This article will attempt to answer some of the frequently asked questions relating to the U.S. Department of Commerce’s Privacy Shield self-certification process.
The Department of Commerce (the “Department”) maintains a list (known as the “Privacy Shield List”) of organizations that have completed a Privacy Shield self-certification submission. The Privacy Shield List, which is publicly available, assures organizations around the world that, by transmitting data to a member of the Privacy Shield List, they will be able to rely on the Privacy Shield as a lawful basis for transmitting data to the Privacy Shield participant under EU data protection laws. An organization’s failure to submit its annual self-recertification will result in the organization’s removal from the Privacy Shield List. Organizations can also choose to withdraw voluntarily from the Privacy Shield program. If an organization is removed from the Privacy Shield List, it must immediately remove all references to the Privacy Shield from its privacy policies.
How do you Self-Certify to the Privacy Shield Program?
VeraSafe provides a complete solution that combines compliance review, guidance to resolve compliance gaps, and hands-on support with all of the certification formalities. If you’re interested in going it alone, check out the Department’s guidance on “How to Join Privacy Shield.” The guidance is available in two parts, Part 1: https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-1 and Part 2: https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-2.
Please note that organizations must promptly respond to inquiries from the Department in relation to their self-certification. Failure to respond or to complete the self-certification within the timeframes designated by the Department will result in the application being considered abandoned.
How Soon Can an Organization Reference Privacy Shield Participation in its Published Privacy Policies When Self-Certifying for the First Time?
How do you Re-Certify to the Privacy Shield Annually?
Organizations participating in the Privacy Shield must re-certify their compliance and complete the re-certification formalities with the U.S. Department of Commerce annually. VeraSafe assists our clients with this process by scheduling re-assessments to begin in a timely manner and by keeping clients informed about their re-certification obligations.
For the DIY audience, information on the re-certification process can be found on the Department’s website located at: https://www.privacyshield.gov/article?id=How-to-Re-certify-to-Privacy-Shield
What If an Organization Has Not Submitted Its Re-Certification and Has Been Removed from the Privacy Shield List?
Organizations that have not submitted their re-certification and have been removed from the Privacy Shield List must first contact the Department’s Privacy Shield team at email@example.com before they attempt to log in via the Privacy Shield website (https://www.privacyshield.gov/welcome) to make the re-certification submission. The Department’s Privacy Shield team will then review the organization’s re-certification submission and will notify the organization if there are any issues related to its submission. Any issues identified must be resolved before the organization’s re-certification can be finalized.
The organization must also complete a questionnaire to verify whether the organization wishes to re-certify or withdraw from the Privacy Shield List. If an organization wishes to withdraw from the Privacy Shield List, it must state whether it will return, delete, or continue to apply the Privacy Shield Principles to the personal information that it received under the Privacy Shield. A copy of the questionnaire is available here and must be completed and returned as an email attachment to the Department at the following email address: firstname.lastname@example.org. Please note that the questionnaire must be filled out electronically. Therefore, responses should be made directly within the form and not handwritten.
How Can VeraSafe Assist Your Organization with Self-Certification?
VeraSafe offers a complete compliance program for your organization’s Privacy Shield certification. Our all-in-one solution provides all the necessary tools to assist you with complying with the Privacy Shield’s complex requirements, including expert advice, compliance assessment, mitigation consulting, training, penetration testing, and more.