U.S. Department of Commerce (DOC), EU-US Data Privacy Framework



Which are the benefits of the EU-US Data Privacy Framework, according to the U.S. Department of Commerce?

The EU-U.S. Data Privacy Framework (EU-U.S. DPF) provides a number of important benefits to U.S.-based organizations, as well as their partners in Europe. These include:

1. All Member States of the European Union will be bound by the European Commission’s adequacy decision for the EU-U.S. DPF, the United Kingdom and Gibraltar will be bound by the UK Government’s data bridge for the UK Extension to the EU-U.S. DPF, and Switzerland will be bound by the Swiss Federal Administration's recognition of adequacy for the Swiss-U.S. DPF once those government actions enter into force.

2. Participating organizations are deemed to provide “adequate” data protection (i.e., privacy protection), a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR), outside of the United Kingdom under the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), and outside of Switzerland under the Swiss Federal Act on Data Protection (FADP).

3. Because adequate protection is provided by participating organizations, contracts with such organizations for mere processing do not require prior authorization.

4. Compliance requirements are clearly laid out and cost-effective, which should particularly benefit small and medium-sized enterprises.


What circumstances or events contributed to reaching the agreement and the EU-US Data Privacy Framework?

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment, known as the Schrems II decision, which declared as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

As a result of the Schrems II decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. That decision did not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.

On October 7, 2022, President Biden signed Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities” (the Executive Order). Following the signing of the Executive Order, U.S. Secretary of Commerce Gina Raimondo issued a statement on the Executive Order's implementation of the EU-U.S. DPF.

The Executive Order, the U.S. Intelligence Community’s policies and procedures implementing the privacy and civil liberties safeguards specified in the Executive Order, and regulations governing the new Data Protection Review Court (DPRC) implement U.S. commitments under the EU-U.S. DPF. These commitments fully address the concerns raised by the CJEU in its Schrems II decision. The EU-U.S. DPF also amends the privacy principles that organizations adhered to under the EU-U.S. Privacy Shield Framework as the “EU-U.S. Data Privacy Framework Principles” (EU-U.S. DPF Principles).

On the basis of the EU-U.S. DPF Principles, Executive Order 14086, 28 CFR part 201, and accompanying letters and materials, including the commitments by the U.S. Department of Commerce’s International Trade Administration (ITA) regarding the administration and supervision of the Data Privacy Framework (DPF) program, the European Commission was able to adopt a new adequacy decision recognizing the adequacy of protection provided by the EU-U.S. DPF.

The European Commission’s new adequacy decision affirms that the strengthened safeguards in U.S. law on signals intelligence activities, the new redress mechanism, and the amended privacy principles under the EU-U.S. DPF meet EU legal requirements, thereby enabling participating organizations to use the EU-U.S. DPF Principles to transfer EU personal data to the United States in compliance with EU law.

The Department expects that those arrangements will further facilitate transfers to U.S. organizations made in reliance on other data transfer mechanisms under EU law, such as Standard Contractual Clauses and Binding Corporate Rules.


Understanding better the EU-US Data Privacy Framework, according to the U.S. Department of Commerce

The following have been developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland that are consistent with EU, UK, and Swiss law:

- The EU-U.S. Data Privacy Framework (EU-U.S. DPF),

- The UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF),

- The Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Organizations participating in the EU-U.S. DPF may receive personal data from the European Union / European Economic Area in reliance on the EU-U.S. DPF effective July 10, 2023. July 10, 2023 is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF and the effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.

Organizations participating in the UK Extension to the EU-U.S. DPF may receive personal data from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF effective October 12, 2023, which is the date of entry into force of the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF. The data bridge for the UK Extension to the EU-U.S. DPF enables the transfer of UK and Gibraltar personal data to participating organizations consistent with UK law.

The effective date of the Swiss-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles, is July 17, 2023; however, personal data cannot be received from Switzerland in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. The recognition of adequacy will enable the transfer of Swiss personal data to participating organizations consistent with Swiss law.

The Data Privacy Framework (DPF) program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables eligible U.S.-based organizations to self-certify their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF.

To participate in the DPF program, a U.S.-based organization is required to self-certify to the ITA via the Department's DPF program website and publicly commit to comply with the DPF Principles. While the decision by an eligible U.S.-based organization to self-certify its compliance pursuant to and participate in the relevant part(s) of the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.

