Information Collection for Self-Certification to the EU-U.S. and Swiss-U.S. Privacy Shield Framework


PS self-certification form_web version_03-23-2017


OMB: 0625-0276



Step 0


Getting Started





OMB control number: 0625-0276 Expiration date: 3/31/2020



Public reporting for this collection is estimated to be 40 minutes per response, including the time to review the instructions, complete, and submit the collection of information, but not including time to review and implement the requirements of the program. Send comments regarding the burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to the Reports Clearance Officer, International Trade Administration, Department of Commerce, Room 4001, 14th and Constitution Avenue, N.W., Washington, D.C. 20230.

The OMB clearance number and expiration date cited above relate to the form itself rather than your organization’s self-certification to the Privacy Shield Framework(s).

Self-certifying an Organization’s Compliance with the EU-U.S. and/or the Swiss-U.S. Privacy Shield Framework(s)



Please review the Privacy Shield Framework(s), as may be relevant to your organization, and prepare the required information before completing this form.

If you have any difficulty completing this form or have questions concerning the Privacy Shield self-certification process, please contact the Privacy Shield team at the International Trade Administration, U.S. Department of Commerce, whenever possible via the Privacy Shield website by using the “Assistance” tool, or by phone at 202-482-1512.




Please indicate with which Privacy Shield Framework(s) your organization self-certifies its compliance:

{select all that apply} [required]

  • EU-U.S. Privacy Shield Framework

  • Swiss-U.S. Privacy Shield Framework



Additional information regarding the Privacy Shield Frameworks and cost structures is available here: https://www.privacyshield.gov/Program-Overview




Step 1

Organization Information


Organization Legal Name: [required]

Organization Display Name: [required]

Address: [required]

City: [required]

State: [required]

Zip Code: [required]




Step 2




ORGANIZATION CONTACT

Provide a contact office and individual within your organization for the handling of complaints, access requests, and any other issues concerning your organization’s compliance with the Privacy Shield Framework(s).

Contact Office: [required]


Contact Name: [required]


Contact Title: [required]


Contact Phone: [required]


Contact Fax: [optional]


Contact Email: [required]




ORGANIZATION CORPORATE OFFICER

Provide information about the individual certifying your organization’s compliance with the Privacy Shield Framework(s). By submitting this self-certification, the corporate officer attests that he/she is authorized to submit the self-certification on behalf of your organization and all entities or subsidiaries indicated below.

Corporate Officer Name: [required]


Corporate Officer Title: [required]


Corporate Officer Phone: [required]


Corporate Officer Fax: [optional]


Corporate Officer Email: [required]





Step 3

Organization Characteristics


Indicate your organization’s annual revenue.

Note: This information will be used to determine the fee your organization must pay to self-certify to the Privacy Shield Framework(s) and will not be disclosed on the Privacy Shield website.

{select one} [required]

  • Under $5 million

  • Over $5-25 million

  • Over $25-500 million

  • Over $500 million - $5 billion

  • Over $5 billion



Although your organization is not required to do so for purposes of its self-certification, please indicate the number of employees in your organization.

Note: This information will not be publicly disclosed on the Privacy Shield website.


{select one} [optional]

  • Fewer than 100

  • 100-250

  • 251-500

  • 501 or more



Although your organization is not required to do so for purposes of its self-certification, please select the industry sector(s) applicable to your organization.

Note: This is for information only, but will be disclosed on the Privacy Shield website.

{select all that apply} [optional]


Step 4

Other Covered Entities


List all U.S. entities or subsidiaries of your organization that are also adhering to the Privacy Shield Principles and are covered under your organization’s self-certification.

Note: The references to an “organization” in this form, as well as in the Privacy Shield Principles, include all covered entities and subsidiaries listed herein.

{field, maximum 4,000 characters} [required]




Step 5

Covered Data and Dispute Resolution


What types of personal data do your organization’s Privacy Shield commitments cover?

Note: For purposes of this self-certification form, the term “human resources data” (human resources sometimes being abbreviated in this form and on the Privacy Shield website as HR) refers to personal data about employees, past or present, collected in the context of the employment relationship. Examples of other types of personal data that could be covered include the following: customer or client non-HR data, as well as clinical trial data.

