Failure to Re-certify Questionnaire

A Federal agency may not conduct or sponsor an information collection subject to the requirements of the Paperwork Reduction Act of 1995
unless the information collection has a currently valid OMB Control Number. The approved OMB Control Number for this information
collection is 06XX-XXXX (expires MM/DD/YYYY). Without this approval, we could not conduct this information collection. Public reporting for
this information collection is estimated to be approximately 25 minutes per response, including the time for reviewing instructions, searching
existing data sources, gathering and maintaining the data needed, and completing and reviewing the information collection. All responses to
this information collection are voluntary. Send comments regarding this burden estimate or any other aspect of this information collection,
including suggestions for reducing this burden to ITA Paperwork Reduction Act Officer at [email protected].

You are receiving this questionnaire because your organization has failed to complete its annual re-certification to the U.S.
Department of Commerce's International Trade Administration (ITA) regarding participation in the EU-U.S. Data Privacy
Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy
Framework (Swiss-U.S. DPF). As a result, the ITA has removed your organization from the Data Privacy Framework List with
regard to the relevant part(s) of the DPF program.
Your organization must continue to apply the DPF Principles to the personal data that it received under the the relevant
part(s) of the DPF program and affirm to the ITA on an annual basis its commitment to do so, for as long as it stores, uses or
discloses such data; otherwise, your organization must return or delete the data or provide “adequate” protection for the
data by another authorized means.
Your organization must cease making any explicit or implicit claims, whether on its website(s) or in other materials (e.g., any
privacy policy or marketing materials), that it participates in or complies with and may receive personal data pursuant to the
relevant part(s) of the DPF program.
Your organization must verify whether it intends to withdraw or instead intends to re-certify. If your organization intends to
withdraw, it must further verify what it will do and/or has done (as applicable) with the personal data that it received in
reliance on its participation in the relevant part(s) of the DPF program. If your organization intends to re-certify, it must
further verify to the ITA that during the lapse of its certification status it applied the DPF Principles to personal data received
in reliance on its participation in the relevant part(s) of the DPF program and clarify what steps it will take to address the
outstanding issues that have delayed its re-certification. In either case your organization must also verify who within the
organization will serve as an ongoing point of contact for DPF-related questions.
Failure to respond to this request within 30 days may be subject to enforcement action by the Federal Trade Commission, 
the U.S. Department of Transportation, or other enforcement authorities.   

Failure to Re-certify Questionnaire 
1) Please confirm that: (i) you are authorized to make representations on behalf of your organization
and its covered U.S. entities and U.S. subsidiaries regarding its adherence to the DPF Principles;  (ii)
the information submitted to the U.S. Department of Commerce for purposes of self‐certification,
including with regard to personal data received in reliance on its participation in the relevant part(s)
of the DPF program, is accurate and correct; (iii) you understand that misrepresentations in any
information provided to the Department may be actionable under the False Statements Act,
18 U.S.C. § 1001; and (iv) you understand that failure to adhere to the DPF Principles with regard to
such personal data may lead to enforcement actions by the relevant enforcement authority.

2) Please provide the following information concerning the organization that self‐certified its
adherence to the DPF Principles:
a. Organization Name;

b. Organization Contact (the individual and/or office within your organization handling
complaints, access requests, and any other issues concerning your organization’s
compliance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S.
DPF, and/or the Swiss-U.S. DPF);

i. Name;
ii. Job title;
iii. Phone number; and
iv. E‐mail address
c. Organization Corporate Officer (the individual certifying your organization’s compliance
with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the
Swiss-U.S. DPF);
i.

Name;

ii.

Job title;

iii.

Phone number; and

iv.

E‐mail address

d. Mailing Address

3) Please verify whether your organization wishes to withdraw from part(s) of the DPF program:
a. Yes; or
b. No.
If your organization wishes to withdraw from part(s) of the DPF program, select the relevant part(s):
EU-U.S. DPF

4) With regard to personal data received in reliance on the relevant part(s) of the DPF program, please
verify that your organization will:
a. Retain such data, continue to apply the DPF Principles to such data, and affirm to the ITA
on an annual basis its commitment to apply the DPF Principles to such data;

b. Retain such data and provide “adequate” protection for such data by another authorized
means; or
c. Return or delete such data.  If so, specify the date by which all such data was returned or
deleted.

If your organization intends to re-certify its compliance with the relevant part(s) of the DPF program: 

5) Please verify that, during the lapse of your organization’s certification status, your organization
applied the DPF Principles to personal data received under the relevant part(s) of the DPF
program.

6) Please clarify what steps your organization will take to address the outstanding issues that have
delayed its re-certification: (select all that apply)
a. Submit re-certification application;
b. Make appropriate revisions to privacy policy statements;
c. Make privacy policy statements available for review;
d. Clarify selection of or put in place an appropriate independent recourse mechanism;
e. Submit payment for the relevant DPF fees;
f.

Other step(s) (please describe).