The EU-U.S. Data Privacy Framework and international data transfers: insights from the updated EDPB FAQs for European businesses

6 February 2026

For many European organizations, transferring personal data to the United States has long been one of the most legally sensitive aspects of GDPR compliance. The invalidation of the previous legal framework created uncertainty and forced companies to rely heavily on Standard Contractual Clauses (“SCCs”) and complex transfer assessments.

The EU-U.S. Data Privacy Framework (“DPF”) reshapes this landscape, but it does not eliminate the need for careful legal and operational checks under the GDPR. This article analyses the updated DPF FAQs, originally adopted in 2024 and most recently revised on 15 January 2026, which clarify how EU and EEA organizations can lawfully rely on the DPF in a way that is both operationally practical and fully aligned with GDPR requirements.

The legal nature of the DPF and the criteria for eligibility under the DPF

The DPF is a self-certification mechanism for U.S.-based organizations. Companies that have self-certified under the DPF commit to comply with a detailed set of privacy principles, rules and obligations governing the processing of personal data received from the EEA.

On 10 July 2023, the European Commission adopted an adequacy decision under Article 45 of the GDPR, recognizing that transfers to U.S. organizations actively certified under the DPF do not require additional safeguards, such as SCCs, for those specific data flows.

To be eligible to self-certify to the DPF, a company in the U.S. must be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”) or of the U.S. Department of Transportation (“DoT”). However, other U.S. statutory bodies may be included in the future.

As a result, certain entities such as, for example, non-profit organizations, banks, insurance companies and telecommunication service providers (with regard to common carrier activities) which do not fall under the jurisdiction of the FTC or DoT, cannot self-certify under the DPF.

Responsibilities of the EEA exporter

Before transferring personal data to a U.S. company under the DPF, an EEA data exporter must ensure that the U.S. company has an active self-certification (which must be renewed annually) and that this certification applies to the data being transferred.

The DPF List on the U.S. Department of Commerce website allows EEA exporters to check whether a company’s self-certification is active and applicable. Since self-certifications must be renewed annually, it also lists companies removed from the program (“inactive participants”) and the reasons for removal.

It follows that EEA exporters cannot rely on the DPF for transfers of personal data to companies that do not hold an active self-certification, while companies that have been removed from the DPF List must continue to apply the DPF Principles to any personal data received while they were participants, for as long as they retain such data.

For transfers to U.S. companies that are not (or no longer) DPF-certified, other transfer mechanisms under Articles 46-49 GDPR, such as Binding Corporate Rules or SCCs, remain available.

Particular attention must be given to groups of undertakings: in the case of transfers to U.S. companies that are subsidiaries of a DPF-certified parent company, EEA data exporters must check whether the parent company’s certification also covers the subsidiary concerned.

HR Data: additional compliance considerations

It is important to note that the DPF applies to all types of personal data transferred from the EEA to the U.S., including data processed for commercial or health purposes, as well as human resources data collected in the context of an employment relationship (“HR Data”), provided that the U.S. recipient company is self-certified under the DPF to process those categories of data.

However, transfers of HR Data (such as employee records, payroll information, etc.) require additional care. The DPF allows such transfers only where the U.S. organization’s certification explicitly covers HR Data or where the organization has committed, in its privacy policy, to cooperate with and comply with the advice of EU supervisory authorities in relation to that data.

Transfers to a company in the U.S. acting as a controller

Before transferring personal data to a U.S. controller, an EEA data exporter must ensure that the transfer aligns with all applicable GDPR provisions. In particular, personal data may be shared with a U.S. entity only where a lawful basis for processing exists under Article 6 of the GDPR. Depending on the context, this may be a contractual obligation, a legal obligation, or legitimate interests, but it must be properly documented and assessed. Beyond this, compliance with the full spectrum of GDPR obligations – including purpose limitation, proportionality, data accuracy, and transparency toward data subjects – is required.

Transparency obligations remain central. Under Articles 13 and 14 GDPR, data subjects must be informed about the identity of the U.S. recipient and the fact that their personal data is transferred on the basis of an adequacy decision under the DPF. This transparency requirement underscores the GDPR’s emphasis on accountability and the protection of fundamental data subject rights in cross-border transfers.

Transfers to a company in the U.S. acting as a processor

Where the U.S. organization processes personal data on behalf of the EEA exporter, regardless of whether the processor is self-certified under the DPF, the parties are obliged to conclude a data processing agreement (“DPA”) under Article 28 GDPR.

The DPA must define the subject matter and duration of the processing, its nature and purpose, as well as the type of personal data processed and the categories of data subjects to whom personal data refers. It must also impose specific obligations on the processor, including processing only on documented instructions, ensuring confidentiality of personnel, implementing appropriate technical and organizational measures under Article 32 GDPR, and assisting the controller with data subject rights and security obligations.

The processor must also commit to deleting or returning personal data at the end of the service and to making available all information necessary to demonstrate compliance, including through audits. Where the processor engages a sub-processor, it must flow down the same data protection obligations and remain fully liable to the controller for the sub-processor’s performance. These contractual safeguards operate alongside the DPF commitments and are a core element of GDPR accountability.

A Practical Compliance Perspective

Operationally, the DPF addresses a specific legal obstacle, without modifying the broader framework established by the GDPR. In other words, it streamlines the analysis of international data transfers but does not diminish an organization’s obligations with respect to the lawfulness of processing, fairness and transparency towards data subjects, data security, and overall accountability.

Organizations that integrate DPF verification into corporate processes – including procurement, vendor management, human resources, and privacy governance – will be best positioned to leverage the framework while remaining fully GDPR-compliant.

In a nutshell, the DPF facilitates more efficient transatlantic data flows, but only if exporters continue to apply the GDPR with the same degree of diligence and rigor as before. Absent such a comprehensive approach, reliance on the DPF alone does not guarantee full compliance, nor does it eliminate the need for thorough operational and legal assessments.

2026 - Morri Rossetti
