Prior to submitting your organization's self-certification to the Department of Commerce, we recommend that you follow these helpful hints. These should be read in conjunction with the complete set of U.S.-EU Safe Harbor Framework Documents and the Safe Harbor Workbook . Following these helpful hints will help to ensure that your organization is meeting the requirements for self-certification, as set forth in FAQ 6.
Confirm that Your Organization is Subject to the Jurisdiction of the U.S. Federal Trade Commission or the U.S. Department of Transportation: Any U.S. organization that is subject to the jurisdiction of the Federal Trade Commission (FTC) or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DOT) may participate in the Safe Harbor. The FTC and DOT have both stated in letters to the European Commission (located with the Framework documents under Letters G and H) that they will take enforcement action against organizations that state that they are in compliance with the Framework, but then fail to live up to their statements. If you are uncertain as to whether your organization falls under the jurisdiction of either the FTC or DOT, then please be sure to contact those agencies for more information.
- In most cases, organizations self-certifying under Safe Harbor may choose to utilize private sector dispute resolution programs. Organizations like the Council of Better Business Bureaus (BBB), TRUSTe, the American Arbitration Association (AAA), JAMS, and the Direct Marketing Association (DMA) have developed programs that assist in compliance with the Framework's Enforcement Principle and FAQ 11.
- Alternatively, organizations may choose to cooperate and comply with the EU data protection authorities (DPAs) with respect to all types of data. In doing so, an organization must follow the procedures outlined in FAQ 5.
- If organization human resources data (i.e. personal information about your organization's own employees, past or present, collected in the context of the employment relationship) is being covered in your organization's self-certification, then your organization must agree to cooperate and comply with the EU DPAs with respect to such data. Additional guidance on the handling of human resources data under the Framework is provided in FAQ 9.
- Organizations that either choose to or must utilize the EU DPAs are required to pay an annual fee of US $50 in order to cover the operating costs of the EU DPAs' panel. This fee is payable to the United States Council for International Business (U.S. Council for International Business c/o Safe Harbor – EU DPAs; 1212 Avenue of the Americas, 21st Floor; New York, NY 10036), which has agreed to act as trusted third party for this purpose. If you require further information on how to carry out the payment, please see: http://uscib.org/index.asp?documentID=4495.
- If your organization requires further information on how the cooperation / compliance with the EU DPAs works, your organization may refer to the resources concerning the EU DPA panel (e.g., the Standard Complaint Form and Internal Operating Procedures) that are available on the European Commission’s website, contact the panel secretariat at: firstname.lastname@example.org, and/or contact the DPAs directly (see http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm).
Ensure that Your Organization's Verification Mechanism is in Place: As discussed in FAQ 7, organizations self-certifying to the Framework are required to have procedures in place for verifying compliance. To meet this requirement, an organization may use either a self-assessment or an outside/third-party assessment program. For additional guidance on the Framework's verification requirement, please see FAQ 7.
Designate a Contact within Your Organization Regarding Safe Harbor: Each organization is required to provide a contact for the handling of questions, complaints, access requests, and any other issues arising under the Safe Harbor. This contact can be either the corporate officer that is certifying your organization's compliance with the Framework, or another official within your organization, such as a Chief Privacy Officer.
We hope that these hints prove helpful as your organization works to achieve compliance with the Framework. Further questions regarding the Safe Harbor self-certification process or compliance with the EU data protection requirements may be directed to the International Trade Administration (ITA)’s Safe Harbor Team.
- Questions should be directed, whenever possible, via e-mail to email@example.com, so that any member of the Safe Harbor Team could respond (i.e., due to the volume of phone calls received by the Safe Harbor Team, it is often more expedient to correspond via e-mail).
- Phone calls concerning either Safe Harbor Framework should be directed to:
Tel.: (202) 482-4936
Tel.: (202) 482-0142
Tel.: (202) 482-6435
U.S. Department of Commerce
U.S.-EU & U.S.-Swiss Safe Harbor Programs
1401 Constitution Avenue, N.W.
Washington, D. C. 20230