Failure to Recertify Questionnaire

You are receiving this questionnaire because your organization has failed to complete its annual recertification to the Department of Commerce regarding participation in the Privacy Shield program. As a result, the Department will remove your organization from the Privacy Shield List, meaning that your organization may no longer benefit from the European Commission’s adequacy decision to receive personal information from the EU and your organization must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits.  

Your organization must verify whether it will return, delete, or continue to apply the Privacy Shield Principles to the personal information that it received in reliance upon the Privacy Shield, and if personal information will be retained, verify who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions.

Failure to respond to this request within 30 days may be subject to enforcement action by the Federal Trade Commission, the Department of Transportation, or other enforcement authorities.

Failure to Recertify Questionnaire

1. Please confirm that: (i) you are authorized to make representations on behalf of the organization and its covered entities regarding its adherence to the Privacy Shield Principles; (ii) the information submitted to the Department of Commerce for purposes of self-certification is accurate and correct; (iii) you understand that misrepresentations in any information provided to the Department may be actionable under the False Statements Act, 18 U.S.C. § 1001; and (iv) you understand that failure to adhere to the Privacy Shield Principles with regard to such personal data may lead to enforcement actions by the relevant enforcement authority.

2. Please provide the following information concerning the organization that self-certified its adherence to the Privacy Shield Principles:

   1. Organization Name;

   2. Organization Contact (the individual or office within the organization handling complaints, access requests, and any other issues concerning the organization’s compliance with the Privacy Shield Framework);

      1. Name;

      2. Title;

      3. Phone number; and

      4. E-mail address

   3. Organization Corporate Officer (the individual certifying the organization’s compliance with the Privacy Shield Framework);

1. Name;

2. Title;

3. Phone number; and

4. E-mail address

4. Mailing Address

3. The organization has failed to complete the recertification process in a timely manner. Please verify whether the organization wishes to withdraw from the Privacy Shield:

   1. Yes; or

   2. No.

If the organization wishes to withdraw from the Privacy Shield:

4. With respect to personal data received in reliance upon the Privacy Shield, please verify that the organization will:

   1. Retain such data, continue to apply the Privacy Shield Principles to such data, and affirm to the Department of Commerce on an annual basis its commitment to apply the Principles to such data;

   2. Retain such data and provide “adequate” protection for such data by another authorized means;

   3. Return or delete such data. If so, specify the date by which all such data was returned or deleted; or

   4. A combination of the above options (please describe).

If the organization intends to recertify its compliance with the Privacy Shield:

5. Please verify that, during the lapse of the organization’s certification status, the organization applied the Principles to personal data received under the Privacy Shield.

6. Please clarify what steps the organization will take to address the outstanding issues that have delayed its recertification: (select all that apply)

   1. Submit recertification application;

   2. Make appropriate revisions to privacy policy statements;

   3. Make privacy policy statements available for review;

   4. Clarify selection of or put in place an appropriate independent recourse mechanism;

   5. Submit payment for the relevant Privacy Shield fees;

   6. Other step(s) (please describe).