I. THE HOTH PRIVACY POLICY

Last Modified: April 25, 2018

1. Introduction

The Hoth is dedicated to protecting your personal information and informing you about how we use your information. This privacy policy applies to your use of The Hoth services including our website and services (collectively “Platform”). This Privacy Policy should be read in conjunction with the Terms of Use and is integrated into the Terms of Use. All capitalized proper nouns not defined in this Agreement will have the same definitions and meanings as defined by the Terms of Use. Please review this Privacy Policy periodically as we may revise it from time to time. If you do not agree with or accept our Privacy Policy in its entirety, you must not access or use the Platform. If you use the Platform following a change to the terms of this Privacy Policy, you agree to accept the revised policies.

2. Information Collected

At The Hoth, we collect personally identifiable information (“PII”) and non-personally identifiable (“Non-PII”) information from you. Personally identifiable information is information that can be used to identify you personally. Non-personally identifiable information is information that must be combined with other information to identify you personally.

Personally Identifiable Information Collected

You will not be required to provide us any information when you visit our Platform. However, in order to fully use our Platform, we may collect PII such as your name, date of birth, email, telephone number, website and business information, and address. We may also collect your relevant payment or credit card information if you wish to pay for any services offered via the Platform. Please be aware that all payment information shall be stored and processed by our third party payment processors.

Non-Identifying Information

Whenever you use our website, we may collect Non-PII from you, such as your IP address, zip code, gender, browsing history, search history, and registration history, interactions with the Platform, usage information, location, referring URL, browser, operating system, data usage, data transferred, and Internet service provider. We may also collect information including but not limited to postings you make on the public areas of our website, messages you send to us, and correspondence we receive from other members or third parties about your activities or postings.

3. Use of Your Information

Some of your information will be visible to other users of the Platform to facilitate communication between users. We will never sell your information without your permission; however you agree that we may use your information in the following ways:

  • To provide any services offered and to operate The Hoth Platform.
  • To enhance or improve our users’ experiences.
  • To contact you via email or other electronic communications where you have an inquiry.
  • To notify you of additional The Hoth services and updates.
  • To share with third parties, with whom you have requested additional information relating to their products and services.
  • To process your transactions.
  • To share your information with third party partners or third parties hired by us to perform functions and provide services to us subject to the obligations consistent with this Privacy Policy and on the condition that the third parties use your information only on our behalf and pursuant to our instructions.

4. Anonymized Data

Please be aware that we may collect and aggregate personally identifiable information from our Platform and may anonymize that information for our own research or internal purposes. Once such data has been anonymized, it cannot be traced back to you, the user.

5. Accessing, Editing, and Removing Your Information

You will be able to access any information contained in your account through our Platform. You may edit that information by removing or changing the information listed in your account. If you have any questions or wish to review, remove, change, or access any of your information collected by us, please contact us by submitting a ticket here. After you have cancelled your account please be aware that we may keep inaccessible copies of your PII and non-PII subject to our data retention policies.

6. Permanent Removal Requests

If you wish to have any of your PII stored within The Hoth Platform permanently removed, please follow our instructions as stated within the policy titled “Removal of Information”. If you have any questions regarding such removal please contact us by submitting a ticket here.

7. Cookies and Tracking

We use cookies as stated within our Cookie Policy. Cookies must be enabled in your browser in order for our Platform to function properly. Additionally, while using portions of our Platform, we may track your usage information so that we understand how you interact with our Platform. If you disable cookies from your web browser some portions of our Platform may not work.

8. Third Party Access to Your Information

Although you are entering into an Agreement with The Hoth to disclose your information to us, we do use third party individuals and organizations to assist us, including contractors, web hosts, and others to allow you to access the Platform.

