3. Identify Your Organization's Independent Recourse Mechanism: Under the Framework's Recourse, Enforcement and Liability Principle, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual. (See Supplemental Principle 11 (Dispute Resolution and Enforcement) for more information regarding dispute resolution under Privacy Shield.)
  • Your organization must ensure that its recourse mechanism is in place prior to self-certification and must register with the relevant mechanism prior to self-certification when the mechanism requires registration. The Department of Commerce’s Privacy Shield team will work with the independent recourse mechanisms to verify such registrations prior to finalizing organizations’ self-certifications. In addition, your organization must include in its privacy policy a reference to, as well as relevant contact information for, the independent recourse mechanism, as noted in section 2 above.
  • Organizations self-certifying under Privacy Shield may utilize private sector dispute resolution programs. Organizations like the BBB National Programs (BBB NP), TRUSTe, the American Arbitration Association (AAA), JAMS, and the ANA have developed programs that assist in compliance with the Framework's Recourse, Enforcement and Liability Principle and Supplemental Principle 11 (Dispute Resolution and Enforcement).
  • Alternatively, organizations may choose to cooperate and comply with the EU data protection authorities (DPAs) under the EU-U.S. Privacy Shield Framework or with the Swiss Federal Data Protection and Information Commissioner under the Swiss-U.S. Privacy Shield Framework with respect to all types of data. In doing so, an organization must follow the procedures outlined in Supplemental Principle 5 (The Role of Data Protection Authorities).
  • If your organization's self-certification will cover human resources data (personal information about your organization's own employees, past or present, collected in the context of the employment relationship), then your organization must agree to cooperate and comply with the EU DPAs under the EU-U.S. Privacy Shield Framework or with the Swiss Federal Data Protection and Information Commissioner under the Swiss-U.S. Privacy Shield Framework with respect to such data. Additional guidance on the handling of human resources data under the Framework is provided in Supplemental Principle 9 (Human Resources Data).
  • Organizations that either choose to utilize the EU DPAs with regard to all data or must utilize the EU DPAs with regard to HR data are required to pay an annual fee of US $50 in order to cover the operating costs of the EU DPA panel. This fee is payable to the United States Council for International Business (USCIB), which has agreed to act as trusted third party for this purpose. The fee can be paid online here. No fee is required with respect to the Swiss Data Protection and Information Commissioner. 

4. Pay the Required Fee to ICDR-AAA for the Annex I Binding Arbitration Mechanism: As described in Annex I of the EU-U.S. Privacy Shield Framework and Annex I of the Swiss-U.S. Privacy Shield Framework, the Privacy Shield frameworks respectively provide the option for an EU and a Swiss individual to invoke binding arbitration to determine whether a Privacy Shield organization has violated its obligations under the Principles as to that individual and whether any such violation remains fully or partially unremedied (“residual claims”). In Annex I, the Department of Commerce committed to facilitating the establishment of a fund into which Privacy Shield organizations will be required to pay contributions to cover the arbitral costs, including arbitrator fees, up to maximum amounts, in consultation with the European Commission and the Swiss Administration. The International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) was selected to administer these arbitrations and manage this fund. Please visit ICDR-AAA’s website at http://go.adr.org/privacyshieldfund.html to pay the required fee.

5. Ensure that Your Organization's Verification Mechanism is in Place: As discussed in Supplemental Principle 7 (Verification), organizations self-certifying to the Framework are required to have procedures in place for verifying compliance. To meet this requirement, your organization may use either a self-assessment or an outside/third-party assessment program. For additional guidance on the Framework's verification requirement, please see Supplemental Principle 7.

6. Designate a Contact within Your Organization Regarding Privacy Shield: Each organization is required to provide a contact for the handling of questions, complaints, access requests, and any other issues arising under the Privacy Shield. This contact can be either the corporate officer that is certifying your organization's compliance with the Framework, or another official within your organization, such as a Chief Privacy Officer. Under the Privacy Shield, organizations must respond to individuals within 45 days of receiving a complaint.

7. Review the Information Required to Self-Certify: Prior to submitting a self-certification, your organization should review and compile the information required as part of the Department of Commerce's online self-certification process (see required self-certification information).

8. Submit Your Organization's Self-Certification to the Department of Commerce: Click on the "Self-Certify" link on this website to create a profile and submit your organization's self-certification. Submission of your certification will also require payment of a certification fee. The certification fee is part of the International Trade Administration's cost recovery program to support the operation of the Privacy Shield Program (see online submission process guide).