- Safe Harbor Home
- U.S.-EU Safe Harbor Home
- U.S.-EU Safe Harbor List
- U.S.-EU Safe Harbor Overview
- U.S.-EU Safe Harbor Documents
- U.S.-EU Safe Harbor Certification Checklist
- U.S.-EU Safe Guide to Self-Certification
- Certification Workbook
- Safe Harbor Login/Certification Form
- U.S.-EU Safe Harbor Framework Certification Mark Instructions
- Annual Reaffirmation
- News & Events
- Contact Safe Harbor
Helpful Hints on Self-Certifying Compliance with the U.S.-EU Safe Harbor Framework
Prior to submitting your organization's self-certification to the Department of Commerce, we recommend that you follow these helpful hints. These should be read in conjunction with the complete set of U.S.-EU Safe Harbor Framework Documents and the Safe Harbor Workbook . Following these helpful hints will help to ensure that your organization is meeting the requirements for self-certification, as set forth in FAQ 6.
Confirm that Your Organization is Subject to the Jurisdiction of the U.S. Federal Trade Commission or the U.S. Department of Transportation: Any U.S. organization that is subject to the jurisdiction of the Federal Trade Commission (FTC) or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DoT) may participate in the Safe Harbor. The FTC and DoT have both stated in letters to the European Commission (located with the Framework documents under Letters G and H) that they will take enforcement action against organizations that state that they are in compliance with the Framework, but then fail to live up to their statements. If you are uncertain as to whether your organization falls under the jurisdiction of either the FTC or DoT, then please be sure to contact those agencies for more information.
Develop a Safe Harbor Compliant Privacy Policy Statement: Remember to develop a Safe Harbor compliant privacy policy before submitting your organization’s self-certification to the Department of Commerce.
- Make Sure that Your Privacy Policy Conforms to the U.S.-EU Safe Harbor Privacy Principles: In order for a privacy policy to be compliant with the Framework, the privacy policy must conform to the Safe Harbor Privacy Principles, as well as any relevant points covered in the Frequently Asked Questions (FAQs), which are located with the other Framework documents. In addition, the privacy policy should reflect your organization’s actual and anticipated information handling practices. It is also important to write a policy that is clear, concise, and easy to understand.
- Make Specific Reference in the Text of Your Privacy Policy to Your Organization's Safe Harbor Compliance: FAQ 6 requires each organization that self-certifies to state in its applicable published privacy policy that it complies with the U.S.-EU Safe Harbor Framework and that it has certified its adherence to the Safe Harbor Privacy Principles. In addition, each organization should include either a hyperlink to the Safe Harbor website or the corresponding URL (e.g. http://export.gov/safeharbor/).
- Provide an Accurate Privacy Policy Location and Make Sure that Your Privacy Policy is Publicly* Available: At the time of self-certification, each organization must provide an accurate location for its applicable privacy policy. In addition, each organization should verify that its privacy policy is effective prior to self-certification. If your organization decides to post your privacy policy on an Internet or Intranet site, it must provide an accurate URL. Unless your privacy policy exclusively covers your own organization’s human resources data – in which case it need only be made available to your organization’s employees and as part of the Safe Harbor review process – the privacy policy must be made readily available either on your organization’s public website or as a copy uploaded to your organization’s Safe Harbor submission. If the privacy policy exclusively covers your own organization’s human resources data and is listed as being located at corporate headquarters or on the corporate Intranet or is otherwise inaccessible to the general public via your organization’s public website, then your organization must provide the Department of Commerce with a copy of the policy so that it can be reviewed. If a copy of such a policy is provided for the reason just described, then please clarify whether or not your organization would object to having the copy uploaded to your organization’s Safe Harbor submission.
Establish Your Organization's Independent Recourse Mechanism: Under the Framework’s Enforcement Principle, organizations self-certifying must establish an independent recourse mechanism available to investigate unresolved complaints. (See FAQ 11 for more information regarding dispute resolution under Safe Harbor). Each organization must ensure that its recourse mechanism is in place prior to self-certification. In addition, each organization should include in its privacy policy an appropriate reference to the independent recourse mechanism(s), as well as relevant contact information for said mechanism(s).
- In most cases, organizations self-certifying to Safe Harbor may choose to utilize private sector dispute resolution programs. While programs vary, organizations like BBB EU Safe Harbor Program, TRUSTe, Direct Marketing Association, the Entertainment Software Rating Board, JAMS and the American Arbitration Association have developed programs that assist in compliance with the Framework's Enforcement Principle and FAQ 11.
- Alternatively, organizations may choose to cooperate and comply with the EU data protection authorities (DPAs) with respect to all types of data. In doing so, an organization must follow the procedures outlined in FAQ 5.
- If organization human resources data (i.e. personal information about your organization's own employees, past or present, collected in the context of the employment relationship) is being covered in your organization's self-certification, then your organization must agree to cooperate and comply with the EU DPAs with respect to such data. Additional guidance on the handling of human resources data under the Framework is provided in FAQ 9.
- Organizations that either choose to or must utilize the EU DPAs are required to pay an annual fee of US $50 in order to cover the operating costs of the EU DPAs' panel. This fee is payable to the United States Council for International Business (c/o Mr. Paul Cronin, U.S. Council for International Business (USCIB); 1212 Avenue of the Americas; New York, NY 10036), which has agreed to act as trusted third party for this purpose. If your organization requires further information on how to carry out the payment, please contact Mr. Cronin, USCIB, at: 212-703-5088, or pcronin@uscib.org. If your organization requires further information on how the cooperation / compliance with the EU DPAs works, your organization may contact the DPAs directly (see http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm).
Ensure that Your Organization's Verification Mechanism is in Place: As discussed in FAQ 7, organizations self-certifying to the Framework are required to have procedures in place for verifying compliance. To meet this requirement, an organization may use either a self-assessment or an outside/third-party assessment program. For additional guidance on the Framework's verification requirement, please see FAQ 7.
Designate a Contact within Your Organization Regarding Safe Harbor: Each organization is required to provide a contact for the handling of questions, complaints, access requests, and any other issues arising under the Safe Harbor. This contact can be either the corporate officer that is certifying your organization's compliance with the Framework, or another official within your organization, such as a Chief Privacy Officer.
We hope that these hints prove helpful as your organizations works to achieve compliance with the Framework. Further questions regarding the Safe Harbor self-certification process or compliance with the EU data protection requirements may be directed to:
Safe Harbor Team Inbox
E-mail: safe.harbor@trade.gov
David Ritchie
U.S. Department of Commerce
International Trade Administration
Telephone: (202) 482-4936
E-mail: david.ritchie@trade.gov
Christopher Hoff
U.S. Department of Commerce
International Trade Administration
Telephone: (202) 482-3120
E-mail: christopher.hoff@trade.gov
Mailing Address:
U.S. Department of Commerce
Safe Harbor Frameworks
1401 Constitution Avenue, N.W.
Room 20007
Washington, D. C. 20230
