Data Privacy Framework (DPF) Dispute Resolution Procedure

Last Updated: July 19, 2023

Our Annual IRM Reports

As an Independent Recourse Mechanism (“IRM”) under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, VeraSafe published, and will publish a report as an IRM under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), each year describing our dispute resolution activities and the state of our IRM and Compliance Verification programs.

1. Introduction

1.1. The VeraSafe Data Privacy Framework (DPF) Dispute Resolution Procedure (the “Procedure”) is provided and administered by VeraSafe, LLC, (“VeraSafe”), for the resolution of complaints alleging that a Participant in the VeraSafe Privacy Program or VeraSafe Data Privacy Framework (DPF) Dispute Resolution Program (the “Program(s)”), that is also subject to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and as applicable, the UK Extension to the EU-U.S.DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (together, the “Data Privacy Framework”), the EU-U.S. Privacy Shield Framework, Swiss-U.S. Privacy Shield Framework, U.S.-EU Safe Harbor Framework, or U.S.-Swiss Safe Harbor Framework, has failed to comply with the Framework(s). The Procedure combines facilitation, mediation, and arbitration.

1.2. VeraSafe commits to comply with the requirements for independent recourse mechanisms as set forth in Principle 7 “Recourse, Enforcement and Liability” and Supplemental Principle 11 “Dispute Resolution and Enforcement” of the Data Privacy Framework (available at https://www.dataprivacyframework.gov/), Principle 7 “Recourse, Enforcement and Liability” and Supplemental Principle 11 “Dispute Resolution and Enforcement” of the Privacy Shield Framework, and the Enforcement Principle and FAQ 11 “Dispute Resolution and Enforcement” of the Safe Harbor Frameworks. In case of a conflict between the Procedure and one of the Frameworks, the relevant Framework(s) shall control, and the Procedure shall be modified to the minimum extent necessary in order to permit VeraSafe to comply with its obligations as an independent recourse mechanism under the Framework(s).

1.3. By participating in the Procedure, the Parties agree to the terms and conditions of the Procedure, as set forth herein.

2. Definitions

2.1. The following definitions apply to the Procedure:

  1. “Appellate Hearing” means the process described under Section 9 of the Procedure.
  2. “Complainant” means a person who has filed, or attempted to file, a Complaint with VeraSafe under the terms of the Procedure.
  3. “Complaint” means one or more allegation(s) of non-compliance with the Data Privacy Framework, EU-U.S. Privacy Shield Framework, Swiss-U.S. Privacy Shield Framework, U.S.-EU Safe Harbor Framework, or U.S.-Swiss Safe Harbor Framework filed with VeraSafe under the terms of the Procedure.
  4. “Data Privacy Hearing” means the process described under Section 8 of the Procedure.
  5. “EEA” means the European Economic Area.
  6. “Framework(s)” means the Data Privacy Framework, the EU-U.S. Privacy Shield Framework, the Swiss-U.S. Privacy Shield Framework, the U.S.-EU Safe Harbor Framework, and the U.S.-Swiss Safe Harbor Framework.
  7. “Participant” means a member, in good standing, of the VeraSafe Privacy Program or VeraSafe Data Privacy Framework Dispute Resolution Program.
  8. “Party/Parties” means the Complainant or the Participant, or both, as applicable.
  9. “Procedure Submissions” means all documents, writings, briefs, evidence, and other material, submitted under the Procedure by the Parties or by VeraSafe.
  10. “Settlement Agreement” means an agreement reached by the Parties that resolves the Complaint. To be effective, the terms of such agreement must be recorded in writing and signed by both Parties.

2.2. Capitalized terms not defined herein shall be understood to have the same meaning as ascribed to such terms in the VeraSafe Privacy Program Certification Criteria set forth at https://www.verasafe.com/privacy-solutions/privacy-program-certification-criteria/ (such hyperlink may be revised and redirected from time to time).

3. General Terms and Eligibility

3.1. Legal Representation. One or both Parties may choose to be represented by legal counsel at any stage of the Procedure. If either Party chooses to be represented, that party will notify VeraSafe, providing the name and contact information of the attorney who will be representing the Party. VeraSafe will then notify the other Party of the representation and the attorney’s name and contact information.