Throughout the course of our provision of our services to you, we may delegate our authority to collect, access, use, and disseminate your information. It is therefore necessary that you grant the third parties we may use in the course of our business the same rights that you afford us under this Privacy Policy. For this reason, you hereby agree that for every authorization which you grant to us in this Privacy Policy, you also grant to any third party that we may hire, contract, or otherwise retain the services of for the purpose of operating, maintaining, repairing, or otherwise improving or preserving our website or its underlying files or systems. You agree not to hold us liable for the actions of any of these third parties, even if we would normally be held vicariously liable for their actions, and that you must take legal action against them directly should they commit any tort or other actionable wrong against you.

9. Law Enforcement

You agree that we may disclose your information to authorities if compelled to by a court order. Additionally, you agree that we may disclose your information if we reasonably believe that you have violated US laws, the terms of our Terms of Use or our Privacy Policy, or if we believe that a third party is at risk of bodily or economic harm. In the event that we receive a subpoena affecting your privacy, we may elect to notify you to give you an opportunity to file a motion to quash the subpoena, or we may attempt to quash it ourselves, but we are not obligated to do either. We may also proactively report you and release your information without receiving any request to third parties where we believe that it is proper to do so for legal reasons, where your actions violate any law of the United States or any other country having jurisdiction over us, our Platform, or our Terms of Use. You release us from any damages that may arise from or relate to the release of your information to a request from law enforcement agencies or private litigants. We may release your information under the conditions listed in this paragraph whether it is to individuals or entities and to any state or federal authorities, as required.

10. Opt Out of Commercial, Non-Commercial Communications and Do Not Track

If you decide to provide us with your contact information, you agree that we may send you communications via text and emails. However, you may unsubscribe from certain communications by notifying The Hoth that you no longer wish to receive these communications; we will endeavour to promptly remove you from our once we have received that request. We currently do not offer functionality for you to opt out through “do not track” listings. If you wish to opt out of certain communications or information collection, please contact us by submitting a ticket here.

11. Third Parties

The Hoth or other users may post links to third party websites on the Platform, which may include information that we have no control over. When accessing a third party site through our Platform, you acknowledge that you are aware that these third party websites are not screened for privacy or security issues by us, and you release us from any liability for the conduct of these third party websites.

Please be aware that this Privacy Policy, and any other policies in place, in addition to any amendments, does not create rights enforceable by third parties. The Hoth bears no responsibility for the information collected or used by any advertiser or third party website. You must review their Terms of Use and Privacy to understand how their information collection practices work.

12. Security Measures

We make reasonable attempts to protect your information by using physical and electronic safeguards. For this reason we use SSL certificates to enhance our Platform security. However, as this is the Internet, we can make no guarantees as to the security or privacy of your information. For this reason, we recommend that you use anti-virus software, routine credit checks, firewalls, and other precautions to protect yourself from security and privacy threats.

13. Your California Privacy Rights

The Hoth permits residents of the State of California to use its Platform, and complies with the California Business and Professions Code §§ 22575-22579. If you are a California resident you may request certain information regarding our disclosure of personal information to any third parties for their direct marketing purposes. Various provisions throughout this Privacy Policy address requirements of the Californian privacy statutes. Although we do not disseminate your information to third parties without permission, you must presume that we collect electronic information from all visitors. You may contact us by submitting a ticket here with any questions.

14. Age Compliance

We intend to fully comply with American and international laws respecting children’s privacy including COPPA. Therefore, we do not collect or process any information for any persons under the age of 18. If you are under 18 and using our Platform, please stop immediately and do not submit any information to us. In the event that we have inadvertently collected any information from users under the age of 18 please contact us immediately.

15. International Transfer

Your information may be transferred to – and maintained on – computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer. PII and Non-PII that is submitted to The Hoth will be collected, processed, stored, disclosed and disposed of in accordance with applicable U.S. law and this policy. If you are a non-U.S. member, you acknowledge and agree that The Hoth may collect and use your Information and disclose it to other entities outside your resident jurisdiction. In addition, such information may be stored on servers located outside your resident jurisdiction. U.S. law may not provide the degree of protection for information that is available in other countries.

