Issuing bodies: US Department of Commerce / European Commission · Jurisdictions: EU / US

EU-US Data Privacy Framework

Transatlantic mechanism for lawful personal-data transfers.

Introduction: The EU-US Data Privacy Framework

The EU-US Data Privacy Framework (EU-US DPF) is a self-certification mechanism administered by the US Department of Commerce that enables organisations established in the United States to lawfully receive personal data transferred from the European Union, the European Economic Area (EEA), the United Kingdom (via the UK Extension) and Switzerland (via the Swiss-US DPF). It was operationalised on 10 July 2023, when the European Commission adopted its adequacy decision under Article 45 of the General Data Protection Regulation (GDPR), confirming that the United States ensures an adequate level of protection for personal data transferred to certified US organisations.

The EU-US DPF is the successor to the invalidated EU-US Privacy Shield (struck down by the Court of Justice of the European Union in the Schrems II judgment, Case C-311/18, on 16 July 2020) and, before that, the Safe Harbour arrangement (invalidated in Schrems I, Case C-362/14, on 6 October 2015). The current Framework was strengthened by US Executive Order 14086 of 7 October 2022 ('Enhancing Safeguards for United States Signals Intelligence Activities') and the associated regulations creating the Data Protection Review Court (DPRC), which together were designed to address the CJEU's concerns regarding US government access to personal data and the availability of redress for EU data subjects.

This guide provides an auditor-grade deep-dive into the Framework: its principles, scope of applicability, the seven Principles and sixteen Supplemental Principles, the self-certification lifecycle, the recourse and enforcement architecture, and a master assessment checklist enabling a CISO, Data Protection Officer (DPO) or independent assessor to verify readiness and ongoing compliance. It is written for both the assessor validating conformity and the implementer building and operating a DPF-compliant transfer programme.

Copyright and source note
The EU-US Data Privacy Framework Principles are issued by the US Department of Commerce and published on dataprivacyframework.gov; the adequacy decision is issued by the European Commission. This guide is original explanatory and assessment material prepared by CyberSigma. It paraphrases obligations and does not reproduce the verbatim text of the official Principles, the adequacy decision, Executive Order 14086 or GDPR. Organisations must always rely on the authoritative primary texts and, where required, seek qualified legal advice.

What is the EU-US Data Privacy Framework

The EU-US DPF is not a statute; it is a voluntary certification programme underpinned by binding commitments. When a US organisation self-certifies, its published commitment to adhere to the DPF Principles becomes enforceable under US law by the Federal Trade Commission (FTC) under Section 5 of the FTC Act (which prohibits unfair or deceptive acts or practices) or, for certain sectors, by the US Department of Transportation (DOT). This enforceability is the legal foundation on which the European Commission's adequacy finding rests.

The Framework comprises three interlocking programmes administered under a single self-certification: the core EU-US DPF (covering EU/EEA transfers), the UK Extension to the EU-US DPF (covering UK and Gibraltar transfers, effective 12 October 2023 following the UK adequacy regulations), and the Swiss-US DPF (covering Switzerland, recognised as adequate by the Swiss Federal Council effective 15 September 2024). An organisation may self-certify to one, two or all three depending on the data flows it needs to legitimise.

Certification legitimises transfers as a stand-alone transfer mechanism under Chapter V of the GDPR, meaning a certified importer does not additionally require Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for the covered data flows, and does not need to conduct a Transfer Impact Assessment (TIA) for those flows because the adequacy decision already establishes the adequacy of protection.

The Framework rests on seven Principles (the substantive privacy obligations), sixteen Supplemental Principles (which interpret and add detail to the seven), an independent recourse mechanism for individuals, and an escalation ladder culminating in binding arbitration before the DPF Panel and, for national-security complaints, redress through the Civil Liberties Protection Officer of the Office of the Director of National Intelligence and the Data Protection Review Court.

