Advisory: On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.” According to that decision, the U.S.-EU Safe Harbor Framework is not a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Please note that, pursuant to the Safe Harbor Frequently Asked Question on Self-Certification, the commitment to adhere to the Safe Harbor Principles is not time-limited, and a participating organization must continue to apply the Principles to data received under the Safe Harbor.

On July 12, U.S. Secretary of Commerce Penny Pritzker joined European Union Commissioner Věra Jourová to announce the approval of the EU-U.S. Privacy Shield Framework, which will replace the U.S.-EU Safe Harbor. Secretary Pritzker announced that the Department will start accepting certifications on August 1st.

As of August 1, the Department of Commerce will stop accepting new submissions for self-certification to the U.S.-EU Safe Harbor Framework. As of October 31, the Department will stop accepting U.S.-EU Safe Harbor re-certifications. The Department will maintain the U.S.-EU Safe Harbor List of participants.

Please note that this advisory does not apply to the U.S.-Swiss Safe Harbor Framework, which the Department will continue to administer.

For more information on the EU-U.S. Privacy Shield Framework, please visit https://www.privacyshield.gov
  • The organizations on this list have notified the Department of Commerce that they adhere to the U.S.-EU Safe Harbor Framework developed by the Department of Commerce in coordination with the European Commission. The U.S.-EU Safe Harbor Framework provides guidance for U.S. organizations on how to provide adequate protection for personal data from the EU as required by the European Union's Directive on Data Protection.
  • An organization's self-certification of compliance with the U.S.-EU Safe Harbor Framework and the appearance of the organization on this list pursuant to the self-certification, constitute an enforceable representation to the Department of Commerce and the public that it adheres to a privacy policy that complies with the U.S.-EU Safe Harbor Framework.
  • There are benefits to organizations that participate in the U.S.-EU Safe Harbor program, but participation in the U.S.-EU Safe Harbor Framework and self-certification to the list are voluntary. Once an entity elects to participate in the program, it is legally required to comply with the Safe Harbor Privacy Principles. An organization's absence from the list does not mean that it does not provide effective protection for personal data or that it does not qualify for the benefits of the U.S.-EU Safe Harbor program. In order to keep this list current, a notification will be effective for a period of twelve months; therefore, organizations must notify the Department of Commerce every twelve months to reaffirm their continued adherence to the U.S.-EU Safe Harbor Framework.
  • Organizations should notify the Department of Commerce if their representation to the Department is no longer valid. Failure by an organization to so notify the Department could constitute a misrepresentation.
  • An organization may withdraw from the list at any time by notifying the Department of Commerce. Withdrawal from the list terminates the organization's representation of adherence to the U.S.-EU Safe Harbor Framework, but this does not relieve the organization of its Safe Harbor obligations with respect to personal information received during the time that the organization was on the U.S.-EU Safe Harbor list.
  • If a relevant self-regulatory or government enforcement body finds that an organization has engaged in a persistent failure to comply with the U.S.-EU Safe Harbor Privacy Principles, then that organization is no longer entitled to the benefits of the U.S.-EU Safe Harbor program. In this case, the organization must promptly notify the Department of Commerce of such facts either by email or letter. Failure to do so may be actionable under the False Statements Act (18 U.S.C. 1001). That organization must also provide the Department of Commerce with a copy of the decision letter from the relevant self-regulatory or government enforcement body.
  • In maintaining the list, the Department of Commerce does not assess and makes no representations to the adequacy of any organization's privacy policy or its adherence to that policy. Furthermore, the Department of Commerce does not guarantee the accuracy of the list and assumes no liability for the erroneous inclusion, misidentification, omission, or deletion of any organization, or any other action related to the maintenance of the list.
Search by Organization Details         Show Details(...)
Organization Name:
Search Tip: Enter either (a) the exact Organization Name (e.g. The XYZ Corporation); or (b) the % symbol immediately before (i.e. no space) a word of consequence from the Organization Name (e.g. %XYZ)
Search Tip: Enter the Organization Contact name, Corporate Officer name or Zip Code
Search Tip: Enter a phrase or phrases enclosing each within quotation marks. Three types of phrase-based searches are possible: (1) a search for results containing a single phrase (e.g. “data protection authorities”); (2) a search for results containing all of the specified phrases (e.g. “data protection authorities” AND “DPAs”); and (3) a search for results containing any of the specified phrases (e.g. “data protection authorities” OR “DPAs”). This function is especially useful when searching for records that reference a particular Independent Recourse Mechanism or Verification Method.
Industry Sector:

