Swiss-U.S. Privacy Shield FAQs


  1. When can an organization self-certify to the Swiss-U.S. Privacy Shield?
    • Starting April 12, 2017, organizations can self-certify to the Swiss – U.S. Privacy Shield Framework.
  2. How can an organization that is already participating in the EU-U.S. Privacy Shield self-certify to the Swiss-U.S. Privacy Shield?
    • If your organization has already self-certified to the EU-U.S. Privacy Shield Framework, beginning on April 12, 2017, the organization can log in to its Privacy Shield account and click on “self-certify”. The option will then be available to add the Swiss – U.S. Privacy Shield Framework and other relevant information to your self-certification, such as a recourse mechanism.
    • All organizations that add the Swiss – U.S. Privacy Shield Framework will be required to pay a separate annual fee to ITA in order to participate. The Swiss – U.S. Privacy Shield fee will be tiered based on the organization’s annual revenue. Additional information on the fee structure will be provided here soon.
    • Please note that an organization’s recertification date for both the Swiss-U.S. and EU-U.S. Frameworks will be one year from the date the first of its two certifications was finalized. 
  3. How can an organization that is not already participating in the EU-U.S. Privacy Shield self-certify to the Swiss-U.S. Privacy Shield or both frameworks?
    • To self-certify to one or both Frameworks, organizations can click on the "Self-Certify" link on this website, create a profile, and then choose whether to certify to one or both frameworks.
  4. Does an organization that participated in the U.S.-Swiss Safe Harbor need to update its privacy policy before self-certifying to Privacy Shield?
    • Yes. In addition to updating the privacy policy to align with Privacy Shield requirements, an organization must remove any references to the U.S.-Swiss Safe Harbor Framework.
    • An organization that joins the Swiss – U.S. Privacy Shield Framework will be withdrawn from the Swiss – U.S. Safe Harbor Framework. Upon finalizing an organization's certification to the Privacy Shield, the Privacy Shield team will also adjust the organization's Safe Harbor record so that the "certified through" date displayed in the record reflects the date of certification to the Privacy Shield.
  5. Does the Department of Commerce have sample language that can be used in an organization’s privacy policy to refer to its participation in the Privacy Shield?
    • Yes. The following language is acceptable for this purpose if an organization is participating in only the Swiss – U.S. Privacy Shield Framework:
    • (INSERT your organization name) complies with the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from Switzerland to the United States.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
    • If an organization is participating in both the EU – U.S.  and the Swiss – U.S. Privacy Shield Frameworks, the following language is acceptable:
    • (INSERT your organization name) complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
  6. What are the differences between the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks?
    • The Principles under the two frameworks include the same requirements, with the only exceptions being:
    • The Swiss Federal Data Protection and Information Commissioner’s authority substitutes for that of the EU DPAs’ authority throughout the Swiss-U.S. Privacy Shield compared to the EU-U.S. Privacy Shield.  For instance, under the Swiss-U.S. Privacy Shield, an organization may satisfy points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by committing to cooperate with the Swiss Federal Data Protection and Information Commissioner. When covering HR data received from Switzerland for use in the context of the employment relationship, organizations must commit to cooperate with and comply with the advice of the Commissioner. Under the EU-U.S. Privacy Shield, the comparable commitment is to cooperate with the EU DPAs.
    • The definition of sensitive data under the Choice Principle is modified slightly under the Swiss-U.S. Privacy Shield, including ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
    • At the first annual review, the Department of Commerce will work with the Swiss Government to put in place the binding arbitration option in Annex I of the Swiss-U.S. Privacy Shield Framework.