Who must comply: scope of applicability

The Framework is voluntary, but any US organisation that wishes to rely on it as a lawful transfer mechanism must meet eligibility conditions and adhere fully. The following table summarises applicability.

Category | Applicability to EU-US DPF
US organisation subject to FTC jurisdiction | Eligible to self-certify; commitments enforced by the FTC under Section 5 of the FTC Act.
US air carrier or ticket agent | Eligible to self-certify; commitments enforced by the US Department of Transportation.
Banks, insurance and telecommunications common carriers | Generally NOT eligible, as they fall outside FTC/DOT jurisdiction; must use alternative transfer mechanisms (SCCs, BCRs).
EU/EEA/UK/Swiss data exporter | Relies on the importer's certification; should verify active certification on the DPF List before transferring.
US organisation acting as a processor (agent) | May self-certify to receive personal data as an agent; must act only on documented instructions of the controller and pass onward-transfer obligations down the chain.
Human-resources (HR) data importer | May extend certification to HR data received from the EU in the context of the employment relationship; a special Supplemental Principle applies and EU Data Protection Authorities become the mandatory recourse body.
Organisation not self-certified | Cannot rely on the DPF; must use SCCs, BCRs, derogations under Article 49 GDPR, or another valid mechanism.

Two threshold conditions must be satisfied before self-certification: (1) the organisation must be subject to the investigatory and enforcement powers of the FTC or DOT; and (2) it must publicly declare its commitment to the Principles, publicly disclose its privacy policy in conformity with them, and fully implement the Principles. Certification is not effective until the Department of Commerce places the organisation on the active Data Privacy Framework List.

Structure of the EU-US DPF

The substantive obligations are organised into seven Principles, elaborated by sixteen Supplemental Principles. The following tables set out both.

The seven core Principles

# | Principle | Core obligation
1 | Notice | Inform individuals about the types of personal data collected, purposes of processing, the organisation's participation in the DPF, third parties to which data is disclosed, individuals' rights, and how to contact the organisation and lodge complaints, including reference to the independent recourse and DPF Panel arbitration.
2 | Choice | Offer individuals the opportunity to opt out where data is to be disclosed to a third party (other than an agent) or used for a materially different purpose; obtain affirmative express consent (opt in) for sensitive data.
3 | Accountability for Onward Transfer | Enter into a contract with third-party controllers and agents ensuring the same level of protection; remain liable for onward-transfer breaches unless proven not responsible.
4 | Security | Take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorised access, disclosure, alteration and destruction, considering the risks and nature of the data.
5 | Data Integrity and Purpose Limitation | Limit personal data to what is relevant for the purposes of processing; keep data accurate, complete and current; retain data only for as long as it serves the processing purpose.
6 | Access | Provide individuals with access to their personal data and the ability to correct, amend or delete inaccurate or unlawfully processed data, subject to defined exceptions and proportionality.
7 | Recourse, Enforcement and Liability | Provide robust independent recourse mechanisms, follow-up procedures to verify adherence, and remedies for non-compliance; cooperate with the Department of Commerce and, for HR data, with DPAs.

The sixteen Supplemental Principles

# | Supplemental Principle | Purpose
1 | Sensitive Data | Clarifies when opt-in consent is required and the applicable exceptions.
2 | Journalistic Exceptions | Balances free-press interests against privacy obligations.
3 | Secondary Liability | Addresses liability of internet service providers and carriers acting as mere conduits.
4 | Performing Due Diligence and Conducting Audits | Guidance for auditors and due-diligence contexts.
5 | The Role of the Data Protection Authorities | How DPAs interact with the Framework and the informal panel.
6 | Self-Certification | The mechanics and content of self-certification submissions.
7 | Verification | Requirement to verify, via self-assessment or outside review, that representations are accurate.
8 | Access | Detailed rules, exceptions and burden considerations for the Access Principle.
9 | Human Resources Data | Special regime for employee data, including mandatory DPA cooperation.
10 | Obligatory Contracts for Onward Transfers | Contractual content required for onward transfers to controllers and agents.
11 | Dispute Resolution and Enforcement | Structure of the recourse mechanisms and consequences of non-compliance.
12 | Choice - Timing of Opt Out | When and how opt-out choices must be offered, including for direct marketing.
13 | Travel Information | Special considerations for passenger and travel data.
14 | Pharmaceutical and Medical Products | Guidance for clinical trials, safety monitoring and blinded/coded data.
15 | Public Record and Publicly Available Information | Treatment of data drawn from public records.
16 | Access Requests by Public Authorities | Transparency and handling of government access requests, reflecting EO 14086 safeguards.