16. Merger and Acquisition

In the event that The Hoth is involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, your information may be sold or transferred as part of that transaction. Please be aware that once the information is transferred your privacy rights may change.

17. Amendments

Like our Terms of Use, we may amend this Privacy Policy from time to time. When we amend this Privacy Policy, we will modify the date listed on this Agreement or we may contact you. You must agree to the amendments as a condition of your continued use of our Platform. If you do not agree, you must immediately cease using our Platform and notify us of your refusal by submitting a ticket here.

18. Privacy Notice for European Citizens

We respect the rights of persons living within the European Economic Community (EEC) and the rights afforded to them under the General Data Protection Regulation (GDPR). Sections 18-23 are referred to as our Privacy Notice and address additional privileges that EEC users may have under our Privacy Policy. This Privacy Notice explains how we shall assist our users who live within the EEC.

Legal Rights   Your Rights Under the GDPR
The right to be informed   The Hoth wishes to keep you informed as to what we do with your personal information. We strive to be transparent about how we use your data.
The right to access   You have the right to access your information at any time. Please contact us by submitting a ticket here if you wish to access the personal information The Hoth holds about you.
The right to rectification   If the information The Hoth holds about you is inaccurate or not complete, you have the right to ask us to rectify it. If that data has been passed to a third party with your consent or for legal reasons, then we must also ask them to rectify the data. Please contact us by submitting a ticket here for more information.
The right to erasure   Sometimes called ‘the right to be forgotten’. You have the right to request that The Hoth erase all your personal data. If you wish to do so, please contact our team by submitting a ticket here.
The right to restrict processing   You have the right to ask The Hoth to restrict how we process your data. This means we are permitted to store the data but not further process it. We will only keep enough data to ensure that we can accommodate any additional requests. Please contact our team by submitting a ticket here.
The right to data portability   The Hoth must allow you to port and reuse your personal data for your own purposes across different platforms. Please contact our team by submitting a ticket here if you wish to receive additional information on how to port your data elsewhere. This right only applies to personal data that you have provided to us as a data controller.
The right to object   You have the right to object to The Hoth processing your data even if our processing is due to legitimate purposes as described in our Privacy Notice. If you have any objections, please contact our team by submitting a ticket here.
The right to withdraw consent   If you have given us your consent to process your data but change your mind later, you have the right to withdraw your consent at any time, and The Hoth must stop processing your data. If you want to withdraw your consent, please contact our team by submitting a ticket here.

19. Legitimate Purposes for Collecting Your PII

The following are the specific legitimate purposes that we may use your PII for:

  • Contract Administration – We may use your PII to (1) negotiate, execute, renew and/or manage a contract with you; (2) process billing information and payments related thereto; and/or (3) communicate with you in respect of the above (including sending (legal) notifications).
  • Access and Communications to Our Platform – We may use your PII to (1) set-up and manage your The Hoth account; (2) interact with you through our Platform (e.g. software updates, Platform announcements, etc.); and/or (3) manage and respond to your questions or comments (e.g. technical, commercial or administrative) or requests for maintenance and support.
  • Use of the Platform – We may use your PII to (1) enable you to enjoy the use of, and easily navigate the Platform; and/or (2) better understand your needs and interests.
  • Sharing with Third Parties – We may use your PII to share with our partner companies that we share data with.
  • Allowing You To Access or Download Content – We may use your PII to allow you to download data or content from the Platform.
  • Training and Improvements – We may use your PII to (1) train our employees or contractors to allow for a better Platform experience; and/or (2) improve the Platform.
  • Direct Marketing – We may use your PII to contact you for additional products and services that you may be interested in.

Please be aware that all legitimate purposes will be taken with minimal amounts of additional processing. Aside from the purposes listed, we may share your information where investigations or a legal dispute has occurred in accordance with our Privacy Policy.

