- The EU-U.S. Privacy Shield provides for oversight and enforcement mechanisms in order to verify and ensure that U.S. self-certified companies comply with the Principles and that any failure to comply is addressed. These mechanisms are set out in the Principles (Annex II) and the commitments undertaken by the Department of Commerce (Annex I), the FTC (Annex IV) and the Department of Transportation (Annex V).
- To ensure the proper application of the EU-U.S. Privacy Shield, interested parties, such as data subjects, data exporters and the national Data Protection Authorities (DPAs), must be able to identify those organisations adhering to the Principles. To this end, the Department of Commerce has undertaken to maintain and make available to the public a list of organisations that have self-certified their adherence to the Principles and fall within the jurisdiction of at least one of the enforcement authorities referred to in Annexes I and II to this decision (‘Privacy Shield List’). The Department of Commerce will update the list on the basis of an organisation’s annual re-certification submissions and whenever an organisation withdraws or is removed from the EU-U.S. Privacy Shield. It will also maintain and make available to the public an authoritative record of organisations that have been removed from the list, in each case identifying the reason for such removal. Finally, it will provide a link to the list of Privacy Shield-related FTC enforcement cases maintained on the FTC website.
- Organisations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List and must return or delete the personal data received under the EU-U.S. Privacy Shield. In other cases of removal, such as voluntary withdrawal from participation or failure to recertify, the organisation may retain such data if it affirms to the Department of Commerce on an annual basis its commitment to continue to apply the Principles or provides adequate protection for the personal data by another authorised means (e.g. by using a contract that fully reflects the requirements of the relevant standard contractual clauses approved by the Commission). In this case, an organisation has to identify a contact point within the organisation for all Privacy Shield-related questions.
- The Department of Commerce will monitor organisations that are no longer members of the EU-U.S. Privacy Shield, either because they have voluntarily withdrawn or because their certification has lapsed, to verify whether they will return, delete or retain the personal data received previously under the framework. If they retain these data, organisations are obliged to continue to apply the Principles to them. In cases where the Department of Commerce has removed organisations from the framework due to a persistent failure to comply with the Principles, it will ensure that those organisations return or delete the personal data they had received under the framework.
- On an ongoing basis, the Department of Commerce will conduct ex officio compliance reviews of self-certified organisations, including through sending detailed questionnaires. It will also systematically carry out reviews whenever it has received a specific (non-frivolous) complaint, when an organisation does not provide satisfactory responses to its enquiries, or when there is credible evidence suggesting that an organisation may not be complying with the Principles. Where appropriate, the Department of Commerce will also consult with DPAs about such compliance reviews.
Information about the management of the Privacy Shield List can be found in Annex I and Annex II (Sec. I.3, Sec. I.4, III.6.d, and Sec. III.11.g).
See e.g. Annex II, Sec. I.3, Sec. III.6.f. and Sec. III.11.g.i.
See Annex I, section on ‘Search for and Address False Claims of Participation’.
See Annex II, Sec. III.6.h. and Sec. III.11.f.
See Annex I.