Master assessment checklist

This is the operative section for assessors and implementers. It enumerates every Principle, the key Supplemental Principles, the certification lifecycle and the redress architecture. Each subsection provides what to verify and the typical evidence an assessor should request. No control area is omitted.

P1 - Notice

What to verify | Typical evidence
Privacy policy discloses participation in the EU-US DPF (and UK/Swiss extensions as applicable) and provides a link to the DPF List and Principles. | Public privacy notice; screenshots; URL of DPF List entry.
Notice states the types of personal data collected and the purposes of processing. | Data inventory / RoPA; published notice.
Notice identifies third parties or categories of third parties to which data is disclosed and the purpose. | Vendor/sub-processor register; notice text.
Notice explains individuals' right to access and the choices offered to limit use and disclosure. | Rights section of notice; DSAR procedure.
Notice names the independent recourse mechanism and references the DPF Panel binding arbitration option at no cost to the individual. | IRM contract/registration; notice text.
Notice states the organisation is subject to FTC (or DOT) investigatory and enforcement powers and may be liable for onward transfers. | Notice text; enforcement-authority declaration.
Notice is provided in clear and conspicuous language at or before first use/disclosure. | Timing evidence; consent-capture flows.

P2 - Choice

What to verify | Typical evidence
Individuals are offered a readily available, affordable opt-out before data is disclosed to a non-agent third party or used for a materially different purpose. | Opt-out mechanism; preference centre; workflow logs.
Affirmative express (opt-in) consent is obtained before processing sensitive data or disclosing it to a third party for a new purpose. | Consent records; sensitive-data handling procedure.
Direct-marketing opt-out is honoured promptly and free of charge (Supplemental Principle 12). | Suppression lists; marketing platform configuration.
Where data is later treated as sensitive by the receiving organisation, sensitive-data treatment is applied. | Data-classification policy; reclassification logs.

P3 - Accountability for Onward Transfer

What to verify | Typical evidence
Written contracts exist with third-party controllers requiring processing only for limited, specified purposes consistent with individual consent, and providing the same level of protection as the Principles. | Executed data-transfer agreements; contract register.
Contracts with agents (processors) limit processing to the organisation's instructions and require notification and remediation if the agent cannot meet its obligations. | Processor agreements; sub-processor list.
The organisation retains responsibility and remains liable for onward-transfer breaches unless it proves it was not responsible for the harmful event. | Liability clauses; incident allocation records.
Onward transfers of HR data and sensitive data are subject to appropriate additional safeguards. | HR-data transfer contracts; safeguard documentation.
A summary or copy of privacy provisions in onward-transfer contracts can be provided to the Department of Commerce on request. | Contract-provision summaries; DoC correspondence.

P4 - Security

What to verify | Typical evidence
Reasonable and appropriate technical and organisational measures protect data against loss, misuse and unauthorised access, calibrated to the risks and data sensitivity. | Information security policy; ISO 27001 / SOC 2 report; risk assessment.
Access controls, encryption in transit and at rest, and logging/monitoring are implemented commensurate with risk. | Encryption standards; IAM configuration; SIEM logs.
An incident-response and breach-notification process is documented and tested. | IR plan; tabletop exercise records; breach register.
Third-party and cloud sub-processor security is assessed and contractually mandated. | Vendor risk assessments; data processing agreements.