3.2. No Payment Required. The Complainant is not required to pay any remuneration to VeraSafe in order to file a Complaint with the Procedure.

3.3. Eligible Complainant. For a Complainant to be eligible to file a Complaint, the Complainant must be:

  1. at least thirteen years of age on the date the Complaint is filed under the Procedure and a Data Subject whose PII was exported from the EEA, UK (or Gibraltar), or Switzerland by or to a Participant; or
  2. the parent or legal guardian of a Data Subject (1) who is under eighteen years of age at the time that the Complaint is filed with VeraSafe and (2) whose PII was exported from the EEA, UK (or Gibraltar), or Switzerland by or to a Participant.

3.4. Eligible Complaint. For a Complaint to be eligible under the Procedure, the Complaint must:

  1. name a Participant that has listed VeraSafe as its independent dispute resolution mechanism on its Data Privacy Framework, EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield, U.S.-EU Safe Harbor, or U.S.-Swiss Safe Harbor self-certification(s) with the U.S. Department of Commerce, as a defendant in the Complaint;
  2. not have been previously resolved or settled by court action, arbitration, or other form of dispute resolution;
  3. be filed using the Procedure for the first time, except for Complaints (1) alleging a Participant’s failure to comply with a previous Settlement Agreement or (2) being amended pursuant to Section 4.3; and
  4. not seek remedies that are not Permitted Outcomes

3.5. Ineligibility Determination. If, based on the information available to VeraSafe, the Complaint or Complainant is found to be ineligible (an “Ineligibility Determination”), VeraSafe shall close the Complaint, record an outcome of “Ineligible,” and notify the Complainant of the outcome.

3.6. Complainant’s Right to Appeal the Ineligibility Determination. The Complainant has the right to appeal VeraSafe’s Ineligibility Determination within ten business days of being sent the Ineligibility Determination. If the Complainant can show a reasonable likelihood that VeraSafe made a material error in the Ineligibility Determination, VeraSafe shall duly re-examine the Complaint and make a final determination as to its eligibility. VeraSafe’s determination shall be final after the appeal and no further appeal may be taken.

4. Complaint Filing Procedure

4.1. Prior Good Faith Attempt to Resolve Complaint. The Complainant must make a good faith effort to resolve his dispute directly with the Participant before filing the Complaint with VeraSafe. Complainants are further encouraged to read the Participant’s applicable privacy notice(s) entirely before filing a Complaint with VeraSafe. If VeraSafe determines, in its sole discretion, that Complainant did not make a good faith effort to resolve the dispute before filing a Complaint, VeraSafe shall require the Complainant to try to resolve the Complaint directly with the Participant and shall advise the Complainant that he or she may re-file the Complaint using the Procedure, as outlined herein, if the attempt to resolve the Complaint with the Participant does not yield satisfactory results.

4.2. Information Required. A Complainant must provide certain information to VeraSafe in order to successfully file a Complaint with the Procedure. Therefore, the Complaint must:

  1. allege a Participant’s failure to comply with the Framework(s);
  2. include the fullest possible account of facts and events giving rise to the Complaint;
  3. seek one or more of the Permitted Outcomes (see Section 5.1);
  4. if any damages or harm is alleged, include specific details of the harm and/or damages (where applicable, quantification of monetary damages is preferred, but not required);
  5. include valid contact information (mailing address, email address, and contact person) for the Complainant;
  6. include consent to share the Complaint with the Participant;
  7. include all available documentation to support the Complaint;
  8. include a description of Complainant’s good faith effort to resolve the dispute with the Participant, before filing the Complaint; and
  9. include a declaration, under penalty of perjury under the laws of the United States of America, that all information submitted to VeraSafe in the Procedure is true and correct.

4.3. Right to Correct Defective Complaint. Within ten business days of receiving the Complaint, VeraSafe will inform the Complainant if the Complaint fails to meet any of the requirements enumerated in Section 4.2 and will give the Complainant the opportunity to amend the Complaint to satisfy such requirement(s). As a matter of course, the Complainant will have two opportunities to amend the Complaint for failure to address any defects in the Complaint. Further opportunities to amend the Complaint to satisfy the requirements of Section 4.2 shall be given solely at VeraSafe’s discretion.

