Introduction: The EU-US Data Privacy Framework
The EU-US Data Privacy Framework (EU-US DPF) is a self-certification mechanism administered by the US Department of Commerce that enables organisations established in the United States to lawfully receive personal data transferred from the European Union, the European Economic Area (EEA), the United Kingdom (via the UK Extension) and Switzerland (via the Swiss-US DPF). It was operationalised on 10 July 2023, when the European Commission adopted its adequacy decision under Article 45 of the General Data Protection Regulation (GDPR), confirming that the United States ensures an adequate level of protection for personal data transferred to certified US organisations.
The EU-US DPF is the successor to the invalidated EU-US Privacy Shield (struck down by the Court of Justice of the European Union in the Schrems II judgment, Case C-311/18, on 16 July 2020) and, before that, the Safe Harbour arrangement (invalidated in Schrems I, Case C-362/14, on 6 October 2015). The current Framework was strengthened by US Executive Order 14086 of 7 October 2022 ('Enhancing Safeguards for United States Signals Intelligence Activities') and the associated regulations creating the Data Protection Review Court (DPRC), which together were designed to address the CJEU's concerns regarding US government access to personal data and the availability of redress for EU data subjects.
This guide provides an auditor-grade deep-dive into the Framework: its principles, scope of applicability, the seven Principles and sixteen Supplemental Principles, the self-certification lifecycle, the recourse and enforcement architecture, and a master assessment checklist enabling a CISO, Data Protection Officer (DPO) or independent assessor to verify readiness and ongoing compliance. It is written for both the assessor validating conformity and the implementer building and operating a DPF-compliant transfer programme.
What is the EU-US Data Privacy Framework
The EU-US DPF is not a statute; it is a voluntary certification programme underpinned by binding commitments. When a US organisation self-certifies, its published commitment to adhere to the DPF Principles becomes enforceable under US law by the Federal Trade Commission (FTC) under Section 5 of the FTC Act (which prohibits unfair or deceptive acts or practices) or, for certain sectors, by the US Department of Transportation (DOT). This enforceability is the legal foundation on which the European Commission's adequacy finding rests.
The Framework comprises three interlocking programmes administered under a single self-certification: the core EU-US DPF (covering EU/EEA transfers), the UK Extension to the EU-US DPF (covering UK and Gibraltar transfers, effective 12 October 2023 following the UK adequacy regulations), and the Swiss-US DPF (covering Switzerland, recognised as adequate by the Swiss Federal Council effective 15 September 2024). An organisation may self-certify to one, two or all three depending on the data flows it needs to legitimise.
Certification legitimises transfers as a stand-alone transfer mechanism under Chapter V of the GDPR, meaning a certified importer does not additionally require Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for the covered data flows, and does not need to conduct a Transfer Impact Assessment (TIA) for those flows because the adequacy decision already establishes the adequacy of protection.
The Framework rests on seven Principles (the substantive privacy obligations), sixteen Supplemental Principles (which interpret and add detail to the seven), an independent recourse mechanism for individuals, and an escalation ladder culminating in binding arbitration before the DPF Panel and, for national-security complaints, redress through the Civil Liberties Protection Officer of the Office of the Director of National Intelligence and the Data Protection Review Court.
Who must comply: scope of applicability
The Framework is voluntary, but any US organisation that wishes to rely on it as a lawful transfer mechanism must meet eligibility conditions and adhere fully. The following table summarises applicability.
| Category | Applicability to EU-US DPF |
|---|---|
| US organisation subject to FTC jurisdiction | Eligible to self-certify; commitments enforced by the FTC under Section 5 of the FTC Act. |
| US air carrier or ticket agent | Eligible to self-certify; commitments enforced by the US Department of Transportation. |
| Banks, insurance and telecommunications common carriers | Generally NOT eligible, as they fall outside FTC/DOT jurisdiction; must use alternative transfer mechanisms (SCCs, BCRs). |
| EU/EEA/UK/Swiss data exporter | Relies on the importer's certification; should verify active certification on the DPF List before transferring. |
| US organisation acting as a processor (agent) | May self-certify to receive personal data as an agent; must act only on documented instructions of the controller and pass onward-transfer obligations down the chain. |
| Human-resources (HR) data importer | May extend certification to HR data received from the EU in the context of the employment relationship; special Supplemental Principle applies and EU Data Protection Authorities become the mandatory recourse body. |
| Organisation not self-certified | Cannot rely on the DPF; must use SCCs, BCRs, derogations under Article 49 GDPR, or another valid mechanism. |
Two threshold conditions must be satisfied before self-certification: (1) the organisation must be subject to the investigatory and enforcement powers of the FTC or DOT; and (2) it must publicly declare its commitment to the Principles, publicly disclose its privacy policy in conformity with them, and fully implement the Principles. Certification is not effective until the Department of Commerce places the organisation on the active Data Privacy Framework List.