P5 - Data Integrity and Purpose Limitation

What to verify | Typical evidence
Personal data is limited to what is relevant for the purposes of processing and is not processed in a way incompatible with those purposes. | RoPA; purpose-mapping documentation.
Reasonable steps ensure data is accurate, complete and current for its intended use. | Data-quality procedures; correction logs.
Retention is limited to the period the data serves a processing purpose (with exceptions for public-interest, journalism, scientific/historical research or statistics under safeguards). | Retention schedule; deletion/anonymisation evidence.
Data retained beyond active use is anonymised or its identifying elements removed where feasible. | Anonymisation methodology; destruction certificates.

P6 - Access

What to verify | Typical evidence
Individuals can obtain confirmation of, and access to, their personal data held by the organisation, without excessive expense or delay. | DSAR procedure; access-request log with response times.
Individuals can correct, amend or delete inaccurate data or data processed in violation of the Principles. | Rectification/erasure workflow; audit trail.
Exceptions to access (e.g. disproportionate burden, risk to others' rights, confidential commercial information, legal privilege) are applied narrowly and documented (Supplemental Principle 8). | Exception-decision records; legal review notes.
Identity of the requester is verified proportionately before disclosure. | Identity-verification procedure.

P7 - Recourse, Enforcement and Liability

What to verify | Typical evidence
A readily available independent recourse mechanism (IRM) investigates and resolves complaints and disputes at no cost to the individual. | IRM registration (e.g. DPA panel, private ADR provider); complaint-handling logs.
Follow-up procedures verify that attestations and assertions about privacy practices are true and implemented (verification, Supplemental Principle 7). | Annual self-assessment or outside-compliance-review report.
Individuals can escalate unresolved complaints to binding DPF Panel arbitration at no cost, with the ability to seek non-monetary equitable relief. | Arbitration commitment; escrow-fund contribution evidence.
Sanctions for non-compliance are sufficiently rigorous (e.g. publicity, deletion of data, suspension from the DPF List). | IRM sanction policy; enforcement records.
For HR data, the organisation commits to cooperate with EU DPAs and comply with their advice (Supplemental Principle 9). | DPA cooperation commitment; DPA correspondence.

Self-certification lifecycle (Supplemental Principle 6)

What to verify | Typical evidence
Initial self-certification submitted to the Department of Commerce with all required corporate, contact, IRM and privacy-policy details, and a processing fee paid. | DPF portal submission; fee receipt; DPF List entry.
The organisation appears on the active Data Privacy Framework List before it relies on the Framework. | DPF List screenshot showing 'Active' status.
Certification is re-affirmed (recertified) annually, and the anniversary date is tracked. | Recertification confirmation; calendar/tickler system.
The privacy policy conforms to the Principles and is publicly available and consistent with the DPF List entry. | Published policy; version history.
Scope of covered data (e.g. whether HR data is included, and whether the entity acts as controller and/or agent) is accurately declared. | Self-certification record; scope statement.

Withdrawal, continuation and government-access safeguards

What to verify | Typical evidence
If the organisation withdraws or its certification lapses, it either returns/deletes the personal data or continues to apply the Principles to previously received data and annually affirms this to the Department of Commerce. | Withdrawal notice; continuation attestation; deletion certificates.
The organisation responds to lawful public-authority access requests with transparency consistent with EO 14086 proportionality and necessity expectations, and reflects this in its notice (Supplemental Principle 16). | Government-request handling procedure; transparency reporting.
Individuals in the EU are informed of the redress avenues for national-security concerns (CLPO of ODNI and the Data Protection Review Court). | Notice text referencing EO 14086 redress mechanism.
Records demonstrate cooperation with Department of Commerce reviews and prompt response to compliance inquiries. | DoC correspondence; inquiry-response log.

Scoping and materiality/tiering

Because the Framework is a certification rather than a graduated standard, scoping focuses on which data flows and data categories are brought within the certification. Materiality is driven by the nature of the data and the role the organisation plays.

  • Determine the covered data categories: general commercial data, sensitive data (health, racial/ethnic origin, political opinions, religious/philosophical beliefs, trade-union membership, sex life, criminal records), and separately whether HR data received from the EU is included.
  • Determine the organisation's role for each flow: controller, agent (processor), or both - this drives Choice, onward-transfer and access obligations.
  • Map all EU/EEA/UK/Swiss source jurisdictions to confirm which of the three sub-programmes (EU, UK Extension, Swiss) must be certified.
  • Identify high-materiality flows: sensitive data, HR data, large-volume consumer data, and data disclosed to onward third parties - these attract the most rigorous evidence expectations.
  • Exclude flows that cannot rely on the DPF (e.g. transfers to entities outside FTC/DOT jurisdiction) and assign alternative mechanisms (SCCs, BCRs, Article 49 derogations).

Implementation approach

Phase 1 - Assess and scope

Activities: confirm FTC/DOT jurisdiction; inventory EU/UK/Swiss data flows and categories; map controller/agent roles; perform a gap assessment against the seven Principles and relevant Supplemental Principles. Deliverables: data-flow map, Record of Processing Activities, eligibility determination, gap-assessment report and remediation plan.

Phase 2 - Remediate and build controls

Activities: draft a DPF-conformant privacy notice; implement Choice/opt-out and sensitive-data opt-in mechanisms; update onward-transfer contracts to the same-protection standard; harden security controls; establish DSAR/access, rectification and deletion workflows; select and contract an independent recourse mechanism (IRM) and commit to DPF Panel arbitration. Deliverables: published privacy policy, contract templates, IRM engagement letter, updated security documentation, rights-handling procedures.

Phase 3 - Self-certify

Activities: register on dataprivacyframework.gov, complete the self-certification submission, pay fees, and obtain active listing on the DPF List. Deliverables: DPF List active entry, certification record, IRM registration confirmation, arbitration-fund contribution evidence.

Phase 4 - Operate and verify

Activities: run complaint handling; conduct the annual verification (self-assessment or outside compliance review); track recertification anniversary; monitor onward-transfer partners; maintain government-access transparency. Deliverables: verification report, complaint log, recertification confirmation, vendor-oversight records.

Phase 5 - Monitor and improve

Activities: monitor regulatory developments (EO 14086 implementation, periodic joint reviews by the European Commission and Department of Commerce, any litigation challenging the adequacy decision); update controls; run internal audits. Deliverables: regulatory-watch log, internal-audit findings, continuous-improvement plan and board reporting.

Maturity / capability model

While the DPF does not define tiers, CyberSigma applies a five-level maturity model to help organisations benchmark and improve their transfer-compliance programme.

Level | Name | Characteristics
1 | Initial | No formal DPF programme; transfers rely on ad-hoc or expired mechanisms; privacy notice does not reference the DPF.
2 | Developing | Gap assessment done; privacy notice drafted; some controls exist but not yet self-certified; IRM not engaged.
3 | Defined | Self-certified and active on the DPF List; core Principles implemented; IRM engaged; DSAR and onward-transfer processes documented.
4 | Managed | Annual verification performed and evidenced; metrics tracked; onward-transfer partners audited; recertification reliably on time.
5 | Optimised | Integrated with wider privacy programme (GDPR, ISO 27701); automated evidence collection; proactive regulatory watch; independent assurance and board oversight.