20. Retention of PII

The Hoth will only retain your PII for as long as required. We will keep your personal information:

  • For any legally required duration.
  • Until we no longer have a valid reason to keep or use your PII.
  • Upon your request to eliminate, delete, or modify any of your PII stored with us.

Where you have requested modification or deletion of your PII, we may keep just enough of your personal information to ensure that we comply with your requests not to use your personal information or comply with your right to erasure. If you require additional details regarding the retention of your PII, please contact us.

21. Transfer of PII Outside of the EEC

Where your PII is transferred outside of the EEC, The Hoth shall ensure that your PII shall have an adequate level of protection and that your information will be accessible as stated under the Privacy Notice.

22. Sharing of Data with Third Parties

Aside from the uses listed within this Privacy Notice, The Hoth does not share any of your PII with any third parties aside from third parties that are hired by us to assist us in processing your data (Data Processors). All Data Processors have entered into binding agreements with us to ensure that your rights to your PII are respected.

23. Contact Information

If you have any questions or require additional information related to our information collection practices, please contact us by submitting a ticket here.

 

II. REMOVING YOUR INFORMATION

At The Hoth we value your privacy and your right to access and control your personal information. We have implemented this policy so that you may request the permanent removal of any personal information stored within The Hoth Platform.

If you wish to have any of your personal information stored within The Hoth Platform removed, please contact us by submitting a ticket here and follow the directions stated within this policy. With each removal request you must list the information you wish to have removed exactly as listed. Please be aware that removal requests are not processed instantaneously. There may be a reasonable delay in processing and removing any information requested.

Although we will attempt to remove all of your personal information upon receipt of your removal request, please be aware that The Hoth may have multiple areas where your personal data is stored and a single removal request may not eliminate all of your personal information stored within our Platform. Therefore, you may be required to submit multiple requests. If your information repeatedly reappears please contact us.

You may make a removal request by submitting a ticket here. Please label the first line of the ticket with the following: “Removal Request – Your Full Name and Account Name”.

ADDITIONAL RIGHTS FOR EEC USERS

If you reside in the European Economic Community (EEC) or if you are an EEC citizen you are afforded additional rights to your information.

Legal Rights   Your Rights Under the GDPR
The right to be informed   The Hoth wishes to keep you informed as to what we do with your personal information. We strive to be transparent about how we use your data.
The right to access   You have the right to access your information at any time.
The right to rectification   If the information The Hoth holds about you is inaccurate or not complete, you have the right to ask us to rectify it. If that data has been passed to a third party with your consent or for legal reasons, then we must also ask them to rectify the data.
The right to erasure   Sometimes called ‘the right to be forgotten’. You have the right to request that The Hoth erase all your personal data.
The right to restrict processing   You have the right to ask The Hoth to restrict how we process your data. This means we are permitted to store the data but not further process it. We will only keep enough data to ensure that we can accommodate any additional requests.
The right to data portability   The Hoth must allow you to port and reuse your personal data for your own purposes across different platforms. This right only applies to personal data that you have provided to us as a data controller.
The right to object   You have the right to object to The Hoth processing your data even if our processing is due to legitimate purposes as described in our Privacy Policy.
The right to withdraw consent   If you have given us your consent to process your data but change your mind later, you have the right to withdraw your consent at any time, and The Hoth must stop processing your data.

If you wish to exercise any of these additional rights with regards to any of your PII, we’d be happy to assist you. Please contact us by submitting a ticket here, and label the first line of the message with the following: “Request – Your Full Name and Account Name”.

 

III. THE HOTH COOKIE POLICY

Last Updated: April 25, 2018

Thank you for visiting The Hoth platform (“Platform”). The Hoth is committed to protecting your personal information and ensuring your experience with us is as safe and as enjoyable as possible. In this section, you’ll find information on how and why we use “cookies” to improve our service and your web experience. You’ll also find out how to manage the information that is collected.

