Skip to Main Content
Main Menu
Regulation

Data Privacy Framework (DPF)

The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF was developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK and Swiss law.

Who is eligible to participate in the DPF Program?

To be eligible to participate in the DPF, an organization must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT).

The FTC’s jurisdiction covers acts or practices in or affecting commerce by any “person, partnership, or corporation.” The FTC does not have jurisdiction over most depository institutions (banks, federal credit unions, and savings & loan institutions), telecommunications, interstate transportation, common carrier activities, air carriers, labor associations, most non-profit organizations, and most packer and stockyard activities.

Key obligations under the Data Privacy Framework

Purpose limitation & choice

Personal data should be processed lawfully and fairly. It should be collected for a specified purpose and should not be processed in a way that is incompatible with the purpose for which it was originally collected or authorized by the individual.

Provide data subjects with a mechanism to exercise choice in relation to the use or disclosure of their personal information.

Policies & notices

Data subjects should be informed of the main features of the processing of their personal data. Provide clear and conspicuous notice(s) about the practices and policies that govern the personal information.

The Privacy Notice must inform individuals of the organization’s participation in the EU-U.S. DPF and, as applicable the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and provide a link to, or the web address for, the Data Privacy Framework List.

Data subject rights & requests

Data subjects should have certain rights which can be enforced against the controller or processor, in particular the right of access to data, the right to object to the processing and the right to have data rectified and erased.

Sub-processing

In the case of sub-processing, a processor must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the DPF Principles and take steps to ensure its proper implementation.

Accountability for onward transfers

To transfer personal data to a third party acting as a controller, the organizations must execute a contract requiring them to apply the same level of protection, use the data for specified purposes, and notify if they cannot meet their obligations under the DPF.

To transfer personal data to a third party acting as an agent, the organization must transfer such data only for limited and specified purposes. Contracts must be in place with processors requiring them to provide the same level of privacy protections, ensure that the agent effectively processes the personal data transferred in a manner consistent with the organization’s obligations under the DPF, notify the controller if it can no longer meet its requirements, upon notice of unauthorized processing, the processor must take reasonable and appropriate steps to stop and remediate the unauthorized processing.

Webinar

Everything you need to know about EU-US DPF but are afraid to ask

FAQs

  • What is the Data Privacy Framework?

    The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework was developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union/European Economic Area, the United Kingdom, and Switzerland that are consistent with EU, UK, and Swiss law.

  • When did the DPF come into effect?

    Organizations participating in the EU-U.S. DPF may receive personal data from the EU/EEA in reliance on the US-U.S. DPF effective July 10, 2023.

    Organizations participating in the UK Extension to the EU-U.S. DPF may receive personal data from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF effective October 12, 2023.

    The effective date of the Swiss-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 17, 2023.

  • Is participation in the Data Privacy Framework Program voluntary?

    It is entirely voluntary for any U.S.-based organizations to join the Data Privacy Framework (DPF) program. The DPF Principles apply immediately upon certification. Participating organizations are required to recertify their adherence to the DPF Principles on an annual basis.

  • Are participating organizations required to choose an independent dispute resolution mechanism?

    Under the DPF, participating organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. The independent dispute resolution mechanism is responsible to investigate and expeditiously resolve each individual’s complaints and disputes.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top