Assessment and audit approach

  1. Confirm active status and scope on the Data Privacy Framework List, including UK and Swiss extensions and whether HR data is covered.
  2. Review the published privacy policy against all Notice-Principle disclosure elements and check consistency with the DPF List entry.
  3. Trace representative data flows end to end, verifying Choice, sensitive-data opt-in, onward-transfer contracts and security controls.
  4. Test the individual-rights mechanisms: submit or sample access, correction, deletion and opt-out requests and measure response times and outcomes.
  5. Examine the independent recourse mechanism engagement, complaint volumes, resolutions and arbitration commitment/escrow contribution.
  6. Inspect the annual verification (self-assessment statement signed by a corporate officer, or an outside-compliance-review report) for completeness and accuracy.
  7. Assess onward-transfer governance: contract coverage, sub-processor list, and liability allocation.
  8. Review government-access request handling and EO 14086 transparency, and confirm notice references the CLPO/DPRC redress route.
  9. Verify recertification timeliness and continuity/withdrawal handling for legacy data.
  10. Report findings with severity ratings and a remediation roadmap mapped to the seven Principles.

Evidence request list

Assessors should request evidence across the following categories.

  • Certification: DPF List entry (active), self-certification submission record, fee receipts, recertification confirmations.
  • Governance: privacy policy (current and version history), data-protection roles, DPO/privacy-officer appointment.
  • Data mapping: Record of Processing Activities, EU/UK/Swiss data-flow diagrams, data-category and sensitivity classification.
  • Notice and choice: published notices, consent-capture flows, opt-out/opt-in mechanisms, marketing suppression lists.
  • Onward transfers: executed controller and agent contracts, sub-processor register, contract-provision summaries.
  • Security: information security policy, ISO 27001 / SOC 2 / ISO 27701 reports, risk assessments, encryption and IAM configuration, incident-response plan and breach register.
  • Individual rights: DSAR/access/correction/deletion procedures and logs with response-time metrics.
  • Recourse: IRM engagement letter and registration, complaint-handling logs, arbitration commitment and escrow-fund contribution.
  • Verification: annual self-assessment attestation or outside-compliance-review report.
  • Government access and transparency: request-handling procedure, transparency reports, EO 14086 redress notice text.
  • Change management: regulatory-watch log, internal-audit reports, remediation tracker.

Roles and responsibilities

Role | Responsibility
Board / Executive sponsor | Approves the transfer-compliance strategy, funds the programme and receives assurance reporting.
Chief Privacy Officer / DPO | Owns DPF conformity, the privacy notice and individual-rights handling; primary liaison with the Department of Commerce and DPAs.
CISO / Information Security | Implements and evidences the Security Principle; manages incident response and vendor security assessment.
Legal / Compliance | Drafts onward-transfer contracts, manages self-certification and recertification, monitors regulatory and litigation developments.
Data / IT owners | Maintain the RoPA, enforce retention and data-quality, and operate access/deletion workflows.
Independent Recourse Mechanism (external) | Investigates individual complaints, applies sanctions and provides an escalation path to arbitration.
Internal Audit / Independent assessor | Performs the annual verification or reviews the self-assessment and reports findings to the board.
Onward-transfer partners | Adhere to contractual same-protection obligations and notify of any inability to comply.

KPIs and metrics to track

  • Certification status: days remaining to recertification anniversary; recertification completed on time (yes/no).
  • Individual rights: number of access/correction/deletion requests and mean/percentile response time versus target.
  • Opt-out and consent: opt-out honour rate and time to suppression; proportion of sensitive-data processing with valid opt-in.
  • Complaints: volume received via the IRM, resolution rate, mean time to resolve and number escalated to arbitration.
  • Onward transfers: percentage of third-party recipients under a compliant same-protection contract.
  • Security: number of reportable incidents involving DPF-covered data and mean time to detect/respond.
  • Verification: annual verification completed and signed by a corporate officer (yes/no); open gap-remediation items.
  • Government access: number of public-authority requests received and disclosed in transparency reporting.
  • Training: percentage of relevant staff completing DPF/privacy awareness training.