4.4. Medium for all Procedure Submissions.

  1. Complaints must be initiated by: (i) submitting VeraSafe’s online complaint form located at: https://www.verasafe.com/public-resources/dispute-resolution/submit-dispute/ or (ii) by submitting the required information to VeraSafe via email ([email protected]) and including the following statement: “I represent and warrant that I have read, understand, and agree to be bound by the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure”.
  2. VeraSafe shall provide all correspondence to the Parties electronically, either by email or fax.
  3. The Parties shall submit all information, correspondence, and other material required by, or intended for use in, the Procedure (“Procedure Submissions”) to VeraSafe electronically.
  4. Procedure Submissions shall be considered delivered to the recipient immediately upon their electronic transmission by the sender.

5. Permitted Outcomes

5.1. The Parties agree that the possible outcomes that a Complainant may seek via the Procedure, and the maximum relief that VeraSafe shall assign in a Data Privacy Hearing or Appellate Hearing during the Procedure, are limited to the non-exclusive remedies described below (the “Permitted Outcomes”). Permitted Outcomes are only those that may require:

  1. the effects of noncompliance with the Framework(s) to be reversed or corrected by the Participant;
  2. that future data processing by the Participant be in conformity with the Framework(s);
  3. the Participant to cease processing PII of the Complainant;
  4. the Participant to delete relevant PII that was processed contrary to the Framework(s);
  5. the temporary suspension and/or removal of Participant’s license to display VeraSafe Seal(s);
  6. the Participant to compensate the Complainant for actual, direct losses incurred as a result of Participant’s non-compliance with the Framework(s); or
  7. the Participant to comply with any orders set forth by the Hearing Officer or Appeal Officer

5.2. In order to ensure that any sanctions are sufficiently rigorous – in accordance with Supplemental Principle 11(e)(i) of the Data Privacy Framework – VeraSafe reserves the right to impose additional sanctions upon the Participant that are more severe than those sought by the Complainant in situations where VeraSafe determines that such requested sanctions are inadequate to ensure Participant’s compliance with the Framework(s); provided, however, that the fulfillment of the Complainant’s desired outcome(s) shall be satisfied, at minimum.

6. Complaint Response Procedure

6.1. Participant’s Response to Complaint. Complaints that VeraSafe determines to be eligible shall be forwarded by VeraSafe to the Participant. The Participant must file its response to the Complaint (“Response”) with VeraSafe within twenty business days of Participant’s receipt of the Complaint from VeraSafe. The Participant’s Response must either:

  1. defend the Participant’s actions as permitted under the applicable Framework(s);
  2. dispute the validity of information presented in the Complaint and contain all available documentation to support the dispute; or
  3. admit fault and agree to remedy the alleged violation(s) as determined by VeraSafe in its sole discretion.

6.2. Upon VeraSafe’s receipt of the Participant’s Response, VeraSafe will forward it to the Complainant.

6.3. Participant’s Failure to Respond. If the Participant fails to file a timely Response, the failure to comply with the Procedure will be duly noted in the next Annual Procedure Report (as such term is defined in Section 15 of the Procedure) and VeraSafe shall refer the matter to the appropriate government agency in accordance with Section 14 of the Procedure.

7. Consultative Mediation

7.1. Mediation Teleconference. If the Complainant is not satisfied by the Participant’s Response to the Complaint, and desires to continue with the Procedure, the Complainant must file with VeraSafe a request for a mediation session to be conducted via telephone (hereinafter, a “Mediation Teleconference”) within ten business days of receiving the Participant’s Response. The Mediation Teleconference is an informal process for the Parties to reexamine the details of the Complaint and work towards a mutually agreeable resolution with the assistance of an approved mediator under the requirements set forth herein.

  1. If the Complainant is satisfied by the Participant’s Response to the Complaint, the Complainant shall notify VeraSafe in writing that the Complaint has been resolved.
  2. If VeraSafe receives notification from the Complainant that the Complainant is satisfied with the Participant’s Response, or otherwise receives no request for a Mediation Teleconference from the Complainant within the timeframe specified in Section 7.1, VeraSafe shall close the Complaint with an outcome of “Closed by Default” and duly notify the Parties.

