DATA PRIVACY FRAMEWORK PROGRAM RE-CERTIFICATION EMAIL

The Data Privacy Framework certification program, an offering we can assist with, sends out reminder emails like the one below for the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. These re-certification emails go out before your renewal is due.
Right now there is a lot of discussion about what the current U.S. administration will do about cross-border data transfers, but as of now the program is still live and active. Below is an overview of the self-certification email for those operating in and transferring data in and out of Europe, the United Kingdom, and Switzerland.
DATA PRIVACY FRAMEWORK PROGRAM RE-CERTIFICATION REMINDER 

Our records indicate that the original EU-U.S. Data Privacy Framework self-certification for ***This Would Be Your Business's Name*** was finalized on XX/XX/XXXX (Date of last renewal). If your organization wishes to continue to participate in the EU-U.S. Data Privacy Framework, it must re-certify annually to the ITA that it continues to adhere to the DPF Principles with regard to personal data received in reliance on the relevant part(s) of the Data Privacy Framework (DPF) program; otherwise, it will be removed from the Data Privacy Framework List with regard to said part(s) of the DPF program and will no longer be entitled to receive personal data pursuant to said part(s) of the DPF program. Your organization must re-certify to or withdraw from the EU-U.S. Data Privacy Framework by XX/XX/XXXX (Date of Renewal).

NOTIFICATION OF CHANGE IN CORPORATE STATUS

Your organization must notify the ITA in advance if there will be a change in your organization’s corporate status, such as a result of a merger, takeover, bankruptcy or dissolution. The notification should indicate whether your organization will:

  • Continue to participate in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF through an existing self-certification (e.g., as a subsidiary of the acquiring entity that already participates in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF);
  • Self-certify as a new participant in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF (e.g., where the new entity or surviving entity does not already have an existing self-certification through which it could participate); or
  • Withdraw from the EU-U.S. DPF and/or, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF.

REMOVAL FROM THE DATA PRIVACY FRAMEWORK

The ITA will remove an organization from the Data Privacy Framework List with regard to the relevant part(s) of the DPF program if it voluntarily withdraws or if it fails to complete its annual re-certification to the ITA. Such an organization must:

  • Continue to apply the DPF Principles to the personal information it received under the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and affirm to the ITA on an annual basis its commitment to do so, for as long as it stores, uses or discloses such data; otherwise, the organization must return or delete the data or provide “adequate” protection for the data by another authorized means;
  • Cease making any explicit or implicit claims, whether on its website or in other materials (e.g., any privacy policy or marketing materials), that it participates in or complies with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and may receive personal data pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF; and
  • Complete and submit to the ITA the appropriate questionnaire(s) in which it verifies what it will do and/or has done (as applicable) with the personal data that it received in reliance on its participation in the DPF program. (See Administration of the Data Privacy Framework (DPF) Program for more information about the questionnaires).
  • The organization must verify whether it intends to re-certify or instead intends to withdraw.
  • An organization that intends to re-certify must further verify to the ITA that during the lapse of its certification status it applied the DPF Principles to relevant personal data received in reliance on its participation in the relevant part(s) of the DPF program and clarify what steps it will take to address the outstanding issues that have delayed its re-certification.
  • An organization that intends to withdraw must further verify to the ITA what it will do and/or has done (as applicable) with the relevant personal data that it received in reliance on its participation in the relevant part(s) of the DPF program (i.e., (a) retain such data, continue to apply the DPF Principles to such data, and affirm to the ITA on an annual basis its commitment to apply the DPF Principles to such data; (b) retain such data and provide “adequate” protection for such data by another authorized means; or (c) return or delete all such data by a specified date) and who within the organization will serve as an ongoing point of contact for DPF-related questions.

The ITA will also remove an organization from the Data Privacy Framework List with regard to the relevant part(s) of the DPF program if it has persistently failed to comply with the DPF Principles with regard to said part(s) of the DPF program. Such an organization must:

  • Return or delete the personal information it received under the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF; and
  • Cease making any explicit or implicit claims, whether on its website or in other materials (e.g., any privacy policy or marketing materials), that it participates in or complies with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and may receive personal data pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF.

DATA PRIVACY FRAMEWORK PROGRAM ENFORCEMENT 

Organizations that misrepresent their participation in or compliance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, including where they represent that they are participating in said part(s) of the DPF program after having been removed from the Data Privacy Framework List with regard to said part(s) of the DPF program, may be subject to enforcement action by the Federal Trade Commission, the U.S. Department of Transportation or other relevant government body. Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive acts in or affecting commerce (15 U.S.C. § 45). Section 41712 of the Transportation Code prohibits ticket agents and air carriers from engaging in unfair or deceptive practices and unfair methods of competition in air transportation or the sale of air transportation (49 U.S.C. § 41712). Misrepresentations to the U.S. Department of Commerce may be actionable under the False Statements Act (18 U.S.C. § 1001).

DATA PRIVACY FRAMEWORK TEAM CONTACT INFORMATION 

If your organization has any questions concerning the DPF program, please contact the DPF team online by submitting a new case via the assistance page (Data Privacy Framework assistance) or by sending an e-mail message to dpf.program@trade.gov. Please ensure that your organization’s name appears in the subject line of such e-mail messages and reply whenever possible to relevant, preexisting e-mail chains rather than starting new e-mail chains. Your organization may leave a voicemail message at 202-482-1512; however, written communication is preferred.

Sincerely,

Data Privacy Framework (DPF) Team

International Trade Administration

U.S. Department of Commerce