Structure of the EU-US DPF
The substantive obligations are organised into seven Principles, elaborated by sixteen Supplemental Principles. The following tables set out both.
The seven core Principles
| # | Principle | Core obligation |
|---|---|---|
| 1 | Notice | Inform individuals about the types of personal data collected, purposes of processing, the organisation's participation in the DPF, third parties to which data is disclosed, individuals' rights, and how to contact the organisation and lodge complaints, including reference to the independent recourse and DPF Panel arbitration. |
| 2 | Choice | Offer individuals the opportunity to opt out where data is to be disclosed to a third party (other than an agent) or used for a materially different purpose; obtain affirmative express consent (opt in) for sensitive data. |
| 3 | Accountability for Onward Transfer | Enter into a contract with third-party controllers and agents ensuring the same level of protection; remain liable for onward-transfer breaches unless proven not responsible. |
| 4 | Security | Take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorised access, disclosure, alteration and destruction, considering the risks and nature of the data. |
| 5 | Data Integrity and Purpose Limitation | Limit personal data to what is relevant for the purposes of processing; keep data accurate, complete and current; retain data only for as long as it serves the processing purpose. |
| 6 | Access | Provide individuals with access to their personal data and the ability to correct, amend or delete inaccurate or unlawfully processed data, subject to defined exceptions and proportionality. |
| 7 | Recourse, Enforcement and Liability | Provide robust independent recourse mechanisms, follow-up procedures to verify adherence, and remedies for non-compliance; cooperate with the Department of Commerce and, for HR data, with DPAs. |
The sixteen Supplemental Principles
| # | Supplemental Principle | Purpose |
|---|---|---|
| 1 | Sensitive Data | Clarifies when opt-in consent is required and exceptions. |
| 2 | Journalistic Exceptions | Balances free-press interests against privacy obligations. |
| 3 | Secondary Liability | Addresses liability of internet service providers and carriers acting as mere conduits. |
| 4 | Performing Due Diligence and Conducting Audits | Guidance for auditors and due-diligence contexts. |
| 5 | The Role of the Data Protection Authorities | How DPAs interact with the Framework and the informal panel. |
| 6 | Self-Certification | The mechanics and content of self-certification submissions. |
| 7 | Verification | Requirement to verify, via self-assessment or outside review, that representations are accurate. |
| 8 | Access | Detailed rules, exceptions and burden considerations for the Access Principle. |
| 9 | Human Resources Data | Special regime for employee data, including mandatory DPA cooperation. |
| 10 | Obligatory Contracts for Onward Transfers | Contractual content required for onward transfers to controllers and agents. |
| 11 | Dispute Resolution and Enforcement | Structure of the recourse mechanisms and consequences of non-compliance. |
| 12 | Choice - Timing of Opt Out | When and how opt-out choices must be offered, including for direct marketing. |
| 13 | Travel Information | Special considerations for passenger and travel data. |
| 14 | Pharmaceutical and Medical Products | Guidance for clinical trials, safety monitoring and blinded/coded data. |
| 15 | Public Record and Publicly Available Information | Treatment of data drawn from public records. |
| 16 | Access Requests by Public Authorities | Transparency and handling of government access requests, reflecting EO 14086 safeguards. |
Master assessment checklist
This is the operative section for assessors and implementers. It enumerates every Principle, the key Supplemental Principles, the certification lifecycle and the redress architecture. Each subsection provides what to verify and the typical evidence an assessor should request. No control area is omitted.
