EU–US Data Privacy Framework ("DPF") – European Data Protection Board (FAQ v 2.0)

On the 15th January 2026, the European Data Protection Board ("EDPB") adopted the updated v 2.0 of the FAQ on the EU-US Data Privacy Framework ("DPF") for European businesses and individuals. The updated FAQ provides revised guidance on aspects concerning the DPF and transfers of data from the EU to DPF certified companies across the_Atlantic.

Listed below are some of the key takeaways:

1. What is the DPF? The DPF is a self‑certification mechanism for US companies so that they can demonstrate they operate under defined privacy standards and that they offer an adequate level of protection. Transfers of personal data form the EEA to companies certified under the DPF enjoy an adequate level of protection and can occur unobstructed.
2. Eligibility: Only companies in the US that are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission ("FTC") or of the U.S. Department of Transportation ("DoT") are eligible to self-certify under the DPF. Therefore, non-profit organisations, banks, insurance companies and telecommunication service providers which do not fall under the supervision of the FTC or DoT cannot self-certify. Aa such, in case where you intend to initiate a transfer of data form the EEA to any such entity you will need to consider implementing appropriate safeguarding mechanisms such as standard contractual clauses (SCCs).

• Active Certification: EU/EEA entities and data controllers that intend to transfer personal data in the US need to verify whether a US company is DPF‑certified via the official online list before engaging with them. It is important to note that companies that have been removed or no longer hold active certifications under the DPF must continue to apply the DPF principles to any personal data received during the time they held an active participation under the DPF and for as long as they retain this data.

1. Data Processing Agreements: When an EEA controller transfers personal data to a processor in the U.S. (for example, a business engages a cloud provider for data hosting in the US), he is required to execute a data processing agreement in line with Article 28 of the GDPR with the US processor, regardless if they are certified under the DPF. Therefore, certification under the DPF does not exempt controllers and processors from the requirement to execute data processing agreements.
2. Complaints: The FAQ clarifies that complaints regarding compliance with the DPF or the handling of your personal data under the framework can be raised either directly with the company or with the national Data Protection Authority (DPA) – for Cyprus, the Office of the Commissioner for Personal Data Protection.

This update enhances transparency and gives EU-based entities and individuals greater assurance in exercising their data protection rights when personal data is transferred between the EU and the United States. If you have concerns regarding international data transfers to the U.S., our Data Protection team is available to support you.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.