The FAQ revolves around the four questions discussed below.
- What is the EU-U.S. Data Privacy Framework?
The EU-U.S. Data Privacy Framework (DPF) is a self-certification mechanism for companies in the U.S.
The European Commission concluded that the transfer of personal data from the European Economic Area (EEA) to companies certified under the Data Protection Framework (DPF) is subject to an adequate level of protection.
Consequently, the transfer of personal data to certified companies in the U.S. can be conducted with minimal restrictions.
The DPF is applicable to any category of personal data transferred from the EEA to the United States. This encompasses personal data processed for commercial or health purposes, and human resources data collected in the context of an employment relationship (hereafter referred to as 'HR Data'), on the condition that the recipient company in the U.S. is self-certified under the DPF to process such data.
- Which U.S. companies are eligible to the EU-U.S. Data Privacy Framework?
In order to be eligible for self-certification to the DPF, a US company must be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) or of the U.S. Department of Transportation (DoT). There is a possibility that other U.S. statutory bodies may be included in the future.
This signifies that non-profit organisations, insurance companies, banks and telecommunication service providers (with regard to common carrier activities) which do not fall under the jurisdiction of the FTC or the DoT are unable to self-certify under the DPF.
- What to do before transferring personal data to a company in the U.S. which is, or claims to be certified under the EU-U.S. Data Privacy Framework?
Prior to the transfer of personal data to a company in the U.S. under the DPF, the data exporter in the EEA is required to verify that the company in the U.S. possesses an active self-certification (certifications must be renewed annually). This certification must specify the categories of personal data received by the US-based company.
In the event of an EEA exporter intending to transfer HR data to a company in the US under the DPF, it is the exporter's responsibility to ensure that the company in the US is either: (a) in possession of an active certification that covers the aforementioned data as HR data, or (b) in possession of an active certification that encompasses the data as another type of personal data and has committed, in its privacy policy, to cooperate and comply with the advice of the EU data protection authorities with regard to such data. The EEA exporter must inform the company in the US of the fact that the transfer in question encompasses HR data.
In order to verify the validity of a self-certification and its scope, data exporters in the EEA are required to consult the Data Privacy Framework List, a document published on the U.S. Department of Commerce's website. The present list comprises a register of companies that currently hold an active self-certification under the DPF, as well as a register of companies that have been removed from the list on the grounds of being ‘inactive participants’. The reasons for the removal of the latter category of companies are also stated. It is evident that an EEA data exporter is unable to rely on the DPF for the transfer of personal data to companies that do not hold an active self-certification under the DPF.
It also is imperative that companies which have been removed from the Data Privacy Framework List continue to apply the Data Privacy Framework Principles to personal data received while participating in the DPF for as long as they retain it.
In the event of the transfer of personal data to companies based in the U.S. that are not (or no longer) self-certified under the DPF, other grounds for transfer in Chapter V of the GDPR may be utilised. Such grounds may include Binding Corporate Rules or Standard Contractual Clauses.
The fact that the recipient in the U.S. is self-certified under the DPF will enable data exporters in the EEA to comply with Chapter V of the GDPR. However, it should be noted that all other requirements in the GDPR and any other national data protection law also remain applicable.
For detailed information, please consult the FAQ, which provides coverage of the applicable situations when a transfer takes place to:
- US subsidiaries of companies certified under the EU-US DPF;
- A company in the U.S. acting as a controller;
- A company in the U.S. acting as a processor.
- Where can I find guidance regarding the certification of U.S. subsidiary companies of European businesses?
U.S. subsidiaries of EEA businesses can self-certify to the DPF if they fall under the jurisdiction of the FTC or the U.S. Department of Transportation (DoT).
More information on the eligibility requirements along with a guide to the self-certification process can be found here and here.