


In an age where data privacy concerns are paramount, organisations worldwide have taken significant strides to ensure the safety and security of personal information. One crucial aspect of this effort is the implementation of Data Privacy Frameworks (DPF). But how can you verify an organisation’s commitment to these frameworks? In this article, we’ll guide you through the process of verifying EU-US Data Privacy Framework commitments.


Step 1: Confirm DPF Participation

The first step in verifying an organisation’s data privacy commitments is to determine whether they are a participant in a Data Privacy Framework. To do this, follow these simple steps:

  1. Go to the Data Privacy Framework List, typically found on the organisation’s website or through a search engine query.
  2. You can search alphabetically or use the search bar to enter the organisation’s name.
  3. If the organisation is a participant, it should appear in the search results.


Step 2: Check the Covered Information

Once you’ve identified the organisation’s participation in a DPF, the next step is to ensure that their DPF commitments cover the information to be transferred. Follow these steps to do so:

  1. Click on the organisation’s name within the Data Privacy Framework List. This will usually take you to a detailed page about their DPF program.
  2. Within the organisation’s DPF program record, look for the “Other Covered U.S. Entities and U.S. Subsidiaries” section. This will give you insight into the scope of the DPF.
  3. Additionally, check the “Participation” section of the record to see if the specific data you are concerned about falls under their DPF commitments.


Step 3: Review the Privacy Policy

Understanding the privacy policy that applies to the covered information is crucial in assessing an organisation’s data privacy commitment. Here’s how to do it:

  1. Within the organisation’s DPF program record, navigate to the “Privacy Policy” section.
  2. Click on the link provided to access the relevant privacy policy or policies. Organisations typically have separate policies for HR data and non-HR data.
  3. Review the privacy policy thoroughly to ensure it matches your expectations and the DPF commitments.


Step 4: Seek Clarification

If you have any questions or concerns about an organisation’s data privacy commitments, please don’t hesitate to ask for clarification. Follow these steps to get in touch:

  1. Within the organisation’s DPF program record, go to the “Dispute Resolution” section. This section should contain contact information for the organisation’s data privacy team.
  2. You can use the contact information provided to contact the organisation directly with your questions.
  3. You can also contact the DPF team within the U.S. Department of Commerce’s International Trade Administration (ITA) if necessary. You can do this by visiting their website and submitting an inquiry via the “Outreach and Education” tab.


Understanding Obligatory Contracts for Onward Transfers

In some cases, organisations may need to enter into contracts for onward transfers of personal data. Here’s a brief overview of these obligations:


Data Processing Contracts

  • When personal data is transferred from the EU to the United States for processing, a contract is required, irrespective of the processor’s participation in the EU-U.S. DPF.
  • Data controllers in the EU must always enter into a contract for processing, whether the processor participates in the DPF or not. This contract ensures that the processor acts on the controller’s instructions, provides necessary data protection measures, and assists in responding to individuals’ data privacy rights.
  • Contracts with participating organisations for mere processing do not require prior authorisation due to the protection provided by these organisations.


Transfers within a Controlled Group

  • When personal information is transferred between two controllers within a controlled group of corporations or entities, a contract is not always necessary. Alternative instruments like EU Binding Corporate Rules can be used to ensure the continuity of data protection.
  • However, participating organisations remain responsible for compliance with DPF principles in such transfers.


Transfers between Controllers

  • For transfers between controllers, the recipient controller does not need to be a participating organisation or have an independent recourse mechanism.
  • The participating organisation must enter into a contract with the recipient third-party controller that provides the same level of protection as available under the DPF.

In conclusion, verifying an organisation’s data privacy commitments involves a systematic approach that includes confirming their participation in a Data Privacy Framework, checking the covered information, reviewing the privacy policy, and seeking clarification if needed. Understanding obligatory contracts for onward transfers gives further insight into an organisation’s commitment to data privacy, ensuring that personal information remains secure in today’s digital landscape.