What Are Cookies?

Most websites use cookies to improve your browsing experience. Cookies are small amounts of information in the form of text files sent by websites to your computer, mobile phone or other device when you visit our website. They allow companies to do various things, including tailor the content you see, and ensure the security of your online experience. Cookies cannot be used to run programs or deliver viruses to your computer.

Cookie Types and Their Uses

The Hoth uses cookies to save your preferences. This allows us to assist you in remembering what types of preferences and settings you have created within The Hoth Platform and the last time you visited our Platform. These cookies also allow us to understand how you use our Platform; we use these cookies in an attempt to optimize your user experience.

Aside from assisting us in identifying you and remembering your preferences, we may use cookies to assist us in processing transactions. Cookies allow us to remember your orders and to assist us in ensuring that transactions are properly processed.

Third Party Cookies

You may have seen references on other websites to “first party cookies” and “third party cookies.” Determining whether or not a cookie is a first or third party cookie depends on which website sets the cookie on your device. First party cookies are set by, or on behalf of, the company whose website you visit. Cookies set by any other company are third party cookies. For example, third party cookies may be used by advertising companies to serve ads when you visit their website.

Currently, The Hoth uses first party cookies as identified above. Please be aware that third party cookies may be employed on the Platform for the purposes of advertising.

What If I Don’t Want to Accept Cookies?

You can choose to restrict or block access to cookies set by The Hoth or any other company. You can set your browser to notify you when a web server attempts to write or load a cookie to your computer. This gives you a chance to accept or reject the cookie. Please be aware that rejecting any cookies may render some portions of the Platform inaccessible or otherwise cause the improper functioning of portions of the Platform.

How Can I Control Cookies?

Web Browser Cookies

If you don’t want to receive cookies, you can modify your browser so that you are alerted when any cookies are being placed on your computer. Additionally, you can reject all cookies or you may delete cookies that have already been set.

If you wish to restrict or block web browser cookies you may do so via your browser settings. The Help function within your browser should be able to assist you in this matter. Alternatively, you may wish to visit www.aboutcookies.org, which contains comprehensive information regarding the management of cookies on your browser. Aboutcookies.org contains both general information and specific information regarding cookies and their usage.

 

IV. PRIVACY SHIELD FRAMEWORK

Last Updated: October 24, 2018

The HOTH complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. The HOTH has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

1. ACCOUNTABILITY FOR ONWARD TRANSFER

A. To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.

B. To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

2. OVERVIEW

1. While the United States and the European Union share the goal of enhancing privacy protection, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. Given those differences and to provide organizations in the United States with a reliable mechanism for personal data transfers to the United States from the European Union while ensuring that EU data subjects continue to benefit from effective safeguards and protection as required by European legislation with respect to the processing of their personal data when they have been transferred to non-EU countries, the Department of Commerce is issuing these Privacy Shield Principles, including the Supplemental Principles (collectively “the Principles”) under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. § 1512). The Principles were developed in consultation with the European Commission, and with industry and other stakeholders, to facilitate trade and commerce between the United States and European Union. They are intended for use solely by organizations in the United States receiving personal data from the European Union for the purpose of qualifying for the Privacy Shield and thus benefitting from the European Commission’s adequacy decision. The Principles do not affect the application of national provisions implementing Directive 95/46/EC (“the Directive”) that apply to the processing of personal data in the Member States. Nor do the Principles limit privacy obligations that otherwise apply under U.S. law.

