Swiss-U.S. Privacy Shield FAQs

Swiss – U.S. Privacy Shield FAQs

1. How can an organization that is already participating in the EU-U.S. Privacy Shield self-certify to the Swiss-U.S. Privacy Shield?
   • If your organization has already self-certified to the EU-U.S. Privacy Shield Framework, the organization can log into to its Privacy Shield account and click on “self-certify”. The option will then be available to add the Swiss – U.S. Privacy Shield Framework and other relevant information to your self-certification, such as a recourse mechanism.
   • All organizations that add the Swiss – U.S. Privacy Shield Framework will be required to pay a separate annual fee to ITA in order to participate. The cost of self-certifying to the second Framework is half the cost of self-certifying to the first Framework. Information on the fee schedule is available here.
   • Please note that an organization’s recertification date for both the Swiss-U.S. and EU-U.S. Frameworks will be one year from the date the first of its two certifications was finalized. 
2. How can an organization that is not already participating in the EU-U.S. Privacy Shield self-certify to the Swiss-U.S. Privacy Shield or both frameworks?
   • To self-certify to one or both Frameworks, organizations can click on the "Self-Certify" link on this website, create a profile, and then choose whether to certify to one or both frameworks.
3. Does an organization that participated in the U.S.-Swiss Safe Harbor need to update its privacy policy before self-certifying to Privacy Shield?
   • Yes. In addition to updating the privacy policy to align with Privacy Shield requirements, an organization must remove any references to the U.S.-Swiss Safe Harbor Framework.
4. Does the Department of Commerce have sample language that can be used in an organization’s privacy policy to refer to its participation in the Privacy Shield?
   • Yes. The following language is acceptable for this purpose if an organization is participating in only the Swiss – U.S. Privacy Shield Framework:
   • (INSERT your organization name) complies with the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the Switzerland to the United States.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
   • If an organization is participating in both the EU – U.S.  and the Swiss – U.S. Privacy Shield Frameworks, the following language is acceptable:
   • (INSERT your organization name) complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
5. What are the differences between the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks?
   • The Principles under the two frameworks align, with a few exceptions, including:
   • The Swiss Federal Data Protection and Information Commissioner’s authority substitutes for that of the EU DPAs’ authority throughout the Swiss-U.S. Privacy Shield compared to the EU-U.S. Privacy Shield.  For instance, under the Swiss-U.S. Privacy Shield, an organization may satisfy points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by committing to cooperate with the Swiss Federal Data Protection and Information Commissioner. When covering HR data received from Switzerland for use in the context of the employment relationship, organizations must commit to cooperate with and comply with the advice of the Commissioner. There is no fee associated with the commitment to cooperate and comply with the Swiss Commissioner. Under the EU-U.S. Privacy Shield, the comparable commitment is to cooperate with the EU DPAs, which requires an annual fee of US $50 to cover the operating costs of the EU DPA panel.
   • The definition of sensitive data under the Choice Principle is modified slightly under the Swiss-U.S. Privacy Shield, including ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
   • At the first annual review, the Department of Commerce will work with the Swiss Government to put in place the binding arbitration option in Annex I of the Swiss-U.S. Privacy Shield Framework.