Recertification: Annual Reaffirmation of an Organization’s Commitment to the Safe Harbor Framework(s)

Safe Harbor FAQ 6 states, in part, that:

“The Department (or its designee) will maintain a list of all organizations that file such [self-certification] letters, thereby assuring the availability of safe harbor benefits, and will update such list on the basis of annual letters and notifications received pursuant to FAQ 11. Such self-certification letters should be provided not less than annually.” (Emphasis Added)

An organization may meet the aforementioned requirement by updating, where appropriate, and reaffirming its existing self-certification. An organization’s submission must be made on or before the anniversary of the day on which the organization’s original self-certification was finalized.

An organization will be provided with a reasonable grace period in which to reaffirm its commitment to the Safe Harbor Framework(s); however, if an organization does not reaffirm by the end of this period, its “Certification Status” will change from “Current” to “Not Current”. An organization’s certification status is reflected on the lists that appear on the Safe Harbor website.

An organization may reaffirm its commitment via the Safe Harbor website, as well as via e-mail or letter. An authorized corporate officer must reaffirm the four reaffirmation points listed below. We strongly recommend that an organization reaffirm via the Safe Harbor website, as this option is the one best equipped to process submissions in a timely and accurate manner. Please note that the four reaffirmation points will appear on a designated web page when an organization reaffirms on-line via the Safe Harbor website.

  • The information previously submitted to the Department of Commerce for purposes of self-certification is still correct and accurate;
  • The officer is authorized to certify the organization's continued adherence to the safe harbor framework;
  • The officer understands that misrepresentations in any information provided by the organization may be actionable under the False Statements Act, 18 U.S.C. ' 1001; and
  • As a consequence of this annual self-certification, failure to adhere to the Safe Harbor framework may lead to enforcement action by the relevant enforcement authority.

For all reaffirmations due on or after April 1, 2009, an organization must remit payment of a nonrefundable $100.00 recertification processing fee. The recertification processing fee is payable annually on or before the anniversary of the original certification. Payment may be made by check or online by credit card. The processing fee is used to defray the costs associated with administering the Safe Harbor program.

Reaffirming via the Safe Harbor Website:

1. Go to the Safe Harbor website homepage: http://export.gov/safeharbor/

2. Click on the Safe Harbor Login / Certification Form link (https://safeharbor.export.gov/login.aspx) located under Safe Harbor on the left navigation bar. A login window will open prompting you to enter the organization’s username and password. Enter the organization’s username and password and then click on the Submit button.

Note: If you remember the username, but not the password, please use the password reset tool available on the login web page. If you cannot remember the username, please contact us and we will attempt to retrieve it. Please do not attempt to register a new username. If we are unable to retrieve the username, we will reset both it and the password and send the new ones to the relevant point of contact within the organization.

3. The next page to open will present three choices: a) Update Profile; b) Change Password; and c) Reaffirm Safe Harbor Application. Click on the Reaffirm Safe Harbor Application link.

Note: Choice (c) should only appear as Reaffirm Safe Harbor Application when the organization is due to reaffirm its commitment (n.b. a period that typically begins one month before the anniversary of the organization’s original self-certification), otherwise it will appear as Update Safe Harbor Application.

4. The next page to open will be the organization’s self-certification record. Review the information contained therein, update as needed, and then click on the Continue button at the bottom of the page.

5. The next page to open will be the reaffirmation page. An authorized corporate officer must read each of the four reaffirmation points, indicate compliance by ticking each of the corresponding boxes, and then click on the Continue button.

6. The next page to open will be the payment page.

  • If the organization chooses to pay by credit card, tick the relevant box, enter the required information, and then click on the Submit button. An electronic receipt will appear, which the organization should print for its own records, and we will begin the review.
  • If the organization chooses to pay by check, tick the relevant box and we will be notified that a check is pending. When we receive confirmation from the organization that the check is being sent in accordance with the instructions, we will begin the review. Unless we are provided with an electronic copy of the check via e-mail (e.g. PDF attachment) before the check itself arrives, the review will begin when the check does arrive.

Note: If the organization receives organization human resources data (i.e. personal information about the organization's own employees, past or present, collected in the context of the employment relationship) from the European Union (EU), then it must select the EU data protection authorities (DPAs) to serve as an independent recourse mechanism for dispute resolution. If the organization has chosen the EU DPAs for dispute resolution, regardless of whether the organization receives organization human resources data, then the organization must pay an annual fee of US $50 to cover the operating costs of the EU DPAs' dispute resolution panel.

  • The relevant fee is payable to the United States Council for International Business (c/o Mr. Paul Cronin, U.S. Council for International Business (USCIB); 1212 Avenue of the Americas; New York, NY 10036), which has agreed to act as trusted third party for this purpose.
  • If you require further information on how to carry out the payment, please contact Mr. Cronin, USCIB, at: 212-703-5088, or pcronin@uscib.org.
  • If you require further information on how the cooperation / compliance with the EU DPAs works, you may contact the DPAs directly (see http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm).

Special Note Regarding the U.S.-Swiss Safe Harbor Framework:

  • The form used for self-certifying compliance with the U.S.-EU Safe Harbor Framework is the same one used for self-certifying compliance with the U.S.-Swiss Safe Harbor Framework; therefore, an organization may reaffirm to one or both of the Safe Harbor Frameworks when reaffirming via the Safe Harbor website.
  • When an organization selects “Switzerland” as a country from which it receives personal data (i.e. whether it specifically ticked the box in its record corresponding to “Switzerland” or used the “All” function), it is indicating that it complies with the U.S.-Swiss Safe Harbor Framework.
  • If an organization intends for its self-certification to cover personal data from Switzerland, then it must meet the requirements of the U.S.-Swiss Safe Harbor Framework, including making specific reference in its privacy policy to that Safe Harbor Framework and its compliance with that Safe Harbor Framework (i.e. it is not sufficient to simply refer to the “Safe Harbor Framework” or the “U.S.-EU Safe Harbor Framework”, as there are two separate, albeit similar, Safe Harbor Frameworks).

Special Note Regarding Renewal Notices:

  • One month prior to an organization's anniversary date, we will send an automated e-mail renewal notice with instructions on how to reaffirm the organization’s commitment to Safe Harbor.
  • Many organizations use spam blockers or filters. To ensure that the organization receives its renewal notice promptly, we ask that the organization add the following e-mail address to its address book: safe.harbor@trade.gov
  • The renewal notice will be sent to the e-mail address that appears in the “Organization Contact” section of the organization’s Safe Harbor List record. To ensure that the organization receives its renewal notice, we ask that the organization update its record whenever the contact e-mail address changes.

Special Note Regarding Lapsed Certification Status:

  • As stated previously, if an organization does not complete the recertification process in a timely manner (i.e. on or before the anniversary of its original certification, or within a reasonable period thereafter), its “Certification Status” will lapse; that is, it will change from “Current” to “Not Current”.
  • If and when an organization is designated as “Not Current”, an e-mail message will be sent to the listed Organization Contact. The standard message will not only identify several possible reasons why the designation was made, but also how the organization can restore its certification status to “Current”.
  • The principal reasons why an organization might be designated as “Not Current” include the following: (1) it has neither reaffirmed nor remitted payment of the recertification processing fee; (2) it has reaffirmed and indicated that it would remit payment of the recertification processing fee by check, but no check has been received; or (3) it has both reaffirmed and remitted payment of the recertification processing fee, but has yet to resolve issue(s) (e.g. deficiencies in its privacy policy and/or selection of independent recourse mechanism(s), etc.) about which it has been contacted.