Organizations that only wish to self-certify their compliance pursuant to the EU-U.S. DPF and/or the Swiss-U.S. DPF may do so; however, organizations that wish to participate in the UK Extension to the EU-U.S. DPF must participate in the EU-U.S. DPF. Such organizations' commitment to comply with the DPF Principles must be reflected in their self-certification submissions to the ITA, and at appropriate times in their relevant privacy policies.

Organizations that self-certified their compliance pursuant to the EU-U.S. Privacy Shield that wish to enjoy the benefits of participating in the EU-U.S. DPF must comply with the EU-U.S. DPF Principles; and organizations that self-certified their compliance pursuant to the Swiss-U.S. Privacy Shield that wish to enjoy the benefits of participating in the Swiss-U.S. DPF must comply with the Swiss-U.S. DPF Principles.

To rely on the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, an organization must self-certify its adherence to the DPF Principles to the ITA and be placed and remain on the Data Privacy Framework List. The ITA will update the Data Privacy Framework List on the basis of annual re-certification submissions made by participating organizations and by removing organizations when they voluntarily withdraw, fail to complete the annual re-certification in accordance with the ITA's procedures, or are found to persistently fail to comply.

The ITA will also maintain and make available to the public an authoritative record of U.S. organizations that have been removed from the Data Privacy Framework List and will identify the reason each organization was removed. The aforementioned authoritative list and record will remain available to the public on the Department's DPF program website.

Any organization removed from the Data Privacy Framework List must cease making claims that it participates in or complies with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and that it may receive personal information pursuant to the relevant part(s) of the DPF program. Such an organization must continue to apply the DPF Principles to personal information received while participating in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF for as long as it retains such information.


Key Requirements for DPF Program Participating Organizations

Informing individuals about data processing

1. A participating organization must include in its privacy policy a declaration of the participating organization’s commitment to comply with the DPF Principles, so that the commitment becomes enforceable under U.S. law.

2. A participating organization’s privacy policy must include a link to the U.S. Department of Commerce’s DPF program website and a link to, or the web address for, the relevant website or complaint submission form of the independent recourse mechanism that is available to investigate individual complaints brought under the DPF Principles.

3. A participating organization must inform individuals of their rights to access their personal data, the requirement to disclose personal information in response to lawful requests by public authorities, which enforcement authority has jurisdiction over the participating organization’s compliance with the DPF Principles, and the participating organization’s liability in cases of onward transfer of data to third parties.


Providing free and accessible dispute resolution

1. Individuals may bring a complaint directly to a participating organization, and the participant must respond to the individual within 45 days.

2. Participating organizations must provide, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved.

3. If an individual submits a complaint to a data protection authority (DPA) in the European Union / European Economic Area, the United Kingdom (and/or, as applicable, Gibraltar) or Switzerland, the U.S. Department of Commerce’s International Trade Administration (ITA) has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days.

4. Participating organizations must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.


Cooperating with the U.S. Department of Commerce

Participating organizations must respond promptly to inquiries and requests by the ITA for information relating to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).


Maintaining data integrity and purpose limitation

1. Participating organizations must limit personal information to the information relevant for the purposes of processing.

2. Participating organizations must comply with the data retention provision.


Ensuring accountability for data transferred to third parties

To transfer personal information to a third party acting as a controller, a participating organization must:

1. Comply with the Notice and Choice Principles; and

2. Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the DPF Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.

To transfer personal data to a third party acting as an agent, a participating organization must:

1. Transfer such data only for limited and specified purposes;

2. Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the DPF Principles;

3. Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the DPF Principles;

4. Require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles;

5. Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and

6. Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the U.S. Department of Commerce upon request.


Transparency related to enforcement actions

Participating organizations must make public any relevant DPF-related sections of any compliance or assessment report submitted to the Federal Trade Commission (FTC) or the U.S. Department of Transportation if the organization becomes subject to an FTC or court order based on non-compliance.


Ensuring commitments are kept as long as data is held

If an organization leaves the relevant part(s) of the DPF program, it must annually affirm to the ITA its commitment to apply the DPF Principles to information received under the relevant part(s) of the DPF program if it chooses to keep such data; otherwise, it must provide “adequate” protection for the information by another authorized means.


How to Join the Data Privacy Framework (DPF) Program?