Search Alphabetically for Organization Name         Show Details(...)


5469 Results
OrganizationU.S.-EU Certified ThroughPersonal Data
@legal discovery LLC04/27/2018All personal data/On-line/On-line
100 Spears, LLC d/b/a eWork05/15/2010On-line, off-line, human resource data
101 Distribution07/22/2010on-line, off-line
1010data Global Telecom Solutions LLC08/15/2016All personal information subject to the U.S.-EU and/or U.S.-Swiss Safe Harbor Privacy Principles (client data).
101domain, Inc06/25/2016Data collected directly on the Internet; Data collected manually via paper, phone, or tradeshows.
12 Forward Entertainment, LLC12/07/2014No
12 Interactive LLC07/06/2016user registration, personal information, user preferences, transactional data, online data
1992 International Ltd., dba, Sutton Associates06/19/2007all employment screening matters
1WorldSync, Inc.12/06/2016Personal information received about individual contacts of former, current and prospective customers.
2020 Research09/13/2016Market research data primarily dealing with consumer research.
23andMe, Inc.11/03/2016On-line data, offline data, manually processed data
247 Customer, Inc.10/13/2016Data collected through [24]7 predictive experience platform includes information collected through our services offered to our clients as a Software as a solution provider. The data collected can include Online, offline, chat data etc.
2Checkout.com, Inc.07/30/2017Personal Data of clients and their customers that is processed on-line, off-line and manually
2KDirect, Inc. (dba iPromote)01/30/2017iPromote collects data that is non-personally identifiable such as Internet protocol (IP) addresses, browser types, referring pages, operating system types, and date/time stamps. There are instances where a Web user may provide specific personal information in response to an ad containing a survey, purchase agreement, or registration questionnaire.
2sms10/13/2016online data, manually processed data.
2Wire, Inc. d/b/a Pace Americas06/03/2015The personal data transferred may include the IP address of the device. This information will be maintained primarily in an online database restricted to the use of Pace Americas and its corporate customers, and Pace Americas will maintain backups of this data offline. The data processed will not include any manually processed data or human resources data.
3 Story Software05/13/2017Off-line, on-line, manually processed data, human resources data.
3Cinteractive LLC09/15/2016Personal identifiable information, UID
3Cinteractive, LLC07/20/2016Personal identifiable information, UID
3D Systems Corporation11/08/2016Human Resources Data
3dna Corporation, Inc. dba NationBuilder04/16/2016Consumer data, digitally processed.
3Fitt, Inc.12/19/2016Customer/User data. There is no manually processed data.
3G SELLING LLC08/05/2015Client/Customer contact information such as name, email address, mailing address, phone number. Information about their business such as company name, company size, business type. May be online or data received offline.
3LZ International Corporation05/17/2011online
3M Company02/04/2017Employee personal data
411 Labs Inc06/29/2017Collaboration platform profile data, including: user number, user name, user phone (if completed), user address (if completed), email address.
41st Parameter04/27/2015Online
4Thought Marketing07/30/2017Organization, Client, Customer
5.11, Inc.10/23/2016The organization's employee data is manually entered into the HR/Payroll system initially then payroll becomes automatic; The types of customer personal information collected via e-commerce include: 1) Name; 2) Address ; 3) E-mail Address; 4) Phone Number; and 5) Credit/Debit Card Information.
500friends, Inc11/12/2015customer loyalty program data including email address, transaction history, loyalty program login credentials. We do not process or store payment information.