2. In order to rely on the Privacy Shield to effectuate transfers of personal data from the EU, an organization must self-certify its adherence to the Principles to the Department of Commerce (or its designee) (“the Department”). While decisions by organizations to thus enter the Privacy Shield are entirely voluntary, effective compliance is compulsory: organizations that self-certify to the Department and publicly declare their commitment to adhere to the Principles must comply fully with the Principles. In order to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (the “FTC”), the Department of Transportation or another statutory body that will effectively ensure compliance with the Principles (other U.S. statutory bodies recognized by the EU may be included as an annex in the future); (b) publicly declare its commitment to comply with the Principles; (c) publicly disclose its privacy policies in line with these Principles; and (d) fully implement them. An organization’s failure to comply is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. § 45(a)) or other laws or regulations prohibiting such acts.

3. The Department of Commerce will maintain and make available to the public an authoritative list of U.S. organizations that have self-certified to the Department and declared their commitment to adhere to the Principles (“the Privacy Shield List”). Privacy Shield benefits are assured from the date that the Department places the organization on the Privacy Shield List. The Department will remove an organization from the Privacy Shield List if it voluntarily withdraws from the Privacy Shield or if it fails to complete its annual re-certification to the Department. An organization’s removal from the Privacy Shield List means it may no longer benefit from the European Commission’s adequacy decision to receive personal information from the EU. The organization must continue to apply the Principles to the personal information it received while it participated in the Privacy Shield, and affirm to the Department on an annual basis its commitment to do so, for as long as it retains such information; otherwise, the organization must return or delete the information or provide “adequate” protection for the information by another authorized means. The Department will also remove from the Privacy Shield List those organizations that have persistently failed to comply with the Principles; these organizations do not qualify for Privacy Shield benefits and must return or delete the personal information they received under the Privacy Shield.

4. The Department will also maintain and make available to the public an authoritative record of U.S. organizations that had previously self-certified to the Department, but that have been removed from the Privacy Shield List. The Department will provide a clear warning that these organizations are not participants in the Privacy Shield; that removal from the Privacy Shield List means that such organizations cannot claim to be Privacy Shield compliant and must avoid any statements or misleading practices implying that they participate in the Privacy Shield; and that such organizations are no longer entitled to benefit from the European Commission’s adequacy decision that would enable those organizations to receive personal information from the EU. An organization that continues to claim participation in the Privacy Shield or makes other Privacy Shield-related misrepresentations after it has been removed from the Privacy Shield List may be subject to enforcement action by the FTC, the Department of Transportation, or other enforcement authorities.

5. Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts. Consistent with the goal of enhancing privacy protection, organizations should strive to implement these Principles fully and transparently, including indicating in their privacy policies where exceptions to the Principles permitted by (b) above will apply on a regular basis. For the same reason, where the option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible.

6. Organizations are obligated to apply the Principles to all personal data transferred in reliance on the Privacy Shield after they enter the Privacy Shield. An organization that chooses to extend Privacy Shield benefits to human resources personal information transferred from the EU for use in the context of an employment relationship must indicate this when it self-certifies to the Department and conform to the requirements set forth in the Supplemental Principle on Self-Certification.

7. U.S. law will apply to questions of interpretation and compliance with the Principles and relevant privacy policies by Privacy Shield organizations, except where such organizations have committed to cooperate with European data protection authorities (“DPAs”). Unless otherwise stated, all provisions of the Principles apply where they are relevant.

8. Definitions:
A. “Personal data” and “personal information” are data about an identified or identifiable individual that are within the scope of the Directive, received by an organization in the United States from the European Union, and recorded in any form.
B. “Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
C. “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

9. The effective date of the Principles is the date of final approval of the European Commission’s adequacy determination.

10. Provided that the Commission Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield applies to Iceland, Liechtenstein and Norway, the Privacy Shield Package will cover both the European Union, as well as these three countries. Consequently, references to the EU and its Member States shall be read as including Iceland, Liechtenstein and Norway.

3. RECOURSE, ENFORCEMENT AND LIABILITY

a. Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include:
i. readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide;
ii. follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and
iii. obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

b. Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints.

c. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I.

d. In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

e. When an organization becomes subject to an FTC or court order based on non-compliance, the organization shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions.