instr_DPF self-cert form_draft 06-01-23

Download: docx | pdf

Data Privacy Framework (DPF) Program Self-Certification / Re-Certification Application Form

This application form has been optimized for Chrome, Edge, Firefox, and Safari.

Getting Started

A Federal agency may not conduct or sponsor an information collection subject to the requirements of the Paperwork Reduction Act of 1995 unless the information collection has a currently valid OMB Control Number. The approved OMB Control Number for this information collection is 06XX-XXXX (expires MM/DD/YYYY). Without this approval, we could not conduct this information collection. Public reporting for this information collection is estimated to be approximately 40 minutes per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the information collection. All responses to this information collection are voluntary. Send comments regarding this burden estimate or any other aspect of this information collection, including suggestions for reducing this burden to ITA Paperwork Reduction Act Officer at [email protected].

The OMB control number and expiration date cited above relate to the form itself rather than your organization's self-certification to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Self-certifying an Organization's Compliance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF:

Please review the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and prepare the required information before completing this form.

• To proceed, please confirm, by checking this box, that you have reviewed the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and prepared the required information cited above.

If you have any difficulty completing this form or have questions concerning the Data Privacy Framework (DPF) program self-certification process, please contact the Data Privacy Framework (DPF) team at the International Trade Administration, U.S. Department of Commerce online, whenever possible, via the DPF program website by using the Assistance tool provided above, or by phone at 202-482-1512. 

Please indicate with which of the following your organization self-certifies its compliance:

• EU-U.S. Data Privacy Framework (EU-U.S. DPF)

• UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF)

• Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

Additional information regarding the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, including the annual fee payable to the U.S. Department of Commerce’s International Trade Administration (ITA) to participate in the DPF program, is available on the DPF program website at: [URL TBD]

Organization Information

*Organization Legal Name (i.e., legal name of self-certifying U.S. organization)

Organization Display Name (i.e., this name, along with the legal name, would be displayed on the Data Privacy Framework List if the organization is placed on that public list)

*Address

*City

*U.S. State or Territory

*Zip Code

Contact Information

Note: You must include at least one Organization Contact, as well as one Organization Corporate Officer.

Organization Contact

Provide a contact office and individual within your organization for the handling of complaints, access requests, and any other issues concerning your organization's compliance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF.

Organization Corporate Officer

Provide the individual certifying your organization’s compliance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, including such compliance by all of your organization’s U.S. entities or U.S. subsidiaries that it intends to be covered under its self-certification.

Organization Characteristics

Indicate your organization's annual revenue.

Note: This information will be used to determine the fee your organization must pay to self-certify to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and will not be publicly disclosed on the DPF program website.

*Annual Revenue

Although your organization is not required to do so for purposes of its self-certification, please indicate the number of employees in your organization.

Note: This information will not be publicly disclosed on the DPF program website.

Number of Employees

Although your organization is not required to do so for purposes of its self-certification, please select the industry sector(s) applicable to your organization.

Note: This information will be publicly disclosed on the DPF program website.

Other Covered U.S. Entities and U.S. Subsidiaries

List all U.S. entities or U.S. subsidiaries of your organization that are also adhering to the EU-U.S. DPF Principles, including as applicable under the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles and are covered under your organization's self-certification.

Note: The references to an organization in this form, as well as in the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles, include all covered U.S. entities and U.S. subsidiaries listed herein. Neither non-U.S. entities nor non-U.S. subsidiaries should be listed in this section of the form. In addition, the self-certifying organization itself should not be listed in this section of the form (i.e., as this section concerns other covered U.S. entities and U.S. subsidiaries).

New Covered Entity or Subsidiary

Covered Data and Dispute Resolution

EU-U.S. Data Privacy Framework (EU-U.S. DPF)

Which types of personal data do your Organization’s commitments cover under the EU-U.S. DPF?

Personal Data other than Human Resources Data

Note: For purposes of this form the term human resources data (human resources sometimes being abbreviated in this form and on the DPF program website as “HR”) refers to personal data about employees, past or present, collected in the context of the employment relationship. Examples of other types of personal data that could be covered include the following: customer or client non-HR data, as well as visitor data, and clinical trial data.

• Personal data other than human resources data

Note regarding the independent recourse mechanism available to investigate unresolved complaints: If your organization wishes its commitments under the EU-U.S. DPF to cover personal data transferred from the European Union other than human resources data, on an annual basis your organization must designate a private sector developed independent recourse mechanism or choose to cooperate with the EU data protection authorities (DPAs) and have a DPA panel serve as your organization’s independent recourse mechanism. Your organization’s annual selection will apply to all information received by your organization under the EU-U.S. DPF other than human resources data.

