On 15 January 2026, the European Data Protection Board adopted the updated version of its guide for European businesses regarding the EU-US Data Privacy Framework (DPF). The DPF operates as a self-certification mechanism for companies in the United States, and the European Commission has determined that transfers to certified companies enjoy an adequate level of protection for personal data transferred from the European Economic Area (EEA). The guide clarifies that only US businesses subject to the oversight of the Federal Trade Commission (FTC) or the Department of Transportation (DoT) may self-certify under the DPF.

Before initiating transfers, EEA data exporters are obliged to verify the active status and scope of a recipient's certification through the Data Privacy Framework List maintained by the Department of Commerce. This verification includes checking if the certification covers specific data categories such as human resources (HR) data. The EEA exporter must also inform the US company when the data includes HR data. While the DPF assists with compliance under Chapter V of the General Data Protection Regulation (GDPR), exporters must continue to observe all other GDPR obligations, including legal bases for processing and transparency requirements. EEA exporters must verify whether certifications cover subsidiaries before transferring data.

When transferring data to a processor, the parties must conclude a data processing agreement pursuant to Article 28 of the GDPR, regardless of self-certification status. The agreement requires the processor to follow documented instructions, implement security measures, and assist the controller in responding to data subject requests. Furthermore, US processors must ensure that any sub-processors provide an equivalent level of protection and remain liable for their performance.