Readiness checklist

  • Confirmed the organisation is subject to FTC or DOT jurisdiction.
  • Inventoried all EU/EEA/UK/Swiss data flows and data categories, including HR and sensitive data.
  • Determined controller/agent roles for each flow.
  • Published a privacy notice containing every required Notice-Principle disclosure.
  • Implemented Choice opt-out and sensitive-data opt-in mechanisms.
  • Executed same-protection onward-transfer contracts with all third-party controllers and agents.
  • Implemented reasonable and appropriate security controls and a tested incident-response plan.
  • Established access, correction and deletion workflows with defined response times.
  • Engaged an independent recourse mechanism and committed to DPF Panel binding arbitration with escrow contribution.
  • Included HR-data DPA cooperation commitment where HR data is covered.
  • Completed self-certification and confirmed active status on the DPF List.
  • Scheduled the annual verification and recertification with a tickler system.
  • Documented government-access handling and EO 14086 redress notice.
  • Assigned clear roles and board-level oversight.

Common gaps and findings

  • Privacy notice fails to reference DPF participation, the DPF Panel arbitration option or FTC/DOT enforcement authority.
  • Relying on the DPF before appearing as 'Active' on the DPF List, or continuing to claim participation after lapse or withdrawal.
  • Missing or non-conforming annual verification - no self-assessment signed by a corporate officer and no outside compliance review.
  • Onward-transfer contracts absent or lacking the same-protection standard and liability terms.
  • Sensitive data processed without affirmative opt-in consent, or HR data covered without the required DPA cooperation commitment.
  • Access/deletion requests handled slowly or refused without a documented, narrow exception.
  • Recertification missed on the anniversary date, causing the certification to lapse.
  • Assuming DPF certification removes all GDPR obligations - it legitimises transfer only; the EU exporter and the importer's own processing duties remain.
  • No independent recourse mechanism engaged, or the IRM registration is inconsistent with the notice.
  • No monitoring of adequacy-decision stability (periodic joint reviews, litigation risk), leaving no fallback transfer mechanism ready.

EU-US DPF mapped to other frameworks

EU-US DPF element | Related requirement in other frameworks
Notice Principle | GDPR Articles 13-14 transparency; ISO 27701 privacy notice controls.
Choice Principle | GDPR Article 6 lawful basis and Article 21 right to object; sensitive data ties to GDPR Article 9.
Accountability for Onward Transfer | GDPR Chapter V transfers and Article 28 processor contracts; SCCs equivalent obligations.
Security Principle | GDPR Article 32; ISO/IEC 27001 Annex A; SOC 2 Security criteria; NIST CSF Protect function.
Data Integrity and Purpose Limitation | GDPR Articles 5(1)(b), (c), (d) and 5(1)(e) storage limitation; ISO 27701 minimisation controls.
Access Principle | GDPR Articles 15-17 (access, rectification, erasure).
Recourse, Enforcement and Liability | GDPR Articles 77-79 remedies; ISO 27701 complaint-handling; NIST Privacy Framework Govern function.
Self-certification and verification | ISO 27701 certification lifecycle; SOC 2 Type II periodic examination.
Government-access safeguards (EO 14086) | Addresses Schrems II CJEU concerns; complements TIA analysis under EDPB Recommendations 01/2020.

How CyberSigma helps

CyberSigma helps organisations achieve and sustain EU-US Data Privacy Framework conformity end to end: eligibility and scoping assessment, gap analysis against the seven Principles and sixteen Supplemental Principles, drafting DPF-conformant privacy notices and same-protection onward-transfer contracts, standing up individual-rights and independent-recourse mechanisms, and guiding self-certification and annual verification. As a CERT-In empanelled auditor with PCI QSA and ISO 27001/27701 expertise, we integrate your DPF programme with GDPR, ISO and SOC 2 controls so a single evidence base serves multiple obligations - and we keep watch on adequacy-decision developments so you always have a resilient, defensible transfer posture.

Frequently asked questions

Is the DPF a substitute for GDPR compliance?
No — it is a lawful transfer mechanism; the organisation must still meet GDPR obligations for the underlying processing.