As a provider of a software solution that enables our customers to manage the health and wellness of their employees and to maintain compliance with occupational health regulations, Enterprise Health complies with Privacy Shield Frameworks regarding the collection, use, and retention of personal information transferred from the European Union member countries, the United Kingdom and Switzerland.
Enterprise Health is a data processor not a data controller, which means many of the provisions of the Privacy Shield Frameworks may not be applicable to us. However, we strongly believe in the benefits of these Frameworks; therefore, each year we go through a process to certify that we adhere to the Privacy Shield Principles with the U.S. Department of Commerce’s International Trade Administration (ITA).
Privacy Shield Frameworks
Privacy Shield Frameworks are agreements that allow for the transfer of personal data from the EU to the U.S. There are two frameworks: one between the European Union and the United States and another between Switzerland and the United States. Both were developed by the U.S. Department of Commerce in consultation with the European Commission and the Swiss Government, respectively.
The EU-U.S. Privacy Shield Framework replaced the U.S.-EU Safe Harbor Framework in July 2016. The Swiss-U.S. Privacy Shield Framework replaced the U.S.-Swiss Safe Harbor Framework in January 2017. The Privacy Shield program includes important benefits to U.S.-based organizations, as well as their partners in Europe. These include:
- The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were deemed adequate by the European Commission and Swiss Government respectively, meaning they are recognized mechanisms to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
- Participating organizations are deemed to provide “adequate” privacy protection, a requirement for the transfer of personal data outside of the European Union under the EU Data Protection Directive and outside of Switzerland under the Swiss Federal Act on Data Protection.
Even though the United Kingdom formally exited the European Union on January 31, 2020, the EU-U.S. Privacy Shield will continue to apply to and in the UK until December 31, 2020.
General Data Protection Regulation (GDPR)
The GDPR is a law that has specific requirements for companies that handle EU data in any country, not just the U.S. According to GDPR, data transfer may only occur to countries deemed by data protection authorities as having adequate data protection laws. Currently, the U.S. is not generally listed as one of those countries. In short, Privacy Shield allows U.S. companies, or EU companies working with U.S. companies, to meet this requirement of the GDPR.
Enterprise Health has participated in the EU-U.S. Privacy Shield Framework since 2017 and the Swiss-U.S. Privacy Shield Framework since 2018. On the Privacy Shield Framework website, there is a list of all U.S. companies that are participating in Privacy Shield, including the Enterprise Health entry. In addition, there is a link to the Enterprise Health EU-U.S. and Swiss-U.S. Privacy Shield Policy at the bottom of every page on the Enterprise Health website.