If you stop paying or do not renew your Data Privacy Framework registration you will receive a lapse notice. That notice will be titled with an email “Removal from Data Privacy Framework List: Lapse. If you’d like help renewing your Data Privacy Framework registration please reach out to us for help with the EU-US DPF.
This is Removal from Data Privacy Framework List: Lapse
As of (This will be the date of lapse) your organization(s), is publicly listed with the designation “INACTIVE-LAPSE” on the Data Privacy Framework List.
You are receiving this message because your organization has failed to complete its annual re-certification to the U.S. Department of Commerce’s International Trade Administration (ITA) regarding participation in the EU-U.S. Data Privacy Framework . As a result, the ITA has removed your organization from the Data Privacy Framework List with regard to EU-U.S. Data Privacy Framework and your organization may no longer receive personal data in reliance on EU-U.S. Data Privacy Framework.
LAPSE-RELATED OBLIGATIONS
Your organization must:
- Continue to apply the DPF Principles to the personal data it received under the EU-U.S. Data Privacy Framework and affirm to the ITA on an annual basis its commitment to do so, for as long as it stores, uses or discloses such data; otherwise, your organization must return or delete the data or provide “adequate” protection for the information by another authorized means;
- Cease making any explicit or implicit claims, whether on its website or in other materials (e.g., any privacy policy or marketing materials), that it participates in or complies with the EU-U.S. Data Privacy Framework and may receive personal data pursuant to the EU-U.S. Data Privacy Framework; and
- Complete and submit to the ITA the appropriate questionnaire(s) in which it verifies what it will do and/or has done (as applicable) with the personal data that it received in reliance on its participation in the relevant part(s) of the DPF program.
- Your organization must verify whether it intends to re-certify or instead intends to withdraw.
- If your organization intends to re-certify, it must further verify to the ITA that during the lapse of its certification status it applied the DPF Principles to personal data received in reliance on its participation in the relevant part(s) of the DPF program and clarify what steps it will take to address the outstanding issues that have delayed its re-certification.
- If your organization intends to withdraw, it must further verify to the ITA what it will do and/or has done (as applicable) with the relevant personal data that it received in reliance on its participation in the relevant part(s) of the DPF program (i.e., (a) retain such data, continue to apply the DPF Principles to such data, and affirm to the ITA on an annual basis its commitment to apply the DPF Principles to such data; (b) retain such data and provide “adequate” protection for such data by another authorized means; or (c) return or delete all such data by a specified date) and who within your organization will serve as an ongoing point of contact for DPF-related questions.
- Your organization must therefore complete and submit the “Failure to Re-certify Questionnaire” to the ITA. A copy of that questionnaire is available on the DPF program website at: How to Re-certify under the Data Privacy Framework (DPF) Program. The questionnaire is an electronically fillable form; therefore, responses must be made and saved directly within the form rather than handwritten and scanned. The completed questionnaire must be sent to dpf.program@trade.gov as an e-mail attachment.
DATA PRIVACY FRAMEWORK PROGRAM ENFORCEMENT
Organizations that misrepresent their participation in or compliance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, including where they represent that they are participating in said part(s) of the DPF program after having been removed from the Data Privacy Framework List with regard to said part(s) of the DPF program, may be subject to enforcement action by the Federal Trade Commission, the U.S. Department of Transportation or other relevant government body. Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive acts in or affecting commerce (15 U.S.C. § 45). Section 41712 of the Transportation Code prohibits ticket agents and air carriers from engaging in unfair or deceptive practices and unfair methods of competition in air transportation or the sale of air transportation (49 U.S.C. § 41712). Misrepresentations to the U.S. Department of Commerce may be actionable under the False Statements Act (18 U.S.C. § 1001).
DATA PRIVACY FRAMEWORK TEAM CONTACT INFORMATION
If your organization has any questions concerning the DPF program, please contact the DPF team online by submitting a new case via the assistance page (Data Privacy Framework assistance) or by sending an e-mail message to dpf.program@trade.gov. Please ensure that your organization’s name appears in the subject line of such e-mail messages and reply whenever possible to relevant, preexisting e-mail chains rather than starting new e-mail chains. Your organization may leave a voicemail message at 202-482-1512; however, written communication is preferred.
Thank you for your cooperation.
Sincerely,
Data Privacy Framework (DPF) Team
International Trade Administration
U.S. Department of Commerce
