DPF
What is DPF?
EU-US Data Privacy Framework, the July 2023 adequacy mechanism that replaces Privacy Shield for transatlantic transfers of personal data.
The EU-US Data Privacy Framework (DPF) is a transatlantic data-transfer mechanism that allows participating US companies to receive personal data from the EU without additional safeguards under GDPR Chapter V. It is based on Executive Order 14086 (October 2022) and was formally recognised by the European Commission's adequacy decision of 10 July 2023, replacing the EU-US Privacy Shield invalidated by Schrems II in 2020. Eligible US organisations self-certify their compliance with the DPF Principles to the US Department of Commerce and remain subject to enforcement by the FTC or DOT. A UK extension and a Swiss-US DPF complement the EU-US framework. EU data subjects can submit complaints to a redress mechanism that includes the Data Protection Review Court (DPRC).
● Examples
- A US SaaS company self-certifying to the DPF to lawfully receive HR data from its European subsidiaries.
- An EU controller relying on the adequacy decision to transfer marketing data to a DPF-certified US service provider.
● Frequently asked questions
What is DPF?
EU-US Data Privacy Framework, the July 2023 adequacy mechanism that replaces Privacy Shield for transatlantic transfers of personal data. It belongs to the Compliance & Frameworks category of cybersecurity.
What are other names for DPF?
Common alternative names include: EU-US Data Privacy Framework, Trans-Atlantic Data Privacy Framework.
● Related terms
- SCC (compliance): Standard Contractual Clauses are EU Commission-approved model contracts that provide GDPR-compliant safeguards for transfers of personal data outside the EEA.
- GDPR (compliance): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- DPA (compliance): A Data Processing Agreement is the binding contract required by GDPR Article 28 between a data controller and processor when personal data is processed on the controller's behalf.