FAQ - Self-Certification

How does an organization self-certify that it adheres to the Safe Harbor Principles?

Safe Harbor benefits are assured from the date on which an organization self-certifies to the Department of Commerce (or its designee) its adherence to the Principles in accordance with the guidance set forth below.

To self-certify for the Safe Harbor, organizations can provide to the Department of Commerce (or its designee) a letter – signed by a corporate officer on behalf of the organization that is joining the Safe Harbor – that contains at least the following information:

Name of the organization, mailing address, e-mail address, telephone and fax numbers;

Description of the activities of the organization with respect to personal information received from Switzerland; and

Description of the organization’s privacy policy for such personal information, including:

  • where the privacy policy is available for viewing by the public,
  • its effective date of implementation,
  • a contact office for the handling of complaints, access requests, and any other issues arising under the Safe Harbor,
  • the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the annex to the Principles),
  • the name of any privacy programs in which the organization is a member,
  • the method of verification (e.g., in-house, third party) (see FAQ 7: Verification), and
  • the independent recourse mechanism that is available to investigate unresolved complaints.

Where the organization wishes its Safe Harbor benefits to cover human resources information transferred from Switzerland for use in the context of the employment relationship, it may do so where there is a statutory body with jurisdiction to hear claims against the organization arising out of human resources information that is listed in the annex to the Principles. In addition, the organization must indicate this in its letter and declare its commitment to cooperate with the Commissioner or authorities concerned in conformity with FAQ 9: Human Resources and FAQ 5: The Role of the Commissioner, as applicable, and that it will comply with the advice given by such authorities.

The Department (or its designee) will maintain a list of all organizations that file such letters, thereby assuring the availability of Safe Harbor benefits, and will update such list on the basis of annual letters and notifications received pursuant to FAQ 11: Dispute Resolution and Enforcement. Such self-certification letters should be provided not less than annually. Otherwise the organization will be removed from the list and Safe Harbor benefits will no longer be assured. Both the list and the self-certification letters submitted by the organizations will be made publicly available. All organizations that self-certify for the Safe Harbor must also state in their relevant published privacy policy statements that they adhere to the Safe Harbor Principles.

The undertaking to adhere to the Safe Harbor Principles is not time-limited in respect of data received during the period in which the organization enjoys the benefits of the Safe Harbor. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Safe Harbor for any reason.

An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of Commerce (or its designee) of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will: (1) continue to be bound by the Safe Harbor Principles by the operation of law governing the takeover or merger or (2) elect to self-certify its adherence to the Safe Harbor Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Safe Harbor Principles. Where neither (1) nor (2) applies, any data that has been acquired under the Safe Harbor must be promptly deleted.

An organization does not need to subject all personal information to the Safe Harbor Principles, but it must subject to the Safe Harbor Principles all personal data received from Switzerland after it joins the Safe Harbor.

Any misrepresentation to the general public concerning an organization’s adherence to the Safe Harbor Principles may be actionable by the Federal Trade Commission or other relevant government body. Misrepresentations to the Department of Commerce (or its designee) may be actionable under the False Statements Act (18 U.S.C. § 1001).