P1 - Notice
| What to verify | Typical evidence |
|---|---|
| Privacy policy discloses participation in the EU-US DPF (and UK/Swiss extensions as applicable) and provides a link to the DPF List and Principles. | Public privacy notice; screenshots; URL of DPF List entry. |
| Notice states the types of personal data collected and the purposes of processing. | Data inventory / RoPA; published notice. |
| Notice identifies third parties or categories of third parties to which data is disclosed and the purpose. | Vendor/sub-processor register; notice text. |
| Notice explains individuals' right to access and the choices offered to limit use and disclosure. | Rights section of notice; DSAR procedure. |
| Notice names the independent recourse mechanism and references the DPF Panel binding arbitration option at no cost to the individual. | IRM contract/registration; notice text. |
| Notice states the organisation is subject to FTC (or DOT) investigatory and enforcement powers and may be liable for onward transfers. | Notice text; enforcement-authority declaration. |
| Notice is provided in clear and conspicuous language at or before first use/disclosure. | Timing evidence; consent-capture flows. |
P2 - Choice
| What to verify | Typical evidence |
|---|---|
| Individuals are offered a readily available, affordable opt-out before data is disclosed to a non-agent third party or used for a materially different purpose. | Opt-out mechanism; preference centre; workflow logs. |
| Affirmative express (opt-in) consent is obtained before processing sensitive data or disclosing it to a third party for a new purpose. | Consent records; sensitive-data handling procedure. |
| Direct-marketing opt-out is honoured promptly and free of charge (Supplemental Principle 12). | Suppression lists; marketing platform configuration. |
| Where data is later treated as sensitive by the receiving organisation, sensitive-data treatment is applied. | Data-classification policy; reclassification logs. |
P3 - Accountability for Onward Transfer
| What to verify | Typical evidence |
|---|---|
| Written contracts exist with third-party controllers requiring processing only for limited, specified purposes consistent with individual consent, and providing the same level of protection as the Principles. | Executed data-transfer agreements; contract register. |
| Contracts with agents (processors) limit processing to the organisation's instructions and require notification and remediation if the agent cannot meet its obligations. | Processor agreements; sub-processor list. |
| The organisation retains responsibility and remains liable for onward-transfer breaches unless it proves it was not responsible for the harmful event. | Liability clauses; incident allocation records. |
| Onward transfers of HR data and sensitive data are subject to appropriate additional safeguards. | HR-data transfer contracts; safeguard documentation. |
| A summary or copy of privacy provisions in onward-transfer contracts can be provided to the Department of Commerce on request. | Contract-provision summaries; DoC correspondence. |
P4 - Security
| What to verify | Typical evidence |
|---|---|
| Reasonable and appropriate technical and organisational measures protect data against loss, misuse and unauthorised access, calibrated to the risks and data sensitivity. | Information security policy; ISO 27001 / SOC 2 report; risk assessment. |
| Access controls, encryption in transit and at rest, and logging/monitoring are implemented commensurate with risk. | Encryption standards; IAM configuration; SIEM logs. |
| An incident-response and breach-notification process is documented and tested. | IR plan; tabletop exercise records; breach register. |
| Third-party and cloud sub-processor security is assessed and contractually mandated. | Vendor risk assessments; DPAs. |
P5 - Data Integrity and Purpose Limitation
| What to verify | Typical evidence |
|---|---|
| Personal data is limited to what is relevant for the purposes of processing and is not processed in a way incompatible with those purposes. | RoPA; purpose-mapping documentation. |
| Reasonable steps ensure data is accurate, complete and current for its intended use. | Data-quality procedures; correction logs. |
| Retention is limited to the period the data serves a processing purpose (with exceptions for public-interest, journalism, scientific/historical research or statistics under safeguards). | Retention schedule; deletion/anonymisation evidence. |
| Data retained beyond active use is anonymised or its identifying elements removed where feasible. | Anonymisation methodology; destruction certificates. |
P6 - Access
| What to verify | Typical evidence |
|---|---|
| Individuals can obtain confirmation of, and access to, their personal data held by the organisation, without excessive expense or delay. | DSAR procedure; access-request log with response times. |
| Individuals can correct, amend or delete inaccurate data or data processed in violation of the Principles. | Rectification/erasure workflow; audit trail. |
| Exceptions to access (e.g. disproportionate burden, risk to others' rights, confidential commercial information, legal privilege) are applied narrowly and documented (Supplemental Principle 8). | Exception-decision records; legal review notes. |
| Identity of the requester is verified proportionately before disclosure. | Identity-verification procedure. |
P7 - Recourse, Enforcement and Liability
| What to verify | Typical evidence |