The decision by a U.S.-based organization to join the Data Privacy Framework (DPF) program is entirely voluntary. However, once an eligible U.S.-based organization self-certifies to the U.S. Department of Commerce’s International Trade Administration (ITA) and publicly declares its commitment to adhere to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles, that commitment is enforceable under U.S. law by the relevant enforcement authority (i.e., by the Federal Trade Commission (FTC), the U.S. Department of Transportation (DOT), or other relevant government body).

To be entitled to the benefits of participating in the DPF program, an organization must initially self-certify and then annually re-certify to the ITA that it adheres to the DPF Principles, including the Supplemental Principles that collectively consist of a detailed set of requirements based on privacy principles.

To initially self-certify or subsequently re-certify for the relevant part(s) of the DPF program, an organization must on each occasion provide to the ITA a submission made via the DPF program website (i.e., this website) by an individual within the organization who is authorized to make representations on behalf of the organization and any of its covered U.S. entities or U.S. subsidiaries regarding its adherence to the DPF Principles. An organization will be able to receive personal data under the relevant part(s) of the DPF program from the date that the ITA places the organization on the Data Privacy Framework List with regard to said part(s) of the DPF program.

The ITA will only place an organization on the Data Privacy Framework List after having determined that the organization’s initial self-certification submission is complete, and will remove the organization from that list if it voluntarily withdraws, fails to complete its annual re-certification, or if it is found to have persistently failed to comply with the DPF Principles.

Please note that the substantive requirements of the respective DPF Principles, including the Supplemental Principles, under the EU-U.S. DPF and the Swiss-U.S. DPF are effectively the same; therefore, the links within descriptive text throughout this website are typically to the relevant EU-U.S. DPF Principle(s) or Supplemental Principle(s).

When reading the specific EU-U.S. DPF Principles and Supplemental Principles accessible via such links organizations should keep in mind that whereas those refer to the European Union and/or the European Commission, EU DPAs, and EU individuals, the analogous Swiss-U.S. DPF Principles and Supplemental Principles refer instead to Switzerland and/or the Swiss Federal Administration, the Swiss FDPIC, and Swiss individuals (i.e., as consistent with relevant differences between Switzerland and the European Union).

In addition, organizations should also keep in mind that under the UK Extension to the EU-U.S. DPF, references in the EU-U.S. DPF Principles and Supplemental Principles to the European Union and/or the European Commission, EU DPAs, and EU individuals should generally be understood as referring respectively to the United Kingdom and/or the UK Government, the ICO (and/or, as applicable, the GRA), and UK individuals (i.e., as consistent with relevant differences between the United Kingdom and Gibraltar, and the European Union). The full text of the Swiss-U.S. DPF Principles, including the Supplemental Principles, is available here.

A brief guide to the self-certification process, including steps that the organization must take prior to providing its initial self-certification submission, is provided below. This guide should be read in conjunction with the complete set of DPF Principles, including the Supplemental Principles. Following these steps will help to ensure that your organization is meeting the requirements for self-certification, as set forth in the Supplemental Principle on Self-Certification.


1. Confirm Your Organization's Eligibility to Participate in the DPF Program: Only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT) are currently eligible to participate in the DPF program. The FTC and DOT have both committed (see the FTC and DOT letters) that they will enforce the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Note that, to be transferred in reliance on part(s) of the DPF program, personal data must be processed in connection with an activity that is subject to the jurisdiction of at least one appropriate statutory body listed in the DPF Principles.

a. Generally, the FTC's jurisdiction covers acts or practices in or affecting commerce by any "person, partnership, or corporation." The FTC does not have jurisdiction over most depository institutions (banks, federal credit unions, and savings & loan institutions), telecommunications and interstate transportation common carrier activities, air carriers, labor associations, most non-profit organizations, and most packer and stockyard activities. In addition, the FTC's jurisdiction with regard to insurance activities is limited to certain circumstances. The DOT has exclusive jurisdiction over U.S. and foreign air carriers. The DOT and the FTC share jurisdiction over ticket agents that market air transportation.

b. If you are uncertain as to whether your organization falls under the jurisdiction of either the FTC or DOT, then you should contact the DPF team at the ITA for more information. The ITA is not in a position of authority to determine the scope of FTC or DOT jurisdiction; therefore, the DPF team would, as appropriate, consult with the FTC or DOT as to whether FTC or DOT jurisdiction would apply to a given organization. Whether a given organization falls under FTC or DOT jurisdiction turns on the particular facts involved and must be determined on a case-by-case basis.

To self-certify to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, an eligible U.S. organization must provide to the ITA a self-certification submission containing the organization’s relevant U.S. mailing address.


