The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) are administered collectively as the Data Privacy Framework (DPF) Program by the U.S. Department of Commerce’s International Trade Administration. Successfully self-certifying to these frameworks can be a daunting and confusing process to navigate on your own. This guide aims to address common questions and practical considerations for organizations interested in leveraging the DPF for data transfers from the European Economic Area to the U.S.
Frequently Asked Questions:
What is the Data Privacy Framework?
How does my organization certify under the Data Privacy Framework?
What are the costs associated with DPF self-certification?
My organization has an active Privacy Shield certification. What do I need to do?
Is there a DPF fee for existing Privacy Shield participants?
Will my annual recertification due date change?
Does DPF self-certification mean my business is compliant under the GDPR?
Do I still need to use Standard Contractual Clauses (SCCs)?
Do I still need to sign Data Processing Agreements with my clients or vendors?
Do I need to update client or vendor contracts with language about the DPF?
Can I transfer key-coded patient data from clinical sites in the EU using the DPF?
Can VeraSafe help my organization with DPF self-certification?
Are VeraSafe’s certification and assurance programs aligned with the DPF?
Has VeraSafe itself obtained DPF certification?
What is the Data Privacy Framework?
We address this question in more detail in our blog post Decoding the EU-U.S. Data Privacy Framework.
How does my organization certify under the Data Privacy Framework?
The framework functions on a self-certification basis, meaning that each organization must fill out and submit an online application and declare its compliance with the DPF Principles. A regulatory or governmental body does not review the substantive merits of applications or verify that the applicants comply with the DPF Principles. It is the responsibility of each participating organization to ensure that it complies with the DPF Principles, and its failure to do so is enforceable by the U.S. Federal Trade Commission and potentially other law enforcement agencies of the U.S. Federal Government.
To join the DPF, an organization must first verify whether it complies with the DPF Principles in order to make a compliance declaration. Verification can be achieved through a self-assessment or an outside compliance review. VeraSafe offers comprehensive support for either of these paths to certification:
- Outside Compliance Review: VeraSafe can perform an objective, third-party review of your organization’s adherence to the DPF Principles. We will confirm that your privacy practices align with the Principles and issue the required third-party attestation that an outside compliance review was successfully completed.
- Self-Assessment Assistance: If you opt for self-assessment, VeraSafe can guide and support you in ensuring your review is thorough, accurate, and fulfills the DPF verification requirements.
In either case, our goal is to simplify the certification process and streamline compliance with the DPF for your organization. In addition, we can provide assistance in completing the self-certification application itself.
What are the costs associated with DPF self-certification?
To sustain the administration and supervision of the DPF program, participating organizations are required to pay an annual fee to the U.S. Department of Commerce’s International Trade Administration (ITA). The fee starts at $250 USD per year and is tiered based on your organization’s annual revenue and the number of frameworks you wish to certify under.
In addition, all DPF participants must appoint an independent DPF dispute resolution service provider. The fee for VeraSafe’s dispute resolution program starts at $750 USD per year and is tiered based on your organization’s annual revenue.
If you choose to have your own corporate group’s human resources data covered by your DPF certification, you will be required to cooperate and comply with the dispute resolution panel established by the European data protection authorities regarding such data in the investigation and resolution of complaints brought under the DPF Principles. In such an event, you will be required to pay an annual fee of $50 USD to cover the operating costs of the panel. No such fee is required with regard to the UK or Swiss data protection authorities.
Organizations certifying for the first time (rather than those carrying over their existing Privacy Shield certification) are also required to make a one-time contribution to an arbitral fund, which is maintained to cover arbitral costs, such as arbitrator fees. The amount that a participating organization is required to pay will be calculated in accordance with a tiered structure. The International Centre for Dispute Resolution-American Arbitration Association has been appointed to administer arbitrations and manage the arbitral fund. These arbitrations can be invoked by individuals to determine whether a participating organization has violated its obligations under the DPF Principles as to that individual and whether the violation remains fully or partially unremedied.
My organization has an active Privacy Shield certification. What do I need to do?
If your organization has an active certification under the existing Privacy Shield Frameworks (EU-U.S., Swiss-U.S., or both), you do not need to reapply under the new Data Privacy Framework (DPF). This means that your U.S. organization can receive personal data from the EEA in reliance on the DPF based on the recent EU Commission adequacy decision.
In addition, organizations can now self-certify to the UK Extension to the EU-U.S. DPF and can rely on it for transfers from the UK starting October 12, 2023, when the relevant regulations take effect. In order to certify for the UK Extension to the EU-U.S. DPF, an organization must first be EU-U.S. DPF certified.