|---|---|
| A readily available independent recourse mechanism (IRM) investigates and resolves complaints and disputes at no cost to the individual. | IRM registration (e.g. DPA panel, private ADR provider); complaint-handling logs. |
| Follow-up procedures verify that attestations and assertions about privacy practices are true and implemented (verification, Supplemental Principle 7). | Annual self-assessment or outside-compliance-review report. |
| Individuals can escalate unresolved complaints to binding DPF Panel arbitration at no cost, with the ability to seek non-monetary equitable relief. | Arbitration commitment; escrow-fund contribution evidence. |
| Sanctions for non-compliance are sufficiently rigorous (e.g. publicity, deletion of data, suspension from the DPF List). | IRM sanction policy; enforcement records. |
| For HR data, the organisation commits to cooperate with EU DPAs and comply with their advice (Supplemental Principle 9). | DPA cooperation commitment; DPA correspondence. |
Self-certification lifecycle (Supplemental Principle 6)
| What to verify | Typical evidence |
|---|---|
| Initial self-certification submitted to the Department of Commerce with all required corporate, contact, IRM and privacy-policy details, and a processing fee paid. | DPF portal submission; fee receipt; DPF List entry. |
| The organisation appears on the active Data Privacy Framework List before it relies on the Framework. | DPF List screenshot showing 'Active' status. |
| Certification is re-affirmed (recertified) annually, and the anniversary date is tracked. | Recertification confirmation; calendar/tickler system. |
| The privacy policy conforms to the Principles and is publicly available and consistent with the DPF List entry. | Published policy; version history. |
| Scope of covered data (e.g. whether HR data is included, and whether the entity acts as controller and/or agent) is accurately declared. | Self-certification record; scope statement. |
Withdrawal, continuation and government-access safeguards
| What to verify | Typical evidence |
|---|---|
| If the organisation withdraws or its certification lapses, it either returns/deletes the personal data or continues to apply the Principles to previously received data and annually affirms this to the Department of Commerce. | Withdrawal notice; continuation attestation; deletion certificates. |
| The organisation responds to lawful public-authority access requests with transparency consistent with EO 14086 proportionality and necessity expectations, and reflects this in its notice (Supplemental Principle 16). | Government-request handling procedure; transparency reporting. |
| Individuals in the EU are informed of the redress avenues for national-security concerns (CLPO of ODNI and the Data Protection Review Court). | Notice text referencing EO 14086 redress mechanism. |
| Records demonstrate cooperation with the Department of Commerce reviews and prompt response to compliance inquiries. | DoC correspondence; inquiry-response log. |
Scoping and materiality/tiering
Because the Framework is a certification rather than a graduated standard, scoping focuses on which data flows and data categories are brought within the certification. Materiality is driven by the nature of the data and the role the organisation plays.
- Determine the covered data categories: general commercial data, sensitive data (health, racial/ethnic origin, political opinions, religious/philosophical beliefs, trade-union membership, sex life, criminal records), and separately whether HR data received from the EU is included.
- Determine the organisation's role for each flow: controller, agent (processor), or both - this drives Choice, onward-transfer and access obligations.
- Map all EU/EEA/UK/Swiss source jurisdictions to confirm which of the three sub-programmes (EU, UK Extension, Swiss) must be certified.
- Identify high-materiality flows: sensitive data, HR data, large-volume consumer data, and data disclosed to onward third parties - these attract the most rigorous evidence expectations.
- Exclude flows that cannot rely on the DPF (e.g. transfers to entities outside FTC/DOT jurisdiction) and assign alternative mechanisms (SCCs, BCRs, Article 49 derogations).
Implementation approach
Phase 1 - Assess and scope
Activities: confirm FTC/DOT jurisdiction; inventory EU/UK/Swiss data flows and categories; map controller/agent roles; perform a gap assessment against the seven Principles and relevant Supplemental Principles. Deliverables: data-flow map, Record of Processing Activities, eligibility determination, gap-assessment report and remediation plan.
Phase 2 - Remediate and build controls
Activities: draft a DPF-conformant privacy notice; implement Choice/opt-out and sensitive-data opt-in mechanisms; update onward-transfer contracts to the same-protection standard; harden security controls; establish DSAR/access, rectification and deletion workflows; select and contract an independent recourse mechanism (IRM) and commit to DPF Panel arbitration. Deliverables: published privacy policy, contract templates, IRM engagement letter, updated security documentation, rights-handling procedures.
Phase 3 - Self-certify
Activities: register on dataprivacyframework.gov, complete the self-certification submission, pay fees, and obtain active listing on the DPF List. Deliverables: DPF List active entry, certification record, IRM registration confirmation, arbitration-fund contribution evidence.