Designate a Recourse Mechanism

Recourse Mechanisms

• Insights Association Privacy Shield Program

• PrivacyTrust Privacy Shield Program

• BBB EU Privacy Shield Program

• ANA Privacy Shield Program

• EU Data Protection Authorities (DPAs)

• ICDR/AAA Privacy Shield Program

• JAMS Privacy Shield Program

• TRUSTe

• VeraSafe Privacy Shield Program

• NEW REOURSE MECHANISM

Human Resources Data

• Human resources data

Note regarding the independent recourse mechanism available to investigate unresolved complaints: If your organization wishes its commitments under the EU-U.S. DPF to cover human resources data transferred from the European Union for use in the context of the employment relationship, your organization must declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the EU-U.S. DPF Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities and that your organization will comply with the advice given by such authorities.

• My organization receives or processes human resources data from the European Union for use in the context of the employment relationship under the EU-U.S. DPF and agrees to cooperate with the EU data protection authorities (DPAs) and comply with the advice given by such authorities with respect to this data.

Briefly describe the purposes for which your organization processes personal data in reliance on the Data Privacy Framework(s), including the types of personal data processed by your organization (e.g., organization, customer, client, visitor, and clinical trial data) and, if applicable, the type of third parties to which it discloses such personal information.

*Purpose(s) of Collecting Data

Covered Data and Dispute Resolution

UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF)

Which types of personal data do your Organization’s commitments cover under the UK Extension to the EU-U.S. DPF?

Personal Data other than Human Resources Data

Note: For purposes of this form the term human resources data (human resources sometimes being abbreviated in this form and on the DPF program website as “HR”) refers to personal data about employees, past or present, collected in the context of the employment relationship. Examples of other types of personal data that could be covered include the following: customer or client non-HR data, as well as visitor data, and clinical trial data.

• Personal data other than human resources data

Note regarding the independent recourse mechanism available to investigate unresolved complaints: If your organization wishes its commitments under the UK Extension to the EU-U.S. DPF to cover personal data transferred from the United Kingdom other than human resources data, on an annual basis your organization must designate a private sector developed independent recourse mechanism or choose to cooperate with the UK Information Commissioner’s Office (UK ICO) for such data transferred from the United Kingdom. Your organization’s annual selection will apply to all information received by your organization under the UK Extension to the EU-U.S. DPF other than human resources data.

Designate a Recourse Mechanism

Recourse Mechanisms

• Insights Association Privacy Shield Program

• PrivacyTrust Privacy Shield Program

• UK Information Commissioner’s Office (ICO)

• BBB EU Privacy Shield Program

• ANA Privacy Shield Program

• ICDR/AAA Privacy Shield Program

• JAMS Privacy Shield Program

• TRUSTe

• VeraSafe Privacy Shield Program

• NEW RECOURSE MECHANISM
  
  
  

Human Resources Data

• Human resources data

Note regarding the independent recourse mechanism available to investigate unresolved complaints: If your organization wishes its commitments under the UK Extension to the EU-U.S. DPF to cover human resources data transferred from the United Kingdom for use in the context of the employment relationship, your organization must declare its commitment to cooperate with the UK authority concerned in conformity with the EU-U.S. DPF Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities, as applied under the UK Extension to the EU-U.S. DPF, and that your organization will comply with the advice given by the UK Information Commissioner’s Office (UK ICO).

• My organization receives or processes human resources data from the UK for use in the context of the employment relationship under the UK Extension to the EU-U.S. DPF and agrees to cooperate with the UK Information Commissioner’s Office (UK ICO) and comply with the advice given by the UK ICO with respect to this data.

Covered Data and Dispute Resolution

Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

Which types of personal data do your Organization’s commitments cover under the Swiss-U.S. DPF?

Personal Data other than Human Resources Data

Note: For purposes of this form the term human resources data (human resources sometimes being abbreviated in this form and on the DPF program website as “HR”) refers to personal data about employees, past or present, collected in the context of the employment relationship. Examples of other types of personal data that could be covered include the following: customer or client non-HR data, as well as visitor data, and clinical trial data.

• Personal data other than human resources data

Note regarding the independent recourse mechanism available to investigate unresolved complaints: If your organization wishes its commitments under the Swiss-U.S. DPF to cover personal data transferred from Switzerland other than human resources data, on an annual basis your organization must designate a private sector developed independent recourse mechanism or choose to cooperate with the Swiss Federal Data Protection and Information Commissioner (Swiss FDPIC) for such data transferred from Switzerland. Your organization’s annual selection will apply to all information received by your organization under the Swiss-U.S. DPF other than human resources data.