{select all that apply} [required]

  • Human resources data

  • Personal data other than human resources data


For personal data other than human resources data


Note regarding the independent recourse mechanism available to investigate unresolved complaints: If your organization wishes its Privacy Shield commitments to cover personal data other than human resources data, on an annual basis you must designate a private sector developed independent recourse mechanism, or you may choose to cooperate with the EU data protection authorities (DPA) and have a DPA panel serve as your independent recourse mechanism for such data transferred from the EU or the Swiss Federal Data Protection and Information Commissioner for such data transferred from Switzerland. Your annual selection will apply to all information received by your organization under Privacy Shield other than human resources data.


{select a recourse mechanism from the list that is provided or identify a recourse mechanism not on the list} [required]

If your organization has designated a private sector developed independent recourse mechanism, provide the name and a web address for the designated private sector developed independent recourse mechanism:


{field, maximum 4,000 characters} [required]



For human resources data


Note regarding the independent recourse mechanism available to investigate unresolved complaints: If your organization wishes its Privacy Shield commitments to cover human resources data transferred from the EU and/or Switzerland for use in the context of the employment relationship, you must declare your organization’s commitment to cooperate with the EU and/or Swiss authority concerned in conformity with the Supplemental Principles on Human Resources Data and on the Role of the Data Protection Authorities and that you will comply with the advice given by such authority.


{select all that apply} [required]


  • My organization receives or processes human resources data from the EU for use in the context of the employment relationship under Privacy Shield and agrees to cooperate with EU data protection authorities and comply with the advice given by such authorities with respect to this data.


  • My organization receives or processes human resources data from Switzerland for use in the context of the employment relationship under Privacy Shield and agrees to cooperate with the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by such authorities with respect to this data.




Briefly describe the purposes for which your organization processes personal data in reliance on Privacy Shield, including the types of personal data processed by your organization (e.g., customer, client, visitor, and clinical trial data) and, if applicable, the type of third parties to which it discloses such personal information.

{field, maximum 4,000 characters} [required]



Step 6

Enforcement and Verification


Which appropriate U.S. statutory body has jurisdiction to investigate claims against your organization regarding possible unfair or deceptive practices and violations of laws or regulations covering privacy?


Note that to be transferred in reliance on Privacy Shield, personal data must be processed in connection with an activity that is subject to the jurisdiction of at least one appropriate statutory body listed below to investigate.

{select one} [required]


  • Federal Trade Commission

  • Department of Transportation



List any privacy program in which your organization is a member:

{field, maximum 4,000 characters} [optional]



What is your organization's verification method?


Note: Your organization must indicate whether the verification performed is through self-assessment or outside compliance reviews in conformity with the Supplemental Principle on Verification.


{select one} [required]


  • self-assessment

  • outside compliance review


If your organization has chosen an outside compliance review, identify and provide a web address for the third party that conducts the review:


{field, maximum 4,000 characters} [required]




Step 7

Privacy Policies


Enter the effective date of your organization's privacy policy applicable to the personal data covered under your organization’s self-certification:

{enter a valid date} [required]


For personal data other than human resources data

If your organization has a public website, provide the relevant web address where the privacy policy is available:

{field, maximum 4,000 characters}

OR

If your organization does not have a public website, provide information regarding where the privacy policy is available for viewing by the general public and upload a copy of the relevant privacy policy which will be made available on the Privacy Shield website:

{field, maximum 4,000 characters} and {document upload capability}



For human resources data

Although an organization that covers human resources data under its self-certification is not required to make available to the general public the relevant privacy policy that exclusively covers that human resources data, it must provide information regarding where the privacy policy is available for viewing by affected employees and provide a copy of that privacy policy statement to the Department of Commerce. The uploaded policy will not be made available on the Privacy Shield website.

{field, maximum 4,000 characters} and {document upload capability}

[required]






Step 8


Submit Payment and Application




The U.S. Department of Commerce’s International Trade Administration (ITA) has implemented a cost recovery program to support the operation of the Privacy Shield, which requires U.S. organizations to pay an annual fee to the ITA in order to participate in the program. The cost recovery program will support the administration and supervision of the Privacy Shield program and support the provision of the Privacy Shield-related services, including education and outreach. The fee a given organization is charged is based on the organization’s annual revenue.


By clicking the Pay button on this page you will be redirected to the Pay.gov payment site where you will submit your payment information. Once you have submitted your payment information you will be redirected back to this site, so that you can complete your payment and submit your organization’s self-certification application for review.



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Modified: 0000-00-00
File Created: 2021-01-14