7.2. Mediation Teleconference Procedure. VeraSafe will provide and appoint a mediator to lead the Mediation Teleconference with a requisite knowledge of data privacy concepts and the issues involved in the Parties’ dispute to lead the Mediation Teleconference (the “Mediator”). VeraSafe will make a reasonable effort to schedule the teleconference with due regard for the schedules of the Parties and will notify the Parties of the scheduled time and date not less than fifteen business days before the date of the Mediation Teleconference.

  1. Possible Outcomes of the Mediation Teleconference.
    1. Complainant’s Failure to Comply. If the Complainant fails to appear at the scheduled time of the Mediation Teleconference, it will be assumed that the Participant’s Response has satisfied the Complainant and the Complaint will be closed with an outcome of “Closed by Default” and the Parties duly notified.
    2. Participant’s Failure to Comply. If the Participant fails to appear at the scheduled time of the Mediation Teleconference, such failure to comply with the Procedure will be duly noted in the next Annual Procedure Report and VeraSafe shall refer the matter to the appropriate regulatory agency in accordance with Section 14.
    3. Mutual Settlement Agreement. If the Parties reach an agreement during the Mediation Teleconference, VeraSafe will record the terms of the Settlement Agreement (as decided by the Parties) and notify both Parties in writing of those terms within five business days of the Mediation Teleconference.
    4. No Settlement Reached. If no Settlement Agreement is reached during the Mediation Teleconference, the Complainant must file with VeraSafe a request for a Data Privacy Hearing within ten business days of the Mediation Teleconference or the Complaint will be closed with an outcome of “Closed by Default” and the Parties duly notified.

8. Data Privacy Hearing

8.1. Overview. Upon the request of the Complainant made to VeraSafe in accordance with the requirements of the Procedure, an officer appointed by VeraSafe (the “Data Privacy Hearing Officer”) will review the Complaint and all Procedure Submissions in a fair and impartial way and determine if the available evidence does, by a preponderance of the evidence, substantiate the alleged violation of the Framework(s) made in the Complaint.

8.2. Exchange of Briefs. The Complainant’s request for a Data Privacy Hearing should include a detailed brief supporting the allegation(s) in the Complaint (attaching evidence, if appropriate). Upon receipt, VeraSafe will forward the brief to the Participant. The Participant shall provide a brief in rebuttal to VeraSafe (attaching evidence, if appropriate) within ten business days of receiving the Complainant’s brief.

8.3. Data Privacy Hearing Officer.

  1. The Data Privacy Hearing Officer shall: (i) hold a current Certified Information Privacy Professional or Certified Information Privacy Manager credential from the International Association of Privacy Professionals; (ii) hold a Juris Doctor degree from an American Bar Association accredited law school; or (iii) be currently licensed to practice law in a jurisdiction of the United States or an EEA member state.
  2. The Data Privacy Hearing Officer shall be impartial and neutral in the application of the Procedure.
  3. The Data Privacy Hearing Officer shall not be the same individual who served as the Mediator

8.4. Data Privacy Hearing Administration and Procedure.

  1. Data Privacy Hearing Officer’s Request for Information.
    1. The Data Privacy Hearing Officer may request additional information or seek clarification from either Party regarding the Procedure Submissions.
    2. Late Filings and Extensions. If a Party submits required information after the specified time limits, the untimely information shall not be submitted to the Data Privacy Hearing Officer unless VeraSafe grants an extension for good cause. In lieu of such untimely Procedure Submissions, the Data Privacy Hearing Officer will proceed to use all other available Procedure Submissions in making its Hearing Decision.
  2. Scheduling of Data Privacy Hearing. VeraSafe will make a reasonable effort to schedule a teleconference for the Data Privacy Hearing with due regard for the schedules of the Parties and will notify the Parties of the scheduled time and date not less than fifteen business days before the date of the teleconference.
  3. Data Privacy Hearing Procedure. The Parties shall appear telephonically at the hearing, where they will be allowed to present their arguments and evidence (although no new arguments or evidence not contained in the Procedure Submissions will be allowed, unless good cause is shown as to why they were not included). Additionally, the Data Privacy Hearing Officer may ask questions of the Parties about their arguments and evidence.
  4. Hearing Decision and Burden of Proof. The Data Privacy Hearing Officer shall, based on the Procedure Submissions and Data Privacy Hearing, decide if the available evidence does, by a preponderance of the evidence, substantiate the allegation(s) made in the Complaint and, if so, whether or not the alleged action or inaction of the Participant does violate the Framework(s) (the “Hearing Decision”).
    1. Sustained Complaints. If, after weighing the arguments and evidence presented in the Procedure Submissions and Data Privacy Hearing, and in due consideration of the totality of the circumstances, the Data Privacy Hearing Officer determines that the available evidence does, by a preponderance of the evidence, substantiate the allegation(s) made in the Complaint, and that the action or inaction of the Participant does violate the Framework(s), the Data Privacy Hearing Officer shall require the Participant to comply with one or more Permitted Outcomes, as appropriate under the circumstances (a “Reparation Order”). The Parties will be duly notified of the Reparation Order.
    2. No Action Taken. If, after weighing the arguments and evidence presented in the Procedure Submissions and Data Privacy Hearing, and in due consideration of the totality of the circumstances, the Data Privacy Hearing Officer determines that the available evidence does not, by a preponderance of the evidence, substantiate the allegation(s) made in the Complaint, or that the alleged action or inaction of the Participant does not violate the applicable Framework(s), the Complaint shall be closed with an outcome of “Closed – No Action Taken” and the Parties duly notified.

