Responsible Onward Transfer of Personal Data: Liability Extends Beyond Your Walls

Post Date: 07/20/2016

As if your own data privacy policies weren’t complex enough, the responsibility now extends outside your walls to vendors and partners. Privacy Shield expands on Safe Harbor’s requirements for regulation of and accountability for onward transfer of personal data, requiring certified organizations to specify in third party contracts that transferred personal data may only be processed for limited and specified purposes consistent with the data subject’s consent. By agreeing to such contracts, third parties are held to the same purpose limitations as the certified organization.

This means that now, not only are companies responsible for ensuring that they are complying with their own stated privacy and data protection policies, but they also must ensure that the third parties with whom they share data have comparable policies and procedures of their own.

What are third parties responsible for?

Where the third party is acting as an agent, such as a vendor, the certified organization must in addition take reasonable and appropriate steps to ensure the agent upholds the Principles – including stopping and remediating any unauthorized processing. This downstream data protection accountability puts significant pressure on vendor selection and monitoring practices. A Privacy Shield certified organization must even provide the Department of Commerce (DOC) with relevant third party contractual provisions, which place some restrictions on contractual confidentiality.

Regardless of contractual language, a Privacy Shield certificate holder remains liable to the data subject for its vendor’s violation of the Principles. The only exception is if it proves that it is not responsible for the event giving rise to the damage.

Requirements for Responsible Onward Transfer of Personal Data

For transfer of personal data to a third party acting as a controller, a Privacy Shield participant must:

  • Comply with the Notice and Choice principles
  • Enter into a contract with the third-party controller that says data may only be processed for limited and specified purposes consistent with the consent provided by the individual, and that the recipient will provide the same level of protection as the Principles

For transfer of personal data to a third party acting as an agent, a Privacy Shield participant must:

  • Transfer such data only for limited and specified purposes
  • Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles
  • Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles
  • Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing
  • Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the department upon request

What does this mean to your organization?

First, you need to:

  • Absolutely and clearly indicate what personal information you are requesting and collecting from consumers
  • Give them a choice about whether or not to provide it
  • Clearly mark the data you have collected with the specific purpose for collection

This means that you cannot leave your policies to chance or luck. Privacy Shield requires that you not only create policies that meet its mandate, but that you operationalize those policies and be able to prove that you’ve done so.


Organizations must provide “clear, conspicuous, and readily available mechanisms” by which individuals can opt out of any transfer of personal data to a third party or the use of data for a purpose other than the one for which it was initially collected. Beyond this initial obligation, for specific categories of sensitive information (including data related to health, racial or ethnic origin, political and religious opinions, trade union membership, or information revealing an individual’s sex life), the individual must affirmatively opt in to allowing the transfer of personal data to a third party or the use of the information for a separate purpose.

This is an incredibly important requirement to understand. This will very directly impact companies that regularly share customer data with external parties, particularly if the sharing of information is not related to the original data collection purpose. It may also have implications for companies that hold collected data over a period of time and are later subject to a merger or acquisition.

Also, the opt in requirement means that many organizations will need to create layered consent mechanisms under which they can specifically demonstrate that an individual has chosen to allow transfer of personal data to third parties. As many organizations collect data and obtain consent through their websites, this will require a major revamp of existing consent mechanisms and opt in/opt out practices. This will also be true for in-person or non-web based consent forms.

What are your responsibilities?

In terms of data that you plan to share with your vendors, you are now your partner’s keeper. You must:

  • Limit the data you share with your partners and vendors to only that data you have permission to share
  • Proactively confirm that your partners and vendors understand purpose limitations
  • Ensure partners and vendors will make reasonable efforts to comply with the purpose limitation and appropriate protection of that data

These obligations must be specified in your contracts. If something bad should happen to your data under the care of your partner or vendor, you may find yourself having to defend your having shared it in the first place. So, third party vendor risk assessment should take on a whole new level of importance and priority.

Be sure to turn these assessments into regular proactive reviews and do your due diligence in assuring that these are not simply check box exercises, but that you are crystal clear with third parties about their obligations to protect the data you provide to them. Failure to do so may result in their mistakes costing your company.

Learn More

Prepare for certification with our EU-U.S. Privacy Shield Guide!



Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities. Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.
