY VERASAFE IN THE PROCEDURE.

16.2. VeraSafe can offer no guarantee that the outcome of the Procedure will be an outcome with which either Party, or the Parties, is satisfied.

17. Interpretation.

17.1. This Procedure shall be interpreted under the laws of the United States of America.

18. Waiver of Subpoena.

18.1. Each Party agrees that it will not subpoena any of the following in any legal proceeding arising out of the Procedure or any Complaint: VeraSafe nor any VeraSafe employee, board member, company officer, or independent contractor utilized by VeraSafe in the Procedure.

19. Hold Harmless.

19.1. The Participant agrees to hold VeraSafe, its officers, agents and employees harmless from any liability, loss, or damage the Participant may suffer as a result of Complaints, claims, demands, costs, Settlement Agreements, Reparation Orders, or judgments against them arising out of the Procedure.

19.2. The Complainant agrees to hold VeraSafe, its officers, agents and employees harmless from any liability, loss, or damage the Complainant may suffer arising out of the Procedure or the acts or omissions of the Participant that gave rise to the Complaint.

20. Relationship of the Parties.

20.1. Nothing contained in the Procedure shall be construed to create the relationship of principal and agent, partnership, or joint venture, or any other commercial relationship between VeraSafe and either Party.

20.2. The Parties have no authority to act as agent for, or on behalf of, VeraSafe, or to represent VeraSafe, or bind VeraSafe in any manner.

21. Contact Information.

21.1. VeraSafe may be contacted using the contact information found at https://www.VeraSafe.com/contactus.

21.2. The International Trade Administration of the U.S. Department of Commerce may be contacted via the website https://www.privacyshield.gov and http://export.gov/safeharbor/.

21.3. VeraSafe is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. The Commission may be contacted using the information found on the website https://www.ftc.gov/contact.