Privacy Policy Requirements
As part of the application process for BBB National Programs Data Privacy Framework Services, a draft of your organization’s privacy policy must be made available for our review and approval before we can confirm your company's participation. The privacy policy must comply both with our program requirements and with the requirements of the U.S. Department of Commerce for participants in the Data Privacy Framework Program. We will provide hands-on assistance and step-by-step instructions for aligning your policy with these requirements after you apply.
Before applying, please closely review the steps below to ensure you are fully prepared for the self-certification process.
After your self-certification is approved, your Data Privacy Framework Program notice must be accurate, comprehensive, prominently displayed, completely implemented, and accessible.
As the Principles require, “This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.” Section II(1)(b).
The following is a brief overview of each key privacy policy element, as required by the Notice Principle.
- Legal name and subsidiaries. State your organization’s legal name and, where applicable, list any U.S. subsidiaries or affiliates also adhering to the Principles. If you do intend to cover an affiliate or subsidiary under the same account, that entity must abide by the same privacy policy as the primary company and must share a single point of contact for complaints. After approval, this common corporate privacy policy must be posted on the primary company’s website and all covered subsidiary websites. Otherwise, the subsidiary or affiliate will need to submit a separate application. NOTE: All subsidiaries and affiliates that you wish to be covered by BBB National Programs must be listed in your Participation Agreement.
- Affirmation statement. State your organization’s adherence to the Principles with respect to personal data received from the EU, UK, and/or Switzerland. The affirmation statement must also include a link to the Department of Commerce Data Privacy Framework Program list. See sample language in step 2.
- Types of data. Describe, either in your Notice or within the rest of your privacy policy, the types of personal data your company is collecting and processing under this program (e.g., name, email address, biometric information, location information, etc.).
- Purposes of processing. Describe the purposes for which each type of personal data is being collected and used (e.g., sales, marketing, order fulfillment, research).
- Individual rights. Inform individuals whose personal data you are processing of their right to access, correct, or delete their personal data.
- Choice. Describe the choices and means your organization offers individuals for limiting use and disclosure of their personal data.
- Third-party sharing and purposes of sharing. Either describe the types of third parties (e.g., business partners, advertisers, vendors) or identify by name the specific third parties to which your organization discloses personal information. Also, state the purposes for which you disclose personal information to each third party.
- Government access. Disclose that your organization may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
- Onward transfer. Note your company’s potential liability in cases of onward transfers of relevant data to third parties.
- Complaint contact. List a point of contact (a dedicated email address is best) within your organization for privacy inquiries and complaints. Where applicable, identify any “relevant establishment” of your organization in the EU, UK, or Switzerland (such as a parent company, affiliate, or branch office) that can handle inquiries and complaints on your behalf.
- Independent Recourse Mechanism. Identify BBB National Programs, your designated IRM for handling privacy complaints from EU, UK, and/or Swiss individuals, and include a working link to our complaint portal.
- Last-resort arbitration. Note that, under certain limited conditions, individuals may invoke binding arbitration to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
- Enforcement. State that your organization is subject to the investigatory and enforcement powers of, as applicable, the Federal Trade Commission, the Department of Transportation, or another U.S.-authorized statutory body.
Include an affirmative commitment to adhere to the Data Privacy Framework Principles and the Supplemental Principles. Included below for your reference are concise examples of compliant “affirmation statements.”
IF YOUR ORGANIZATION’S SELF-CERTIFICATION ONLY COVERS THE EU-U.S. DPF AND THE UK EXTENSION TO THE EU-U.S. DPF:
[INSERT your organization name] complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. [INSERT your organization name] has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
IF YOUR ORGANIZATION’S SELF-CERTIFICATION COVERS THE EU-U.S. DPF, THE UK EXTENSION, AND THE SWISS-U.S. DPF:
[INSERT your organization name] complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. [INSERT your organization name] has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. [INSERT your organization name] has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
IF YOUR ORGANIZATION’S SELF-CERTIFICATION ONLY COVERS THE EU-U.S. DPF AND THE SWISS-U.S. DPF:
[INSERT your organization name] complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. [INSERT your organization name] has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. [INSERT your organization name] has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
IF YOUR ORGANIZATION’S SELF-CERTIFICATION ONLY COVERS THE SWISS-U.S. DPF:
[INSERT your organization name] complies with the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. [INSERT your organization name] has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
IF YOUR ORGANIZATION’S SELF-CERTIFICATION ONLY COVERS THE EU-U.S. DPF:
In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), [INSERT your organization name] commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF. EU individuals with inquiries or complaints should first contact [INSERT your organization name and contact information here].
[INSERT your organization name] has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf
IF YOUR ORGANIZATION’S SELF-CERTIFICATION ONLY COVERS THE EU-U.S. DPF AND THE UK EXTENSION TO THE EU-U.S. DPF
In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, [INSERT your organization name] commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF. EU and UK individuals with inquiries or complaints should first contact [INSERT your organization name and contact information here].
[INSERT your organization name] has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf
IF YOUR ORGANIZATION’S SELF-CERTIFICATION COVERS THE EU-U.S. DPF, THE UK EXTENSION, AND THE SWISS-U.S. DPF
In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), [INSERT your organization name] commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact [INSERT your organization name and contact information here].
[INSERT your organization name] has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf
IF YOUR ORGANIZATION’S SELF-CERTIFICATION ONLY COVERS THE EU-U.S. DPF AND THE SWISS-U.S. DPF
In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), [INSERT your organization name] commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF and the Swiss-U.S. DPF. EU and Swiss individuals with inquiries or complaints should first contact [INSERT your organization name and contact information here].
[INSERT your organization name] has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf
IF YOUR ORGANIZATION’S SELF-CERTIFICATION ONLY COVERS THE SWISS-U.S. DPF
In compliance with the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), [INSERT your organization name] commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the Swiss-U.S. DPF. Swiss individuals with inquiries or complaints should first contact [INSERT your organization name and contact information here].
[INSERT your organization name] has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf
HR Data. Does your company process human resources (HR) data in the U.S. for your employees based in the EU, the UK, or Switzerland? Most participants use the Data Privacy Framework Program only for transfers of commercial Personal Data collected from consumers or others outside their organizations. However, some companies also wish to cover the internal HR Data of their EU, UK, or Swiss employees. If your organization also intends to cover HR Data under your certification, please ask us for our guidance.
GDPR. Many BBB National Programs participants are complying with the EU General Data Protection Regulation (GDPR)—or similar data protection laws—with respect to personal data collected in participating countries, while relying on the Data Privacy Framework Program as an authorized international transfer mechanism to enable them to receive this data in the United States. To avoid confusion about the complaint process, it is important to distinguish the obligations and data subject rights under the Data Privacy Framework Program from those under GDPR and similar laws. If your organization is addressing both in the same privacy notice, please carefully review our supplemental document.