9. Right to Appeal

9.1. Appeal of Data Privacy Hearing Outcome. Within ten business days of receiving notification that the Complaint has been closed with an outcome of “Closed – No Action Taken,” the Complainant may submit an appeal to VeraSafe, if the Complainant reasonably believes that VeraSafe or the Data Privacy Hearing Officer failed to adhere to the Procedure and such failure materially affected the Hearing Decision.

9.2. Exchange of Briefs. To be considered, the Complainant’s appeal brief must include a detailed briefing of the alleged failure to adhere to the Procedure, as well as any supporting evidence. Upon receipt of the appeal brief, VeraSafe will forward the appeal brief to the Participant. The Participant must provide a brief in rebuttal (including any supporting evidence) to VeraSafe within ten business days of receiving the Complainant’s appeal brief. The briefs are the “Appellate Procedure Submissions”.

9.3. Appellate Hearing Officer. VeraSafe will appoint an impartial officer to administer the Appellate Hearing (the “Appellate Hearing Officer”) using the eligibility criteria described in Section 8.3. The Appellate Hearing Officer will not be the same individual who served as the Mediator or the Data Privacy Hearing Officer.

9.4. Appellate Hearing Administration and Procedure.

  1. Consideration of Appeal. The Appellate Hearing Officer will accept an appeal when the Appellate Procedure Submissions demonstrate that there is a reasonable likelihood that VeraSafe or the Data Privacy Hearing Officer failed to adhere to the Procedure and that such failure materially affected the Hearing Decision. If the Appellate Hearing Officer accepts the appeal, he or she will execute the Appellate Hearing Procedure. If the Appellate Hearing Officer declines to accept the appeal, he or she will provide a written explanation of the decision, which will be provided to Complainant and Participant.
    1. The Appellate Hearing Officer may request additional information or seek clarification from either Party regarding the Appellate Procedure Submissions, either when considering the Appeal or when carrying out the Appellate Hearing Procedure.
  2. Appellate Hearing Procedure. The Appellate Hearing Officer will duly examine the Appellate Procedure Submissions, as well as the Procedure Submissions, and shall decide if the available evidence does, by a preponderance of the evidence, substantiate the allegation(s) made in the Complaint and, if so, whether or not the alleged action or inaction of the Participant is in violation of the applicable Framework(s) (the “Hearing Decision”).
    1. Sustained Complaints. If, in due examination of the Appellate Procedure Submissions and Procedure Submissions, and in due consideration of the totality of the circumstances, the Appellate Hearing Officer determines that the available evidence does, by a preponderance of the evidence, substantiate the allegation(s) made in the Complaint, and that the action or inaction of the Participant does violate the applicable Framework(s), the Appellate Hearing officer will issue a Reparation Order requiring the Participant to comply with one or more Permitted Outcomes, as appropriate under the circumstances. The Parties will be duly notified of the Reparation Order.
    2. No Action Taken. If, in due examination of the Appellate Procedure Submissions and Procedure Submissions, and in due consideration of the totality of the circumstances, the Appellate Hearing officer determines that the available evidence does not, by a preponderance of the evidence, substantiate the allegation(s) made in the Complaint, or that the alleged action or inaction of the Participant does not violate the applicable Framework(s), the Complaint will be closed with an outcome of “Closed – No Action Taken” and the Parties duly notified.

