How to Self-Certify Under the EU-US Data Privacy Framework (2025 Guide)

Learn how to self-certify under the EU-US Data Privacy Framework (DPF) in 2025. Step-by-step instructions, eligibility tips, and compliance insights for US businesses.

4/10/2025 · 2 min read

Introduction

If your company transfers personal data from the EU to the US, the EU-US Data Privacy Framework (DPF) may be your key to lawful, simplified data flows. But how do you actually become certified?

In this guide, we’ll walk you through how to self-certify under the DPF, what documents you’ll need, and how to stay compliant year after year.

What Is DPF Self-Certification?

The DPF is a data transfer mechanism whose adequacy decision the European Commission adopted in July 2023, replacing the Privacy Shield that the Court of Justice of the EU invalidated in 2020 (Schrems II). U.S. organizations can voluntarily self-certify to the U.S. Department of Commerce, publicly committing to apply the DPF Principles to the EU personal data they receive.

Self-certification is:

  • Voluntary to join, but binding once you are certified: your public commitment to the DPF Principles becomes enforceable under U.S. law (Section 5 of the FTC Act for most companies)

  • Available only to U.S. organizations subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation (DoT)

  • Recorded on the public Data Privacy Framework List maintained by the Department of Commerce

Who Can Self-Certify?

You’re eligible to self-certify if:

  • Your organization is based in the United States

  • Your organization is subject to FTC or DoT enforcement (most commercial companies qualify; banks, insurers, telecommunications common carriers and most non-profits fall outside FTC jurisdiction and cannot self-certify)

  • You receive EU personal data, whether as a controller or as a processor acting on a controller's instructions

SaaS providers, HR platforms, marketing tools, and cloud service companies are common candidates.

Step-by-Step: How to Self-Certify Under the DPF

Step 1: Assess Eligibility

  • Confirm that you're under FTC/DoT jurisdiction

  • Map all personal data from the EU/EEA you process or receive

Step 2: Update Your Privacy Policy

Your privacy notice must:

  • State that your organization participates in the DPF and adheres to the DPF Principles

  • Describe the rights EU individuals have under the DPF and the commitments you make to honor them

  • Name your designated independent recourse mechanism (IRM), e.g. BBB National Programs or TRUSTe, and explain how to use it

  • Explain how individuals can access their data, the choices they have (opt-out, or opt-in for sensitive data), and how you handle onward transfers to third parties

  • Provide a contact point for questions and complaints, and state that your commitments are subject to FTC or DoT enforcement

Step 3: Choose a Dispute Resolution Provider

You must designate a recognized IRM that handles complaints from EU individuals at no cost to them. If you certify HR data (personal data about EU employees collected in the employment relationship), you must instead commit to cooperate with the EU data protection authorities (DPA panel) and pay the associated annual fee to the Department of Commerce.

Example providers:

  • BBB National Programs

  • TRUSTe

  • JAMS

Some offer annual subscriptions bundled with support services.

Step 4: Prepare Internal Compliance Documents

Keep records of:

  • Data processing activities

  • Access rights handling

  • Onward transfer agreements

  • Data retention and security policies

The DPF verification principle requires you to confirm annually, through a self-assessment or an outside compliance review, that your published privacy policy is accurate and implemented. These records support that verification and will be needed in the event of an FTC or Department of Commerce inquiry, or a request from an EU controller or data protection authority (DPA).

Step 5: Submit the Application

Go to the Data Privacy Framework website and:

  • Complete the online self-certification form

  • Provide the required information, including your DPF-compliant privacy policy (a public URL, or an uploaded copy for a non-public HR policy)

  • Pay the annual fee (tiered based on annual revenue)

📌 The Department of Commerce usually processes applications within 30 days. Do not claim DPF participation in your privacy notice or marketing until your organization actually appears on the DPF List; a premature claim is itself a misrepresentation the FTC can act on.

Annual Re-Certification: Stay Compliant

Your certification is valid for one year. To renew:

  • Reassess your data practices

  • Update your privacy policy if needed

  • Pay the renewal fee

  • Confirm continued compliance with DPF principles

Failure to re-certify or to uphold your commitments may lead to FTC enforcement and removal from the DPF List. Note that leaving the program does not end your obligations: personal data received under the DPF must either be returned or deleted, or continue to be protected under the DPF Principles for as long as you keep it.

Common Mistakes to Avoid

  • ❌ Using outdated Privacy Shield language

  • ❌ Forgetting to include dispute resolution info in your privacy notice

  • ❌ Certifying but not updating internal data handling practices

  • ❌ Missing your re-certification deadline

Bonus: Get Expert Help with Your Certification

Not sure how to structure your privacy notice or complete your application?

👉 Contact us to get personalized help with your DPF certification, privacy policy update, and compliance documentation.