Helpful Hints Prior to Self-Certifying to the Safe Harbor

Prior to submitting your organization's self-certification form to the Department of Commerce, we recommend that you follow these helpful hints. These should be read in conjunction with the Safe Harbor Workbook and the complete set of Safe Harbor Documents. Following these helpful hints will help to ensure that your organization is meeting the requirements for self-certification, as set forth in FAQ 6:

Confirm That Your Organization is Subject to the Jurisdiction of Either the U.S. Federal Trade Commission or the U.S. Department of Transportation: Any U.S. organization that is subject to the jurisdiction of the Federal Trade Commission (FTC), or any U.S. air carrier or ticket agent subject to the jurisdiction of the Department of Transportation (DoT), may participate in the Safe Harbor. The FTC and DoT have both stated in letters to the European Commission (located under Safe Harbor Documents, Letters G & H) that they will take enforcement action against organizations that state that they are in compliance with the Safe Harbor but then fail to live up to their statements. If you are uncertain whether your organization falls under the jurisdiction of either the FTC or DoT, contact those agencies for more information.

Develop a Safe Harbor Compliant Privacy Policy Statement: Remember to develop a Safe Harbor compliant privacy policy statement before submitting a self-certification form to the Department of Commerce.

Make Sure That Your Privacy Policy Statement Conforms to the Safe Harbor Principles: In order for a privacy policy to be compliant with the Safe Harbor, the privacy policy statement must conform to the seven Privacy Principles and any relevant points that are covered in the Frequently Asked Questions (FAQs) - both located in Safe Harbor Documents. In addition, the privacy policy statement should reflect your actual and anticipated information handling practices. It is also important to write a policy that is clear, concise and easy to understand.

Make Specific Reference to Your Organization's Safe Harbor Adherence in the Text of Your Organization's Privacy Policy: FAQ 6 requires all organizations that self-certify to state in their relevant published privacy policy statements that they adhere to the Safe Harbor Principles.

Provide an Accurate Privacy Policy Statement Location and Make Sure that Your Privacy Policy Statement is Available to the Public: At the time of self-certification, all organizations must provide an accurate and publicly available location for their applicable privacy statement. If your organization decides to post its privacy policy statement on an Internet or Intranet site, it must provide an accurate link to the statement on the organization's Safe Harbor self-certification form. In addition, the organization should verify that its privacy policy statement is effective prior to self-certification.

Establish Your Organization's Independent Recourse Mechanism: Under the Safe Harbor's Enforcement Principle, organizations self-certifying to Safe Harbor must establish an independent recourse mechanism available to investigate unresolved complaints. (See FAQ 11 for more information regarding dispute resolution under Safe Harbor). The organization must ensure that its recourse mechanism is in place prior to self-certification.

Organizations self-certifying to Safe Harbor may choose to use private sector dispute resolution programs. While programs vary, organizations such as BBB OnLine, TRUSTe, AICPA WebTrust, the Direct Marketing Association, the Entertainment Software Rating Board, JAMS and the American Arbitration Association have developed programs that assist in compliance with the Safe Harbor's Enforcement Principle and FAQ 11.

Alternatively, organizations may choose to cooperate and comply with the European Data Protection Authorities (DPAs). In doing so, the organization must follow the procedures outlined in FAQ 5. If human resources data is being covered in the organization's self-certification, the organization must agree to cooperate and comply with the DPAs for purposes of handling unresolved complaints. Additional guidance for the handling of human resources data under the Safe Harbor is provided in FAQ 9.

Please note that organizations that choose to use the European Data Protection Authorities for dispute resolution will be required to pay an annual fee of US $50 to cover the operating costs of the Data Protection Authorities' panel. This fee is payable to the United States Council for International Business (c/o Mr. Paul Cronin, U.S. Council for International Business (USCIB); 1212 Avenue of the Americas; New York, NY 10036), which has agreed to act as trusted third party for this purpose.

Please see FAQ 5 for more details regarding the role of the Data Protection Authorities. Should you need further information on how to make the payment, please contact Mr. Paul Cronin, USCIB, at 212-354-4480 or pcronin@uscib.org. If, on the other hand, you require more information on how cooperation and compliance with the EU DPAs works, please contact the Secretariat of the Data Protection Panel at ec-dppanel-secr@cec.eu.int.

Ensure That Your Organization's Verification Mechanism is in Place: As discussed in FAQ 7, organizations self-certifying to Safe Harbor are required to have procedures in place for verifying compliance. To meet this requirement, an organization may use a self-assessment or an outside/third-party assessment program. For additional guidance on the Safe Harbor's verification requirement, please see FAQ 7.

Designate a Contact Point Within Your Organization Regarding Safe Harbor: Each organization is required to provide a contact point for the handling of questions, complaints, access requests, and any other issues arising under the Safe Harbor. This contact point can be either the corporate officer who is certifying the company's adherence to Safe Harbor or another official within the organization, such as a Chief Privacy Officer.

We hope that these hints prove helpful as you work to achieve compliance with the Safe Harbor. Further questions on the Safe Harbor self-certification process or other questions concerning compliance with the European Union data protection requirements may be directed to:

Damon Greer,
U.S. Department of Commerce,
International Trade Administration,
(202) 482-5023,
Damon.Greer@mail.doc.gov