10. Complainant’s Right to Withdraw

10.1. A Complainant has the right to withdraw its Complaint at any time during the Procedure by submitting to VeraSafe a request to withdraw the Complaint. The Complaint will then be closed with an outcome of “Closed – Withdrawn” and the Parties duly notified.

11. Complainant’s Noncompliance with the Procedure

11.1. If the Complainant breaches any term(s) of the Procedure in a material way, during any stage of the process, VeraSafe has the right to close the Complaint, record an outcome of “Closed by Default,” and the parties duly notified.

12. Language

12.1. VeraSafe shall conduct the Procedure in English but insofar as the Complainant is only able to read or write in a language other than English, VeraSafe shall make commercially reasonable efforts to provide translation services to the Complainant as necessary during the Procedure.

13. Participant’s Performance Under a Settlement Agreement or Reparation Order

13.1. VeraSafe shall monitor the Participant’s compliance with any Settlement Agreements or Reparation Orders entered or issued under the Procedure.

13.2. When VeraSafe is satisfied with the Participant’s performance regarding an applicable Settlement Agreement or Reparation Order entered or issued under the Procedure, the Complaint will then be closed with an outcome of “Closed by Settlement,” or “Closed by Performance of Reparation Order” and the Parties duly notified.

13.3. Participant’s Non-Compliance. If Participant fails to comply with a Settlement Agreement or Reparation Order entered or issued under the Procedure, the failure to comply with the Procedure shall be duly noted in the next Annual Procedure Report and VeraSafe shall refer the matter to the relevant government agency pursuant to Section 14.

14. Referral to Government Agencies

14.1. VeraSafe in its sole discretion, may refer matters to U.S. government regulatory agencies of competent jurisdiction, if:

  1. the Participant refuses to comply with the Procedure in regard to a Complaint that has been filed with VeraSafe, as described in the Procedure; or
  2. VeraSafe determines that the Participant has failed to comply with a Settlement Agreement or Reparation Order entered or issued under the Procedure within a reasonable time.

14.2. Before referring any matter to a regulatory agency of competent jurisdiction, VeraSafe shall first notify the Participant of the intended referral and give the Participant a reasonable opportunity of at least ten business days to cure any breach of the Framework(s) or any failure to perform its obligations under the Procedure.

14.3. Reports of referrals to government agencies shall be included in VeraSafe’s Annual Procedure Report.

14.4. Complaints that VeraSafe refers to a regulatory agency under this Section shall be closed with an outcome of “Closed by Referral to Regulatory Agency,” and the Parties duly notified.

15. Public Reporting

15.1. VeraSafe shall publish an annual report on the operation of the Procedure (each, an “Annual Procedure Report”). The Annual Procedure Report shall include:

  1. an executive summary, including the period covered in the Annual Procedure Report, the name of the dispute resolution program (the “VeraSafe Data Privacy Framework Dispute Resolution Procedure”) and any highlights from the period;
  2. the number of organizations presently enrolled in the Procedure;
  3. the number of organizations that receive VeraSafe’s Data Privacy Framework verification service, and the number of organizations that receive both the verification service and the dispute resolution service;
  4. a description of how VeraSafe avoids any actual or potential conflicts of interest in situations when it provides an organization with both verification services and dispute resolution services;
  5. a brief description of the types of Data Privacy Framework-related guidance that VeraSafe provides (e.g., online guidance for businesses and consumers, involvement in presentations and other public discussions);
  6. a description of the types of Data Privacy Framework-related compliance activities that VeraSafe engages in (e.g., review methods used by VeraSafe as part of its Data Privacy Framework-related verification service, or other steps that VeraSafe takes to review and/or monitor organizations’ privacy policies);
  7. the requirements for participation in the Program, including the elements of any participation agreement;
  8. a description of how a Complaint can be filed with the Procedure;
  9. a description of the Procedure’s Complaint eligibility requirements and its complaint review process, including how long it takes for Complaints to be processed and resolved and the range of potential remedies; and
  10. statistics for Data Privacy Framework-related complaints during the reporting period, which shall include:
    1. the number Data Privacy Framework-related complaints received during the reporting year;
    2. the types of Data Privacy Framework-related complaints received;
    3. the dispute resolution quality measures for the Data Privacy Framework-related complaints received (e.g., the length of time taken to process those complaints); and
    4. the outcomes of the Data Privacy Framework-related complaints received, notably the number and types of remedies or sanctions imposed.