If an organization is already Swiss-U.S. Privacy Shield certified, that certification will enable personal data transfers from Switzerland once the Swiss Federal Administration has recognized the adequacy of the Swiss-U.S. DPF.
Under all of the above frameworks, organizations are required to comply with the DPF Principles, which are nearly identical to the Privacy Shield Principles. In addition, organizations must update their privacy notices (also known as privacy policies) to commit to the DPF Principles. Existing participants must do this by October 10th, 2023 for the EU-U.S. DPF and by October 17th, 2023 for the Swiss-U.S. DPF.
Is there a DPF fee for existing Privacy Shield participants?
No. The transition from the existing Privacy Shield Frameworks to the EU-U.S. DPF and Swiss-U.S. DPF does not trigger payment of a new fee. However, a recertification fee applies when the time for recertification arrives (see below).
Will my annual recertification due date change?
No. Organizations participating in the Privacy Shield Framework were required to recertify annually. This annual recertification requirement remains unchanged and the transition to the DPF will not change an organization’s existing recertification due date. The recertification process will be similar to the prior one, but self-certification will be to the new DPF Principles and be submitted through dataprivacyframework.gov.
Does DPF self-certification mean my business is compliant under the GDPR?
No. DPF self-certification merely serves as assurance that your business meets the GDPR’s requirements in order for an organization in the EU to transfer personal data to you. The certification does not mean that your business complies with the GDPR’s requirements generally.
Do I still need to use Standard Contractual Clauses (SCCs)?
While SCCs can still be used, they are not required when an organization in Europe wishes to transfer personal data to a DPF-certified U.S. organization. Personal data can now be transferred seamlessly based on the EU Commission’s adequacy decision for the DPF. Accordingly, the DPF is the easiest basis for such transfers. By contrast, to use SCCs organizations need to complete complex transfer impact assessments, negotiate the terms of the SCCs, and assess whether they need to implement supplementary measures.
Do I still need to sign Data Processing Agreements with my clients or vendors?
Yes. The DPF merely enables seamless personal data transfers from the EU to DPF-certified organizations in the U.S. Controllers, processors, and sub-processors are still required to enter into data processing agreements (DPAs) that meet the requirements of Article 28 of the GDPR. This requirement is not exclusive to the GDPR. Many other data protection laws, such as the California Consumer Privacy Act, require businesses to have DPAs in place with their service providers.
Do I need to update client or vendor contracts with language about the DPF?
In general, it is good practice to insert a reference to your organization’s DPF certification into client and vendor contracts. A typical clause will acknowledge the data importing party’s participation in the DPF, the application of the DPF to the transfer of personal data to the data importing party, and its commitment to comply with the DPF Principles. A DPF participant must ensure that its contracts with further controller recipients, as well as all processors or subprocessors, oblige them to notify the DPF participant if they are no longer able to provide the same level of data protection as is required by the DPF.
When your organization is DPF certified, it is important that any personal data obtained through this certification and then shared further meets the requirements of the Accountability for Onward Transfer Principle. In some cases, that also means ensuring your third-party contracts are updated to comply with these requirements.
VeraSafe can assist your organization in determining whether updates to your client and vendor contracts are necessary and what specific language should be used.
Can I transfer key-coded patient data from clinical sites in the EU using the DPF?
Yes. Key-coded patient data, such as the personal data collected from patients in a clinical trial, was not transferable in reliance on the Privacy Shield Framework, but is transferable under the new DPF. The DPF specifically states that key-coded research data “that is EU personal data under EU law would be covered by the” DPF. This is welcome news for pharmaceutical companies that sponsor clinical research, because easily transferring key-coded data is essential to scientific research and the development of medications, therapeutics, and medical devices.
Can VeraSafe help my organization with DPF self-certification?
Yes. VeraSafe is well equipped to guide your organization through the DPF self-certification process. We have over a decade of experience as a key provider of compliance programs for the previous EU-U.S. data transfer frameworks. We continue that legacy by offering a DPF Fast Track Certification Program and a DPF Verification + Certification Program.
Are VeraSafe’s certification and assurance programs aligned with the DPF?
Yes. VeraSafe has in-depth knowledge and practical experience regarding the new DPF, the former Privacy Shield Principles, and the corresponding self-certification process. We have been monitoring the developments vigilantly and have dedicated significant effort to developing our comprehensive service offering. Accordingly, we can assist clients with all of their needs regarding compliance and related requirements for self-certification under the DPF, including the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. Our programs have been thoughtfully designed to strike a balance between simplicity and robustness in order to enable your compliance.
Has VeraSafe itself obtained DPF certification?
Yes. VeraSafe was originally certified under the Privacy Shield Framework in 2016 and as a result of the recent privacy framework transition, we are now certified under the DPF.