EDPB - EU-US Data Privacy Framework FAQ for European businesses

Table of contents

• Q1. What is the EU-U.S. Data privacy Framework?
• Q2. Which U.S. companies are eligible to the EU-U.S. Data privacy Framework?
• Q3. What to do before transferring personal data to a company in the U.S. which is, or claims to be certified under the EU-U.S. Data privacy Framework?
• Q4. Where can I find guidance regarding the certification of U.S. subsidiary companies of European businesses?

Q1. WHAT IS THE EU-U.S. DATA privacy FRAMEWORK?

The EU-U.S. Data privacy Framework (“DPF”) is a self-certification mechanism for companies in the
U.S. Companies that have self-certified under the DPF must comply with its principles, rules and
obligations related to the processing of personal data of EEA individuals. For more information about
these commitments, see the Data privacy Framework Principles.2
The European Commission considered that transfers of personal data from the EEA to companies
certified under the DPF enjoy an adequate level of protection.3 As a result, personal data can be
transferred freely to U.S. certified companies, without the need to put in place further safeguards or
obtain an authorisation. Here are some relevant links for more information:
- The European Commission’s Questions and Answers: Data privacy Framework4
- The Data privacy Framework website as administrated by the U.S. Department of Commerce5
- The European Commission’s decision on the adequate level of protection of personal data
under the EU-U.S. Data privacy Framework6
The DPF applies to any type of personal data transferred from the EEA to the U.S., including personal
data processed for commercial or health purposes, and human resources data collected in the context
of an employment relationship (hereafter: “HR Data”), as long as the recipient company in the U.S. is
self-certified under the DPF to process those types of data

Q3. WHAT TO DO BEFORE TRANSFERRING PERSONAL DATA TO A
COMPANY IN THE U.S. WHICH IS, OR CLAIMS TO BE CERTIFIED
UNDER THE EU-U.S. DATA privacy FRAMEWORK?

Before transferring personal data to a company in the U.S. which claims to be self-certified under the
DPF, a data exporter in the EEA must ascertain that the company in the U.S. holds an active self-
certification (certifications must be renewed annually) and that this certification covers the data in
question (in particular if it covers HR Data, respectively, non-HR Data).9

To verify whether or not a self-certification is active and applicable, data exporters in the EEA need to
check if the company in the U.S. is on the Data privacy Framework List,10 published on the U.S.
Department of Commerce’s website. This list also includes a register of companies that have been
removed from the List (“inactive participants”), stating the reasons for their removal. An EEA data
exporter cannot rely on the DPF for transfers of personal data to such companies. Please note that
companies that have been removed from the Data privacy Framework List must continue to apply the
Data privacy Framework Principles to personal data received while participating in the DPF for as long
as they retain these data.

For the transfer of personal data to companies in the U.S. that are not (or no longer) self-certified
under the DPF, other grounds for transfer in Chapter V of the GDPR may be used, such as Binding
Corporate Rules or Standard Contractual Clauses.

The fact that the recipient in the U.S. is self-certified under the DPF will enable data exporters in the
EEA to comply with Chapter V of the GDPR, but all other requirements in the GDPR and any other
national data protection law remain applicable