Designate a Recourse Mechanism

Recourse Mechanisms

• Insights Association Privacy Shield Program

• PrivacyTrust Privacy Shield Program

• Swiss Federal Data Protection and Information Commissioner (FDPIC)

• BBB EU Privacy Shield Program

• ANA Privacy Shield Program

• ICDR/AAA Privacy Shield Program

• JAMS Privacy Shield Program

• TRUSTe

• VeraSafe Privacy Shield Program

• NEW RECOURSE MECHANISM
  
  
  

Human Resources Data

• Human resources data

Note regarding the independent recourse mechanism available to investigate unresolved complaints: If your organization wishes its commitments under the Swiss-U.S. DPF to cover human resources data transferred from Switzerland for use in the context of the employment relationship, your organization must declare its commitment to cooperate with the Swiss Federal Data Protection and Information Commissioner (Swiss FDPIC) in conformity with the Swiss-U.S. DPF Supplemental Principles on Human Resources Data and the Role of the Federal Data Protection and Information Commissioner and that your organization will comply with the advice given by the Swiss FDPIC.

• My organization receives or processes human resources data from Switzerland for use in the context of the employment relationship under the Swiss-U.S. DPF and agrees to cooperate with the Swiss Federal Data Protection and Information Commissioner (Swiss FDPIC) and comply with the advice given by the Swiss FDPIC with respect to this data.

Enforcement and Verification

Which appropriate U.S. statutory body has jurisdiction to investigate claims against your organization regarding possible unfair or deceptive practices and violations of laws or regulations covering privacy?

Note: To be transferred in reliance on the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, personal data must be processed in connection with an activity that is subject to the jurisdiction of at least one appropriate statutory body listed below to investigate.

•  Federal Trade Commission

•  U.S. Department of Transportation
  List any privacy program in which your organization is a member:
  
  
  

What is your organization's verification method?

Note: Your organization must indicate whether the verification performed is through self-assessment or outside compliance reviews in conformity with the Supplemental Principle on Verification. If your organization has chosen an Outside Compliance Review, identify and provide a web address for the third party that conducts such reviews.

My organization's verification method is:

• Self-Assessment

• Outside Compliance Review

Privacy Policies

If your organization is self-certifying for the first time, upload a copy of your organization’s relevant draft privacy policy. The draft privacy policy must be consistent with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. Once the U.S. Department of Commerce’s International Trade Administration (ITA) has determined that your organization’s DPF submission is otherwise complete, the DPF team will notify you to publish the DPF-consistent privacy policy, which must include a statement that your organization adheres to the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (as applicable). In addition, if your organization intends to cover under its self-certification personal data transferred from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF, it must clearly indicate that its adherence to the EU-U.S. DPF Principles extends to such personal data. Your organization may not indicate participation in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF in its published privacy policy or other public documents until the DPF team notifies your organization that it may do so.

Note regarding privacy policies applicable to personal data other than human resources data: An organization that covers personal data other than human resources data under its self-certification is required to make available to the general public the relevant privacy policy that covers such data. If your organization has a public website, provide the relevant web address where the DPF-consistent privacy policy is (or, in the case of first-time certifiers, will be) available. If your organization does not have a public website, provide information regarding where the DPF-consistent privacy policy is (or, in the case of first-time certifiers, will be) available for viewing by the general public and provide a copy of that privacy policy to the ITA by uploading such a copy to its self-certification submission (n.b., an uploaded copy of the policy would be made available on the DPF program website if your organization is placed on the Data Privacy Framework List).

Note regarding privacy policies applicable to human resources data: Although an organization that covers human resources data under its self-certification is not required to make available to the general public the relevant privacy policy that exclusively covers human resources data, it must provide information regarding where the DPF-consistent human resources privacy policy is (or, in the case of first-time certifiers, will be) available for viewing by affected employees and provide a copy of that privacy policy to the ITA by uploading such a copy to its self-certification submission (n.b., an uploaded copy of the policy would not be made available on the DPF program website even if your organization is placed on the Data Privacy Framework List).

New Policy

Submit Payment and Application

Before submitting the application and applicable processing fee, please click here to review information regarding the additional self-certification requirements that your organization must fulfill before the U.S. Department of Commerce can finalize the self-certification submission.

Application Processing Fee: 

The U.S. Department of Commerce’s International Trade Administration (ITA) has implemented a cost recovery program to support the operation of the DPF program, which requires U.S. organizations to pay an annual fee to the ITA in order to participate in the DPF program. The cost recovery program will support the administration and supervision of the DPF program and support the provision of DPF-related services, including education and outreach. The fee a given organization is charged is based on the organization's annual revenue.

By clicking the Pay button on this page you will be redirected to the Pay.gov payment site where you will submit your payment information. Once you have submitted your payment information you will be redirected back to this site, so that you can complete your payment and submit your organization's self-certification application for review.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Modified	0000-00-00
File Created	0000-00-00