Phase 4 - Operate and verify
Activities: run complaint handling; conduct the annual verification (self-assessment or outside compliance review); track recertification anniversary; monitor onward-transfer partners; maintain government-access transparency. Deliverables: verification report, complaint log, recertification confirmation, vendor-oversight records.
Phase 5 - Monitor and improve
Activities: monitor regulatory developments (EO 14086 implementation, periodic joint reviews by the European Commission and Department of Commerce, any litigation challenging the adequacy decision); update controls; run internal audits. Deliverables: regulatory-watch log, internal-audit findings, continuous-improvement plan and board reporting.
Maturity / capability model
While the DPF does not define tiers, CyberSigma applies a five-level maturity model to help organisations benchmark and improve their transfer-compliance programme.
| Level | Name | Characteristics |
|---|---|---|
| 1 | Initial | No formal DPF programme; transfers rely on ad-hoc or expired mechanisms; privacy notice does not reference the DPF. |
| 2 | Developing | Gap assessment done; privacy notice drafted; some controls exist but not yet self-certified; IRM not engaged. |
| 3 | Defined | Self-certified and active on the DPF List; core Principles implemented; IRM engaged; DSAR and onward-transfer processes documented. |
| 4 | Managed | Annual verification performed and evidenced; metrics tracked; onward-transfer partners audited; recertification reliably on time. |
| 5 | Optimised | Integrated with wider privacy programme (GDPR, ISO 27701); automated evidence collection; proactive regulatory watch; independent assurance and board oversight. |
Assessment and audit approach
- Confirm active status and scope on the Data Privacy Framework List, including UK and Swiss extensions and whether HR data is covered.
- Review the published privacy policy against all Notice-Principle disclosure elements and check consistency with the DPF List entry.
- Trace representative data flows end to end, verifying Choice, sensitive-data opt-in, onward-transfer contracts and security controls.
- Test the individual-rights mechanisms: submit or sample access, correction, deletion and opt-out requests and measure response times and outcomes.
- Examine the independent recourse mechanism engagement, complaint volumes, resolutions and arbitration commitment/escrow contribution.
- Inspect the annual verification (self-assessment statement signed by a corporate officer, or an outside-compliance-review report) for completeness and accuracy.
- Assess onward-transfer governance: contract coverage, sub-processor list, and liability allocation.
- Review government-access request handling and EO 14086 transparency, and confirm notice references the CLPO/DPRC redress route.
- Verify recertification timeliness and continuity/withdrawal handling for legacy data.
- Report findings with severity ratings and a remediation roadmap mapped to the seven Principles.
Evidence request list
Assessors should request evidence across the following categories.
- Certification: DPF List entry (active), self-certification submission record, fee receipts, recertification confirmations.
- Governance: privacy policy (current and version history), data-protection roles, DPO/privacy-officer appointment.
- Data mapping: Record of Processing Activities, EU/UK/Swiss data-flow diagrams, data-category and sensitivity classification.
- Notice and choice: published notices, consent-capture flows, opt-out/opt-in mechanisms, marketing suppression lists.
- Onward transfers: executed controller and agent contracts, sub-processor register, contract-provision summaries.
- Security: information security policy, ISO 27001 / SOC 2 / ISO 27701 reports, risk assessments, encryption and IAM configuration, incident-response plan and breach register.
- Individual rights: DSAR/access/correction/deletion procedures and logs with response-time metrics.
- Recourse: IRM engagement letter and registration, complaint-handling logs, arbitration commitment and escrow-fund contribution.
- Verification: annual self-assessment attestation or outside-compliance-review report.
- Government access and transparency: request-handling procedure, transparency reports, EO 14086 redress notice text.
- Change management: regulatory-watch log, internal-audit reports, remediation tracker.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| Board / Executive sponsor | Approves the transfer-compliance strategy, funds the programme and receives assurance reporting. |
| Chief Privacy Officer / DPO | Owns DPF conformity, the privacy notice and individual-rights handling; primary liaison with the Department of Commerce and DPAs. |
| CISO / Information Security | Implements and evidences the Security Principle; manages incident response and vendor security assessment. |
| Legal / Compliance | Drafts onward-transfer contracts, manages self-certification and recertification, monitors regulatory and litigation developments. |
| Data / IT owners | Maintain the RoPA, enforce retention and data-quality, and operate access/deletion workflows. |
| Independent Recourse Mechanism (external) | Investigates individual complaints, applies sanctions and provides an escalation path to arbitration. |
| Internal Audit / Independent assessor | Performs the annual verification or reviews the self-assessment and reports findings to the board. |
| Onward-transfer partners | Adhere to contractual same-protection obligations and notify of any inability to comply. |
KPIs and metrics to track
- Certification status: days remaining to recertification anniversary; recertification completed on time (yes/no).
