Skip to main content

«Privacy Pact» is an online platform and service made accessible through the website to any users who agrees with the following Terms and Conditions. Users who would disagree with the present terms and conditions are requested not to use this website.

Privacy Pact enables legal entities (hereafter referred as the “Applicant” or “Applicants”) to publicly make a voluntary and legally binding commitment that they will respect and comply with the rules and principles contained in the European Regulation EU 2016/679 on the protection of personal data, also known as the «General Data Protection Regulation (GDPR) (hereafter referred as the «GDPR»), regardless of their geographic location. Privacy Pact offers the possibility for instance to companies located outside of the European Union to voluntarily and unilaterally commit to endorse and comply with the European data protection rules stated in the GDPR. 

Reservation and disclaimer to be acknowledged and accepted by all users
Privacy Pact provides Applicants with the opportunity to unilaterally commit and express their commitment to respect the GDPR through an online contractual instrument. However, all Parties, including Applicants, visitors and users of Privacy Pact, acknowledge and agree that:

  • Privacy Pact facilitates the publication of unilateral commitments by the Applicants, but it does not assess the effective compliance of Applicants with the GDPR. The GDPR compliance remains under the sole and exclusive responsibility of the respective Applicants.
  • Privacy Pact does not constitute a certification of compliance, such as defined in article 42 of the GDPR, and it cannot guarantee that Applicants are effectively complying with the referred legal obligations.
  • Privacy Pact and the entities in charge of its management are exonerated of and decline any responsibility whatsoever regarding the effective compliance, actions, measures and practices of the Applicants.
  • The entities in charge of managing the Privacy Pact service are exonerated of any responsibility and liability related to the information published on the website to the extent admissible by law. This service is provided on a best effort basis and relies on the assumption that Applicants provide information in good-faith and accordingly published.

Neither Privacy Pact, nor the entities linked to its management ARE RESPONSIBLE FOR ANY LITIGATION (or LITGATION SOLVING), between third parties and the Applicants. 

Commitment made by the Applicant
The Applicant freely and voluntarily commits to comply with the obligations arising out of the GDPR and Privacy Pact, including the present Terms and Conditions. The Applicant shall ensure that its practice and data processing already comply with the GDPR and its public commitment. 
The Applicant shall have established adequate measures and safeguards for ensuring its compliance with the GDPR when collecting, processing, transferring, storing and maintaining personal data.
The Applicant’s representatives and contact persons commit to act with the required authority and habilitation to act on behalf and commit the Applicant. 

Application Fees

The Pact is provided against a registration fee intended to support the administration and to further develop this service. The fees are not refundable.

The fees are established by the European Center for Certification and Privacy (ECCP) and published on the Privacy Pact website. The fees can change over time and are by default indicated in Euros, VAT not included. The regular registration fee is fixed to 590.- Euros per pact, but a discount rate is applied to small SMEs. The fees are currently set at:

  • 190.00 - Euros per year for companies with less than 50 employees AND less than 10 millions turnover;
  • 390.00 - Euros per year for companies with less than 250 employees AND less than 45 millions turnover;
  • 590.00 - Euros per year for companies with either more than 250 employees or more than 45 millions turnover. 

The Privacy Pact online service is provided for periods of one or several years that can be renewed manually or automatically. 
The initial period of service starts on the date of the initial purchase of the service by the Applicant. However, the official starting date of the commitment published on the website will be determined according to the signed Privacy Pact to be uploaded by the Applicant and to be validated by the Privacy Pact service before being published. 
Registrations that are not renewed, are automatically terminated and the registry is accordingly updated.

Non-complying Applicants and Contestation by Third Parties
Any privacy or data protection breach made by any of the Applicants shall be reported to the qualified Data Protection Authority. 
In case a commitment made by an Applicant would be contested by any third party, a request to cancel a registration can be applied only if grounded on decision of a qualified tribunal or a Data Protection Authority which identifies the registered Applicant as non-compliant with the GDPR rules and provisions. In principle, the contract with the entity can be receded and removed from the public list only if such a decision has been taken. Nevertheless, the entity in charge of managing the Privacy Pact registry reserves the right to temporarily or permanently withdraw an Applicant from the public registry. 

Suspension, Withdrawal and Termination
In case of withdrawal, termination, legal decision and/or Data Protection Authority non-compliance decision, or upon request by the ECCP the Applicant should remove without undue delay from its website/materials the iFramed Label issued by Privacy Flag upon signature of the Pact.

Contact, Legal and Data Protection Officer
A Data Protection Officer (DPO) and supervising expert is entrusted to handle privacy related questions on Privacy Pact and can be contacted at: 
For administrative issues, the Privacy Pact service can be contacted at:

The contract is governed by the law of Luxembourg and any legal dispute shall be addressed exclusively through the tribunal of Luxembourg.