Privacy Shield Self-Certification FAQ

This article answers some of the frequently asked questions about the U.S. Department of Commerce’s Privacy Shield self-certification process.

The Department of Commerce (the “Department”) maintains a publicly available list, known as the “Privacy Shield List,” of organizations that have completed a Privacy Shield self-certification submission. An organization anywhere in the world that transfers personal data to a participant on the Privacy Shield List can rely on the Privacy Shield as a lawful basis for that transfer under EU data protection law. An organization that fails to submit its annual self-recertification is removed from the Privacy Shield List. Organizations can also withdraw voluntarily from the Privacy Shield program. Once an organization is removed from the Privacy Shield List, it must immediately remove all references to the Privacy Shield from its privacy policies.

How Do You Self-Certify to the Privacy Shield Program?

VeraSafe provides a complete solution that combines a compliance review, guidance on resolving compliance gaps, and hands-on support with all of the certification formalities. If you prefer to do it alone, see the Department’s guidance on “How to Join Privacy Shield,” which is published in two parts: Part 1: https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-1 and Part 2: https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-2.

Please note that organizations must respond promptly to inquiries from the Department about their self-certification. Failure to respond, or to complete the self-certification within the timeframes set by the Department, will result in the application being treated as abandoned.

How Soon Can an Organization Reference Privacy Shield Participation in Its Published Privacy Policies When Self-Certifying for the First Time?

An organization that is self-certifying for the first time may not claim Privacy Shield participation in its published privacy policy until the Department notifies it that its submission is complete.

In fact, an organization that is self-certifying for the first time must provide the Department with a draft privacy policy when it submits its initial self-certification. The draft privacy policy must be consistent with the Privacy Shield requirements. Once the Department has approved the submission, it will notify the organization that it may publish the relevant privacy policy, which must always include a statement that the organization adheres to the Privacy Shield Principles. The organization should then promptly notify the Department as soon as the privacy policy is published, and the Department will add the organization to the Privacy Shield List.

What Information Must Be Included in the Organization’s Published Privacy Policy in Relation to Its Privacy Shield Participation?

VeraSafe’s Privacy Program Certification Criteria (see Section 2: Notice) enumerate the disclosures that must be included in an organization’s privacy policy. Our standard incorporates the requirements of the Privacy Shield Framework itself, but also benefits from the context provided by Articles 13 and 14 of the GDPR, which clarify the European perspective on the principle of “Notice.”

Organizations must publish, in their relevant privacy policy, a statement that they adhere to the Privacy Shield Principles. If the privacy policy is available online, it must include a hyperlink to the Department’s Privacy Shield website. It must also include a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. For example, an organization that participates in the VeraSafe Privacy Shield Dispute Resolution Program must disclose this in its published privacy policy. When your organization completes its registration in the VeraSafe Privacy Shield Dispute Resolution Program, VeraSafe will send you the disclosure text to copy into your privacy policy.

How Do You Re-Certify to the Privacy Shield Annually?

Organizations participating in the Privacy Shield must re-certify their compliance and complete the re-certification formalities with the U.S. Department of Commerce annually. VeraSafe assists clients with this process by scheduling re-assessments so that they begin on time and by keeping clients informed of their recertification obligations.

For the do-it-yourself audience, information on the re-certification process is available on the Department’s website at: https://www.privacyshield.gov/article?id=How-to-Re-certify-to-Privacy-Shield

What If an Organization Has Not Submitted Its Re-Certification and Has Been Removed from the Privacy Shield List?

An organization that has not submitted its re-certification and has been removed from the Privacy Shield List must first contact the Department’s Privacy Shield team at [email protected] before attempting to log in via the Privacy Shield website (https://www.privacyshield.gov/welcome) to make the re-certification submission. The Department’s Privacy Shield team will then review the organization’s re-certification submission and notify the organization of any issues with it. Any issues identified must be resolved before the re-certification can be finalized.

The organization must also complete a questionnaire confirming whether it wishes to re-certify or to withdraw from the Privacy Shield List. An organization that wishes to withdraw must state whether it will return, delete, or continue to apply the Privacy Shield Principles to the personal information it received under the Privacy Shield. A copy of the questionnaire is available here; it must be completed and returned as an email attachment to the Department at [email protected]. Please note that the questionnaire must be filled out electronically: responses should be entered directly into the form, not handwritten.

How Can VeraSafe Assist Your Organization with Self-Certification?

VeraSafe offers a complete compliance program for your organization’s Privacy Shield certification. Our all-in-one solution provides the tools you need to comply with the Privacy Shield’s complex requirements, including expert advice, compliance assessment, mitigation consulting, training, penetration testing, and more.

Click here to learn more about the VeraSafe Privacy Shield compliance program or, if you wish to speak with one of our privacy experts, contact us for a free Privacy Shield or GDPR consultation.

Contact VeraSafe today to learn more

Contact VeraSafe to discuss your data security management and privacy program today.