FAQ - Self-Certification

How does an organization self-certify that it adheres to the Safe Harbor Principles?

Safe Harbor benefits are assured from the date on which an organization self-certifies to the Department of Commerce (or its designee) its adherence to the Principles in accordance with the guidance set forth below.

To self-certify for the Safe Harbor, organizations can provide to the Department of Commerce (or its designee) a letter – signed by a corporate officer on behalf of the organization that is joining the Safe Harbor – that contains at least the following information:

1.  name of organization, mailing address, email address, telephone and fax numbers;

2.  description of the activities of the organization with respect to personal information received from the EU; and

3.  description of the organization's privacy policy for such personal information, including:
        a.    where the privacy policy is available for viewing by the public,
        b.    its effective date of implementation,
        c.    a contact office for the handling of complaints, access requests, and any other issues arising under the Safe Harbor,
        d.    the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the annex to the Principles),
        e.    name of any privacy programs in which the organization is a member,
        f.     method of verification (e.g. in-house, third party) (see FAQ 7: Verification), and
        g.    the independent recourse mechanism that is available to investigate unresolved complaints.

Where the organization wishes its Safe Harbor benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where there is a statutory body with jurisdiction to hear claims against the organization arising out of human resources information that is listed in the annex to the Principles. In addition the organization must indicate this in its letter and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the FAQ 9: Human Resources and the FAQ 5: The Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities.

The Department (or its designee) will maintain a list of all organizations that file such letters, thereby assuring the availability of Safe Harbor benefits, and will update such list on the basis of annual letters and notifications received pursuant to the FAQ 11: Dispute Resolution and Enforcement. Such self-certification letters should be provided not less than annually. Otherwise the organization will be removed from the list and Safe Harbor benefits will no longer be assured. Both the list and the self-certification letters submitted by the organizations will be made publicly available. All organizations that self-certify for the Safe Harbor must also state in their relevant published privacy policy statements that they adhere to the Safe Harbor Principles.

The undertaking to adhere to the Safe Harbor Principles is not time-limited in respect of data received during the period in which the organization enjoys the benefits of the Safe Harbor. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Safe Harbor for any reason.

An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of Commerce (or its designee) of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (1) continue to be bound by the Safe Harbor Principles by the operation of law governing the takeover or merger or (2) elect to self-certify its adherence to the Safe Harbor Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Safe Harbor Principles. Where neither (1) nor (2) applies, any data that has been acquired under the Safe Harbor must be promptly deleted.

An organization does not need to subject all personal information to the Safe Harbor Principles, but it must subject to the Safe Harbor Principles all personal data received from the EU after it joins the Safe Harbor.

Any misrepresentation to the general public concerning an organization's adherence to the Safe Harbor Principles may be actionable by the Federal Trade Commission or other relevant government body. Misrepresentations to the Department of Commerce (or its designee) may be actionable under the False Statements Act (18 U.S.C. § 1001).