How to Join Privacy Shield (part 1)
Guide to Self-Certification
The decision by a U.S.-based organization to join the Privacy Shield program is entirely voluntary. However, once an eligible organization publicly commits to comply with the Privacy Shield Principles through self-certification, that commitment is enforceable under U.S. law by the relevant enforcement authority, either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT).
To be assured of Privacy Shield benefits, an organization must self-certify annually to the Department of Commerce (via this website) that it agrees to adhere to the Privacy Shield Principles, a detailed set of requirements based on privacy principles such as notice, choice, access, and accountability for onward transfer. A brief guide to the self-certification process, including steps that the organization must take prior to self-certification, is provided below.
Please note that given the substantive requirements of the EU-U.S. and Swiss-U.S. Privacy Shield are the same, links within descriptive text throughout this website are to the relevant Principle(s) in the EU-U.S. Privacy Shield Framework. Where references are made to the EU or EU DPAs, organizations should understand that the Swiss Framework instead references Switzerland and the Swiss Data Protection and Information Commissioner. The full text of the Swiss-U.S. Privacy Shield Framework is available here.
This guide should be read in conjunction with the complete set of Privacy Shield Principles, which includes 16 Supplemental Principles. Following these steps will help to ensure that your organization is meeting the requirements for self-certification, as set forth in Supplemental Principle 6 (Self-Certification).
1. Confirm Your Organization's Eligibility to Participate in the Privacy Shield: Only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) are eligible to participate in Privacy Shield. To self-certify for Privacy Shield, an eligible U.S. organization must provide to the Department of Commerce a self-certification submission containing the organization’s mailing address, which should be a valid U.S. mailing address. The FTC and DOT have both committed (See FTC letter or DOT letter for reference) that they will enforce the Privacy Shield Framework.
- Generally, the FTC's jurisdiction covers acts or practices in or affecting commerce by any "person, partnership, or corporation." The FTC does not have jurisdiction over most depository institutions (banks, federal credit unions, and savings & loan institutions), telecommunications and interstate transportation common carrier activities, air carriers, labor associations, most non-profit organizations, and most packer and stockyard activities. In addition, the FTC's jurisdiction with regard to insurance activities is limited to certain circumstances. Note that to be transferred in reliance on the Privacy Shield, personal data must be processed in connection with an activity that is subject to the jurisdiction of at least one appropriate statutory body listed in the Framework. The DOT has exclusive jurisdiction over U.S. and foreign air carriers. The DOT and the FTC share jurisdiction over ticket agents that market air transportation. If you are uncertain as to whether your organization falls under the jurisdiction of either the FTC or DOT, then please be sure to contact the Privacy Shield Team at the Department of Commerce for more information.
2. Develop a Privacy Shield-Compliant Privacy Policy Statement (see Privacy Policy FAQs for additional information): Your organization must develop a Privacy Shield-compliant privacy policy before submitting its self-certification to the Department of Commerce.
- Ensure that Your Organization's Privacy Policy Conforms to the Privacy Shield Principles: In order to be compliant with the Privacy Shield Framework, the privacy policy must conform to the Privacy Shield Principles. Among other things, the privacy policy should reflect your organization's information handling practices and the choices your organization offers individuals with respect to the use and disclosure of their personal information. The Notice Principle provides a useful checklist of many of the required elements. It is important to write a policy that is clear, concise, and easy to understand.
- Make Specific Reference in the Privacy Policy to Your Organization's Privacy Shield Compliance: Supplemental Principle 6 (Self-Certification) requires each organization that self-certifies to state in its relevant published privacy policy that it adheres to the Privacy Shield Principles. In addition, the privacy policy must include a hyperlink to the Privacy Shield website (https://www.privacyshield.gov/). Please note that an organization self-certifying for the first time may not claim Privacy Shield participation in its published privacy policy until the Privacy Shield team notifies the organization that its submission is complete. (See Privacy Policy FAQs for specific guidance on when an organization’s privacy policy should be updated to claim Privacy Shield participation.)
- Identify in the Privacy Policy Your Organization's Independent Recourse Mechanism (see section 3 for additional information): If your organization's privacy policy is available online, it must include a hyperlink to the website of the independent recourse mechanism that is available to investigate unresolved complaints regarding your organization's compliance with the Privacy Shield or to the independent recourse mechanism's complaint submission form.
- Provide an Accurate Location for Your Organization's Privacy Policy and Make Sure that it is Publicly* Available: At the time of self-certification, your organization must provide accurate information about the location of its applicable privacy policy or policies. If your organization is covering HR and non-HR data, it must indicate the location of the applicable policy or policies for each type of data covered under your organization’s self-certification. If your organization has a public website, it must provide the web address where the privacy policy is available; if your organization does not have a public website, you must provide an address where the privacy policy is available for viewing by the public. In addition, your organization should verify that its privacy policy is effective prior to self-certification. See Supplemental Principle 7 (Verification).
* If your organization's self-certification relates to human resources data, then the privacy policy covering such data need only be made available to your organization's employees and as part of the Privacy Shield review process. In such instances, your organization may either (1) provide the public web address where the privacy policy is available or (2) specify where the privacy policy is available for viewing by your affected employees and upload a copy to your organization's Privacy Shield submission so that it may be reviewed by the Department of Commerce's Privacy Shield team. See Supplemental Principle 6(c) (Self-Certification) for more information.
Continue reading steps 3-7 of the Guide to Self-Certification