Prior to submitting your organization's self-certification to the Department of Commerce, we recommend that you follow these helpful hints. These should be read in conjunction with the complete set of U.S.-Swiss Safe Harbor Framework Documents and the Safe Harbor Workbook. Following these helpful hints will help to ensure that your organization is meeting the requirements for self-certification, as set forth in FAQ 6.
Confirm that Your Organization is Subject to the Jurisdiction of the U.S. Federal Trade Commission or the U.S. Department of Transportation: Any U.S. organization that is subject to the jurisdiction of the Federal Trade Commission (FTC) or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DoT) may participate in the Safe Harbor. The FTC and DoT have both stated in letters to the Swiss Federal Data Protection and Information Commissioner (FDPIC) (located with the Framework documents under Letters G and H) that they will take enforcement action against organizations that state that they are in compliance with the Framework, but then fail to live up to their statements. If you are uncertain as to whether your organization falls under the jurisdiction of either the FTC or DoT, then please be sure to contact those agencies for more information.
Develop a Safe Harbor Compliant Privacy Policy Statement: Remember to develop a Safe Harbor compliant privacy policy before submitting your organization’s self-certification to the Department of Commerce.
Establish Your Organization's Independent Recourse Mechanism: Under the Framework’s Enforcement Principle, organizations self-certifying must establish an independent recourse mechanism available to investigate unresolved complaints. (See FAQ 11 for more information regarding dispute resolution under Safe Harbor.) Each organization must ensure that its recourse mechanism is in place prior to self-certification. In addition, each organization should include in its privacy policy an appropriate reference to the independent recourse mechanism(s), as well as relevant contact information for said mechanism(s).
Ensure that Your Organization's Verification Mechanism is in Place: As discussed in FAQ 7, organizations self-certifying their compliance with the Framework are required to have procedures in place for verifying compliance. To meet this requirement, an organization may use either a self-assessment or an outside/third-party assessment program. For additional guidance on the Framework's verification requirement, please see FAQ 7.
Designate a Contact within Your Organization Regarding Safe Harbor: Each organization is required to provide a contact for the handling of questions, complaints, access requests, and any other issues arising under the Safe Harbor. This contact can be either the corporate officer that is certifying your organization's compliance with the Framework, or another official within your organization, such as a Chief Privacy Officer.
We hope that these hints prove helpful as your organization works to achieve compliance with the Framework. Further questions regarding the Safe Harbor self-certification process or compliance with the Swiss data protection requirements may be directed to:
Safe Harbor Team Inbox
E-mail: safe.harbor@trade.gov
David Ritchie
U.S. Department of Commerce
International Trade Administration
Telephone: (202) 482-4936
E-mail: david.ritchie@trade.gov
Christopher Hoff
U.S. Department of Commerce
International Trade Administration
Telephone: (202) 482-3120
E-mail: christopher.hoff@trade.gov
U.S. Department of Commerce
Safe Harbor Frameworks
1401 Constitution Avenue, N.W.
Room 20007
Washington, D.C. 20230