2. Develop a DPF-Compliant Privacy Policy Statement (See Privacy Policy FAQs for additional information): Your organization must develop a DPF-compliant privacy policy before submitting its initial self-certification to the ITA.

a. Ensure that Your Organization's Privacy Policy Conforms to the DPF Principles: In order to be compliant with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, the privacy policy must conform to the EU-U.S. DPF Principles. In order to be compliant with the Swiss-U.S. DPF, the privacy policy must conform to the Swiss-U.S. DPF Principles. Among other things, the privacy policy should reflect your organization's information handling practices and the choices your organization offers individuals with respect to the use and disclosure of their personal information. The Notice Principle provides a useful checklist of many of the required elements. It is important to write a policy that is clear, concise, and easy to understand.

b. Make Specific Reference in the Privacy Policy to Your Organization's Compliance with the DPF Principles: The Supplemental Principle on Self-Certification requires each organization that self-certifies to state in its relevant published privacy policy that it adheres to the DPF Principles (i.e., the EU-U.S. DPF Principles when self-certifying compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF; and/or the Swiss-U.S. DPF Principles when self-certifying compliance pursuant to the Swiss-U.S. DPF). In addition, the privacy policy must include a hyperlink to the DPF program website. Please note that an organization self-certifying for the first time may not claim DPF participation in its published privacy policy until the DPF team notifies the organization that its submission is otherwise complete. (See Privacy Policy FAQs for specific guidance on when an organization’s privacy policy should be updated to claim DPF participation.)

c. Identify in the Privacy Policy Your Organization's Independent Recourse Mechanism(s) (See section 3 for additional information): If your organization has selected an independent recourse mechanism provided by a private-sector alternative dispute resolution body, it must include an appropriate hyperlink to the relevant website or complaint submission form of the mechanism that is available to investigate unresolved complaints regarding your organization's compliance with the DPF Principles.

d. Provide an Accurate Location for Your Organization's Privacy Policy and Make Sure that it is Publicly Available: At the time of self-certification, your organization must provide accurate information about the location of its applicable privacy policy or policies. If your organization is covering HR and non-HR data, it must indicate the location of the applicable policy or policies for each type of data covered under your organization’s self-certification. If your organization has a public website, it must provide the web address where the privacy policy is available; if your organization does not have a public website, it must provide the ITA with a copy of the privacy policy and where the privacy policy is available for viewing by affected individuals (i.e., affected employees if the privacy policy is an HR privacy policy, or the public if the privacy policy is not an HR privacy policy). In addition, your organization should verify that its privacy policy is effective prior to self-certification. (See Supplemental Principle on Verification.)

If your organization's self-certification relates to human resources data, then the privacy policy covering such data need only be made available to your organization's employees and as part of the DPF self-certification review process. In such instances, your organization may either (1) provide the public web address where the privacy policy is available or (2) specify where the privacy policy is available for viewing by your organization’s affected employees and upload a copy to your organization's DPF submission so that it may be reviewed by the ITA's DPF team. (See section (c) of Supplemental Principle on Self-Certification for more information).


3. Ensure That Your Organization Has in Place An Appropriate Independent Recourse Mechanism For Each Type of Personal Data Covered by Its Self-Certification: Under the Recourse, Enforcement and Liability Principle, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints brought under the DPF Principles and provide appropriate recourse free of charge to the affected individual. (See Supplemental Principle on Dispute Resolution and Enforcement for more information regarding dispute resolution).

a. Your organization must ensure that its recourse mechanism is in place prior to self-certification, including registering with the relevant mechanism prior to self-certification when the mechanism requires such registration. The ITA’s DPF team will work with the independent recourse mechanisms to verify such registrations prior to finalizing organizations’ self-certifications. In addition, your organization must include in its privacy policy a reference to, as well as relevant contact information for, the independent recourse mechanism, as noted in section 2 above.

b. If your organization's self-certification will cover human resources data (i.e., personal information about your organization's own employees, past or present, collected in the context of the employment relationship), then your organization must agree to cooperate with and comply with the advice of the appropriate European data protection authorities with regard to such data (i.e., cooperate with the EU DPAs under the EU-U.S. DPF, the UK ICO and the GRA under the UK Extension to the EU-U.S. DPF, and/or the Swiss FDPIC under the Swiss-U.S. DPF in the investigation and resolution of complaints brought under the DPF Principles). Additional guidance on the handling of human resources data under the DPF program is provided in Supplemental Principle on Human Resources Data.