15.2. The Annual Procedure Report’s statistical summaries shall be comprised solely of aggregate, anonymous data.

16. Confidentiality

16.1. Other than the Hearing Decisions and except as noted in Sections 14 and 15, all Procedure Submissions, deliberations, meetings, proceedings, and writings of the Procedure shall be treated as confidential by VeraSafe.

16.2. Each Party must treat any information provided to them by VeraSafe as confidential and must not make such information available to anyone other than those persons directly involved in the handling of the Complaint, except as allowed or required by applicable law or by the Framework(s).

17. LIMITATION OF LIABILITY

17.1. EXCEPT IN THE CASE OF DELIBERATE WRONGDOING, AND EXCEPT TO THE EXTENT THAT SUCH A LIMITATION OF LIABILITY IS PROHIBITED BY APPLICABLE LAW OR BY THE FRAMEWORK(S), AND WITH THE KNOWLEDGE THAT VERASAFE IS PROVIDING THE PROCEDURE FOR THE BENEFIT OF THE PARTIES INVOLVED, THE PARTIES ACKNOWLEDGE AND AGREE THAT THE FOLLOWING ARE NOT LIABLE FOR ANY ACT OR OMISSION IN CONNECTION WITH THE PROCEDURE: ANY MEDIATOR, HEARING OFFICER, VERASAFE, NOR ANY VERASAFE EMPLOYEE, BOARD MEMBER, COMPANY OFFICER, OR INDEPENDENT CONTRACTOR UTILIZED BY VERASAFE IN THE PROCEDURE

17.2. VeraSafe can offer no guarantee that the outcome of the Procedure will be an outcome with which either Party, or the Parties, is satisfied.

18. Interpretation

18.1. This Procedure shall be interpreted under the laws of the United States of America.

19. Waiver of Subpoena

19.1. Each Party agrees that it will not subpoena any of the following in any legal proceeding arising out of the Procedure or any Complaint: any Mediator, Hearing Officer, VeraSafe, nor any VeraSafe employee, board member, company officer, or independent contractor utilized by VeraSafe in the Procedure.

20. Hold Harmless

20.1. The Participant agrees to hold VeraSafe, its officers, agents, independent contractors, and employees harmless from any liability, loss, or damage the Participant may suffer as a result of Complaints, claims, demands, costs, Settlement Agreements, Reparation Orders, or judgments against them arising out of the Procedure.

20.2. The Complainant agrees to hold VeraSafe, its officers, agents and employees harmless from any liability, loss, or damage the Complainant may suffer arising out of the Procedure or the acts or omissions of the Participant that gave rise to the Complaint.

21. Relationship of the Parties

21.1. Nothing contained in the Procedure shall be construed to create the relationship of principal and agent, partnership, or joint venture, or any other commercial relationship between VeraSafe and either Party.

21.2. The Parties have no authority to act as agent for, or on behalf of, VeraSafe, or to represent VeraSafe, or bind VeraSafe in any manner.

22. Contact Information

22.1. VeraSafe may be contacted using the contact information found at https://www.verasafe.com/about-us/contact-us/.

22.2. The International Trade Administration of the U.S. Department of Commerce may be contacted via the website https://www.dataprivacyframework.gov and https://www.export.gov/ITA.

22.3. VeraSafe is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. The Commission may be contacted using the information found on the website https://www.ftc.gov/contact.

Why VeraSafe?

Track record of successful GDPR implementations across industries.

Work directly with our in-house team of US and European attorneys, IT experts, and project managers.

Strategic, risked-based approach to compliance.

Fully customizable GDPR compliance program, tailored to fit your needs.

Holistic approach: We help you identify business opportunity hidden inside the GDPR.

Going beyond just EU privacy law, VeraSafe is your end-to-end partner for the entire privacy and cybersecurity domain.