How does an organization self-certify that it adheres to the Safe Harbor Principles?
Safe Harbor benefits are assured from the date on which an organization self-certifies to the Department of Commerce (or its designee) its adherence to the Principles in accordance with the guidance set forth below.
To self-certify for the Safe Harbor, organizations can provide to the Department of Commerce (or its designee) a letter – signed by a corporate officer on behalf of the organization that is joining the Safe Harbor – that contains at least the following information:
Name of the organization, mailing address, e-mail address, telephone and fax numbers;
Description of the activities of the organization with respect to personal information received from Switzerland; and
Where the organization wishes its Safe Harbor benefits to cover human resources information transferred from Switzerland for use in the context of the employment relationship, it may do so where there is a statutory body with jurisdiction to hear claims against the organization arising out of human resources information that is listed in the annex to the Principles. In addition, the organization must indicate this in its letter and declare its commitment to cooperate with the Commissioner or authorities concerned in conformity with the FAQ 9: Human Resources and the FAQ 5: The Role of the Commissioner as applicable and that it will comply with the advice given by such authorities.
The undertaking to adhere to the Safe Harbor Principles is not time-limited in respect of data received during the period in which the organization enjoys the benefits of the Safe Harbor. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Safe Harbor for any reason.
An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of Commerce (or its designee) of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will: (1) continue to be bound by the Safe Harbor Principles by the operation of law governing the takeover or merger or (2) elect to self-certify its adherence to the Safe Harbor Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Safe Harbor Principles. Where neither (1) nor (2) apply, any data that has been acquired under the Safe Harbor must be promptly deleted.
An organization does not need to subject all personal information to the Safe Harbor Principles, but it must subject to the Safe Harbor Principles all personal data received from Switzerland after it joins the Safe Harbor.
Any misrepresentation to the general public concerning an organization’s adherence to the Safe Harbor Principles may be actionable by the Federal Trade Commission or other relevant government body. Misrepresentations to the Department of Commerce (or its designee) may be actionable under the False Statements Act (18 U.S.C. § 1001).