OMB control number
Self-Certifications under the Data Privacy Framework Program
OMB 0625-0280 · DOC/ITA.
The United States, the European Union (EU), the United Kingdom (UK), and Switzerland share a commitment to enhancing privacy protection, the rule of law, and a recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies, but take different approaches to doing so. Given those differences, the Department of Commerce (DOC) developed the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) in consultation with the European Commission, the UK Government, the Swiss Federal Administration, industry, and other stakeholders. These arrangements were respectively developed to provide U.S. organizations reliable mechanisms for personal data transfers to the United States from the European Union, the United Kingdom (and, as applicable, Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law. The DOC is issuing the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles, including the respective sets of Supplemental Principles (collectively the Principles) and Annex I of the Principles, as well as the UK Extension to the EU-U.S. DPF under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. 1512). The International Trade Administration (ITA) will administer and supervise the Data Privacy Framework program, including maintaining and making publicly available the Data Privacy Framework List, an authoritative list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Principles pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. 
On the basis of the Principles, Executive Order 14086, 28 CFR part 201, and accompanying letters and materials, including ITA's commitments regarding the administration and supervision of the Data Privacy Framework program, it is the DOC's expectation that the European Commission, the UK Government, and the Swiss Federal Administration will respectively recognize the adequacy of the protection provided by the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF thereby enabling personal data transfers from each respective jurisdiction to U.S. organizations participating in the relevant part of the Data Privacy Framework program. It is the DOC’s present expectation that the effective date of the EU-U.S. DPF Principles would coincide with the entry into force of the European Commission’s anticipated recognition of adequacy, whereas the respective effective dates of the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF Principles would occur before the entry into force of the anticipated, respective recognitions of adequacy (i.e., to enable U.S. organizations from the earliest possible date to self-certify their compliance with multiple parts of the Data Privacy Framework program). Personal data cannot be received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF until they have respectively received such recognition (i.e., until such formal recognition enters into force). To initially self-certify or subsequently re-certify for the EU-U.S. DPF and, as applicable, UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, an organization must on each occasion provide to the DOC a submission that contains the relevant information specified in the Principles. The submission must be made via the DOC's Data Privacy Framework program website by an individual within the organization who is authorized to make representations on behalf of the organization and any of its covered U.S. entities regarding its adherence to the Principles. Such an organization must respond promptly to inquiries and other requests for information from the DOC.
The latest form for Self-Certifications under the Data Privacy Framework Program expires 2026-07-31 and can be found here.
| Document Name |
|---|
| Supporting Statement A |

| | | |
|---|---|---|
| | Extension without change of a currently approved collection | 2026-06-01 |
| Approved without change | New collection (Request for a new OMB Control Number) | 2023-06-08 |
Compliance Review Questionnaire
Federal Enterprise Architecture: International Affairs and Commerce - Global Trade
| Form N/A | Compliance Review Questionnaire | Fillable Fileable | Form and instruction |
Review document collections for all forms, instructions, and supporting documents - including paper/printable forms.