If you believe that the US company, association or organisation adhering to the EU-US DPF to which the data has been transferred does not comply with the principles of the EU-US data privacy framework or that your rights are not being respected by them, you have several means of recourse (in addition to filing a complaint with the CNPD against the Luxembourg or European company that transferred your data).
1. Contact the American company, association, or organisation directly
After verifying that the US company, association or organisation is on the list of entities certified under the EU-US DPF, you can contact them directly to submit your complaint. You can find the contact details of the US entity by opening the page dedicated to the entity in the list of certified US entities under the heading ‘Dispute Resolution’.
The entity is then required to respond to your complaint within 45 days of receipt.
2. Contact an independent dispute resolution body, if designated by the company
If the American company, association or organisation has indicated in the ‘Dispute resolution’ section of the list of certified entities that it is possible to appeal to an independent dispute resolution body, you can submit your complaint to that body. You will find the contact details for this body on the page dedicated to the entity in the list of certified US entities under ‘Dispute Resolution’.
The procedure for handling your complaint will then follow the rules established by these bodies.
3. Refer the matter to the competent US authority
You also have the option of contacting the relevant US authority to lodge a complaint against US companies, associations or organisations certified under the EU-US Privacy Framework. The competent authorities are the Federal Trade Commission (FTC) and, in certain cases, the US Department of Transport (DoT). The competent US authority is indicated on the page dedicated to the US entity in the list of certified US entities under the heading ‘Dispute Resolution’.
For more information on submitting your complaint, please refer to the FAQs – EU–U.S. Data Privacy Framework (EU–U.S. DPF) published on the official US website under the heading ‘How to Submit a Complaint Relating to a Participating Organization’s Compliance with the DPF Principles '.
4. Refer to a European data protection authority
You may also lodge a complaint with a European data protection authority (e.g. the CNPD).
To lodge such a complaint with the CNPD, you must first complete and submit the Data Privacy Framework complaint form against the US company, association or organisation. You must then submit the completed and signed form via the Seezam platform.
Once the CNPD has verified that your file is complete and admissible, it will be processed by the competent authorities:
- If the complaint concerns the processing of personal data in the field of human resources, or if the EU data protection authorities have been designated as an independent dispute resolution body by the entity, association or organisation certified under the EU-US DPF, the complaint will be handled by the informal panel of EU authorities.
- In other cases, the CNPD will forward the complaint to the competent US authority for processing (depending on the case: Department of Commerce’s International Trade Administration, Federal Trade Commission or US Department of Transportation).