+44 (0) 121 582 0192 [email protected]


The introduction of the EU-US Data Privacy Framework (DPF) marks a significant shift in the landscape of international data transfers. This new framework, administered by the US Department of Commerce, ensures that US companies comply with stringent data privacy standards when handling data from the European Union, the United Kingdom, and Switzerland. Understanding the certification process is crucial for new applicants and companies transitioning from the old EU-US Privacy Shield. Here’s a comprehensive guide to help US companies Understanding The EU-US Data Privacy Framework Certification process.


For New Applicants


1. Understanding the DPF Principles

Organisations must commit to adhering to the DPF Principles for data transfers. This involves understanding the legal and ethical implications of data handling according to these principles. This requires specific text additions to your privacy notice/policy

2. Self-Certification and Annual Recertification

Companies must initially self-certify and then annually recertify their adherence to the DPF Principles to the International Trade Administration (ITA). This process involves a thorough internal review of data handling practices.

3. Compliance Obligations

Compliance with the DPF is not a one-time event but an ongoing obligation. Companies must ensure that their data handling practices align with the DPF Principles.


For Companies Previously Under the EU-US Privacy Shield


1. Updating Privacy Policies

Organisations must update their privacy policies to reflect their commitment to the “EU-US Data Privacy Framework Principles” and the “Swiss-US Data Privacy Principles.” This update must be more than nominal; it requires a substantive review and modification of the policy.

2. Deadline for Policy Updates

The updated privacy policies must be in place within three months of the effective date of the DPF Principles, i.e., by October 10, 2023.

3. Uploading Revised Policies

Revised privacy policies can be uploaded through the DPF website. However, there is no automatic review by the Department of Commerce, emphasising the importance of accuracy in self-assessment.

4. Enforcement and Compliance

The Federal Trade Commission (FTC) and other regulatory bodies will actively enforce compliance with the DPF. Companies must ensure their policies are updated and fully compliant to avoid investigations and fines.

5. Additional Rights for Data Subjects

The DPF grants data subjects additional options to enforce their rights or lodge complaints, further emphasising the need for companies to be diligent in their compliance efforts.


Information Required for the Application

1. Organisation Information

Provide the legal name and other essential details of the organisation.

2. Contact for Complaints

Designate a contact person for handling complaints and inquiries.

3. Corporate Officer

Identify the person responsible for completing the self-certification.

4. Company Entities and Subsidiaries

List all entities and subsidiaries involved in the data handling process.

5. Data Activities Description

Describe how your organisation handles personal data.

6. Independent Recourse Mechanisms

Detail the mechanisms in place for independent recourse in case of disputes.

7. Privacy Policy

New applicants must upload a draft privacy policy for assessment, while reapplicants should amend their existing policy to comply with the DPF.

8. Privacy Program Membership

List any privacy programs the organisation is a member of.

9. Verification Method

Choose between self-certification or an outside compliance review.

10. Organisational Details

Provide annual turnover.

11: Employee Numbers.

Provide the number of employees of organisation and all entities and subsideries


Entering into  Data Processing Contracts between EU/UK/CH – US companies that include DPF references without being certified can Invalidate those contract terms and could result in large fines and penalties.



The EU-US Data Privacy Framework presents both a challenge and an opportunity for US companies dealing with transatlantic data transfers. By understanding and adhering to the DPF Principles, companies can not only avoid legal pitfalls but also demonstrate their commitment to protecting consumer data. Whether you are a new applicant or transitioning from the Privacy Shield, it is essential to approach this process with diligence and a thorough understanding of the requirements.


In Need of urgent help?

Contact Formiti Data International for a fixed price fast turnaround Privacy Policy/Notice DPF compliant update or any further assistance. Click Here