- Individual rights: number of access/correction/deletion requests and mean/percentile response time versus target.
- Opt-out and consent: opt-out honour rate and time to suppression; proportion of sensitive-data processing with valid opt-in.
- Complaints: volume received via the IRM, resolution rate, mean time to resolve and number escalated to arbitration.
- Onward transfers: percentage of third-party recipients under a compliant same-protection contract.
- Security: number of reportable incidents involving DPF-covered data and mean time to detect/respond.
- Verification: annual verification completed and signed by a corporate officer (yes/no); open gap-remediation items.
- Government access: number of public-authority requests received and disclosed in transparency reporting.
- Training: percentage of relevant staff completing DPF/privacy awareness training.
Readiness checklist
- Confirmed the organisation is subject to FTC or DOT jurisdiction.
- Inventoried all EU/EEA/UK/Swiss data flows and data categories, including HR and sensitive data.
- Determined controller/agent roles for each flow.
- Published a privacy notice containing every required Notice-Principle disclosure.
- Implemented Choice opt-out and sensitive-data opt-in mechanisms.
- Executed same-protection onward-transfer contracts with all third-party controllers and agents.
- Implemented reasonable and appropriate security controls and a tested incident-response plan.
- Established access, correction and deletion workflows with defined response times.
- Engaged an independent recourse mechanism and committed to DPF Panel binding arbitration with escrow contribution.
- Included HR-data DPA cooperation commitment where HR data is covered.
- Completed self-certification and confirmed active status on the DPF List.
- Scheduled the annual verification and recertification with a tickler system.
- Documented government-access handling and EO 14086 redress notice.
- Assigned clear roles and board-level oversight.
Common gaps and findings
- Privacy notice fails to reference DPF participation, the DPF Panel arbitration option or FTC/DOT enforcement authority.
- Relying on the DPF before appearing as 'Active' on the DPF List, or continuing to claim participation after lapse or withdrawal.
- Missing or non-conforming annual verification - no self-assessment signed by a corporate officer and no outside compliance review.
- Onward-transfer contracts absent or lacking the same-protection standard and liability terms.
- Sensitive data processed without affirmative opt-in consent, or HR data covered without the required DPA cooperation commitment.
- Access/deletion requests handled slowly or refused without a documented, narrow exception.
- Recertification missed on the anniversary date, causing the certification to lapse.
- Assuming DPF certification removes all GDPR obligations - it legitimises transfer only; the EU exporter and the importer's own processing duties remain.
- No independent recourse mechanism engaged, or the IRM registration is inconsistent with the notice.
- No monitoring of adequacy-decision stability (periodic joint reviews, litigation risk), leaving no fallback transfer mechanism ready.
EU-US DPF mapped to other frameworks
| EU-US DPF element | Related requirement in other frameworks |
|---|---|
| Notice Principle | GDPR Articles 13-14 transparency; ISO 27701 privacy notice controls. |
| Choice Principle | GDPR Article 6 lawful basis and Article 21 right to object; sensitive data ties to GDPR Article 9. |
| Accountability for Onward Transfer | GDPR Chapter V transfers and Article 28 processor contracts; SCCs equivalent obligations. |
| Security Principle | GDPR Article 32; ISO/IEC 27001 Annex A; SOC 2 Security criteria; NIST CSF Protect function. |
| Data Integrity and Purpose Limitation | GDPR Article 5(1)(b), (c), (d) and Article 5(1)(e) storage limitation; ISO 27701 minimisation controls. |
| Access Principle | GDPR Articles 15-17 (access, rectification, erasure). |
| Recourse, Enforcement and Liability | GDPR Articles 77-79 remedies; ISO 27701 complaint-handling; NIST Privacy Framework Govern function. |
| Self-certification and verification | ISO 27701 certification lifecycle; SOC 2 Type II periodic examination. |
| Government-access safeguards (EO 14086) | Addresses Schrems II CJEU concerns; complements TIA analysis under EDPB Recommendations 01/2020. |