
EDPB issues new FAQs on the EU-U.S. Data Privacy Framework

The European Data Protection Board (EDPB) published updated FAQs for businesses on the EU-U.S. Data Privacy Framework (DPF). The FAQs offer practical guidance for privacy and legal teams evaluating or relying on the DPF for transatlantic data transfers. The FAQs clarify eligibility and certification considerations, scope of coverage for controllers and processors, requirements around vendor due diligence and onward transfers, and the interplay between the DPF and other transfer tools such as SCCs and BCRs. They also address operational topics, such as handling HR data, documenting reliance in records of processing, and aligning internal policies and contracts, to help organizations operationalize compliance and demonstrate accountability.

For European businesses, the key takeaway is that the DPF can be a workable transfer mechanism when used thoughtfully and documented rigorously, including confirming U.S. counterpart certification status, ensuring onward transfer safeguards flow down through the vendor chain, and aligning internal governance with the DPF Principles.

The FAQs further emphasize that the DPF sits alongside, not above, alternative transfer tools:

For the transfer of personal data to companies in the U.S. that are not (or no longer) self-certified under the DPF, other grounds for transfer in Chapter V of the GDPR may be used, such as Binding Corporate Rules or Standard Contractual Clauses.

The EDPB also published updated FAQs for individuals on the DPF.

Earlier this month, the UK Information Commissioner's Office also issued updated guidance on international data transfers, including guidance on the UK Extension to the DPF.