c. If your organization’s self-certification will cover personal data other than human resources data, it may either utilize an independent recourse mechanism provided by a private-sector dispute resolution body with regard to such data or choose to cooperate with and comply with the advice of the appropriate European data protection authorities with regard to such data. Private-sector bodies like JAMS, BBB National Programs (BBB NP), TRUSTe, International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA), PrivacyTrust, VeraSafe, Insights Association, and the ANA have developed programs that assist in compliance with the Recourse, Enforcement and Liability Principle and the Supplemental Principle on Dispute Resolution and Enforcement.

d. Organizations that are either required or choose to cooperate and comply with the appropriate European data protection authorities with regard to personal data covered by their self-certification must follow procedures outlined in the Supplemental Principle on the Role of Data Protection Authorities and the Supplemental Principle on the Role of the Federal Data Protection and Information Commissioner (as applicable).

Those organizations that are either required or choose to cooperate and comply with the EU DPAs with regard to data covered by their self-certifications are required to pay an annual fee of U.S. $50 in order to cover the operating costs of the EU DPA panel. The EU DPA panel fee is payable to the United States Council for International Business (USCIB), which has agreed to act as the trusted third party for this purpose (i.e., USCIB serves as the custodian of the funds collected through the EU DPA panel fee, but does not itself serve as an independent recourse mechanism). The EU DPA panel fee can be paid online here. No such independent recourse mechanism-related fee is required with regard to the UK ICO or the Swiss FDPIC.


4. Make the Required Contribution for the Annex I Binding Arbitration Mechanism: As described respectively in Annex I of the EU-U.S. DPF Principles, the Letter from the U.S. Department of Commerce’s International Trade Administration regarding the UK Extension to the EU-U.S. DPF, and Annex I of the Swiss-U.S. DPF Principles, an EU, UK, or Swiss individual has the option to invoke binding arbitration to determine whether a participating organization has violated its obligations under the DPF Principles as to that individual and whether any such violation remains fully or partially unremedied (“residual claims”). In Annex I of the DPF Principles, the U.S. Department of Commerce committed to the maintenance of a fund to which participating organizations will be required to contribute to cover the arbitral costs, including arbitrator fees, up to maximum amounts.

The International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) was selected by the U.S. Department of Commerce to administer arbitrations pursuant to and manage the arbitral fund identified in Annex I of the DPF Principles. Please visit ICDR-AAA’s website at https://go.adr.org/dpf-annexi-fund.html to make the required contribution.


5. Ensure that Your Organization's Verification Mechanism is in Place: Your organization must have procedures in place for verifying that the attestations and assertions it makes about its DPF privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the DPF Principles. To meet this requirement, your organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. For additional guidance on the verification requirement, please see the Supplemental Principle on Verification.


6. Designate a Contact within Your Organization Regarding DPF Compliance: Your organization is required to provide a contact for the handling of complaints, access requests, and any other issues concerning your organization’s compliance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. This contact can be either the corporate officer that is certifying your organization's compliance with the DPF Principles, or another official within your organization, such as a Chief Privacy Officer. Under the DPF Principles, organizations must respond to individuals within 45 days of receiving a complaint.


7. Review the Information Required to Self-Certify: Prior to submitting a self-certification via the DPF program website (i.e., this website), your organization should review and compile the information required as part of the ITA's online self-certification process (See required self-certification information).


8. Submit Your Organization's Self-Certification to the ITA: Click on the "Self-Certify" link on this website to create a profile and submit your organization's self-certification. Submission of your organization’s self-certification will also require payment of a self-certification processing fee. The self-certification processing fee is part of the ITA's cost recovery program to support the operation of the DPF Program. Once submitted, your organization’s self-certification will be reviewed by a member of the DPF team to verify that it meets the self-certification requirements.

If the DPF team identifies any issues during its review of your organization’s self-certification submission that must be addressed before the self-certification can be finalized, it will inform your organization via e-mail that your organization must address all such issues within the appropriate timeframe designated by the ITA. Failure to respond within timeframes designated by the ITA or other failure to complete its self-certification in accordance with the ITA’s procedures will lead to the self-certification being considered abandoned. Your organization would be informed via e-mail once its self-certification had been finalized.


Read more - U.S. Department of Commerce, Data Privacy Framework Program

https://www.dataprivacyframework.gov

