The EU–U.S. Data Privacy Framework: new FAQs
The EU‑U.S. Data Privacy Framework (DPF) is a mechanism for transferring data between the European Union (EU) (and more broadly the European Economic Area (EEA)) and the United States, designed to enable transfers of personal data to U.S. companies while ensuring an adequate level of protection in line with the General Data Protection Regulation (GDPR).
It is based on a data privacy framework for U.S. companies: those that join the program commit to complying with a set of data protection obligations and principles similar to those expected in Europe.
Thanks to the European Commission’s adequacy decision, personal data can flow freely to these U.S. companies without requiring additional safeguards (contractual clauses, authorisations, etc.).
Presentation of the two FAQs
On 15 January 2026, the EDPB published two FAQ documents (Frequently Asked Questions) on the Data Privacy Framework:
- a FAQ for European businesses that transfer or plan to transfer personal data to U.S. companies certified under the DPF,
- and a FAQ for European individuals, to explain their rights and the mechanisms for exercising those rights under the DPF.
The European Data Protection Board (EDPB) is the independent European body responsible for ensuring the consistent application of the GDPR across the EU/EEA. It brings together the data protection authorities of each Member State and the European Data Protection Supervisor (EDPS), and publishes guidance, guidelines and practical tools to facilitate compliance with European data protection law.
These FAQs play an educational and operational role: they do not change the DPF’s legal framework itself, but clarify its practical implementation, by answering frequent questions that European data controllers, their compliance teams, and data subjects (citizens, customers, employees, etc.) may have.
For European businesses
European companies that transfer data to U.S. DPF‑certified companies must comply with GDPR obligations according to their role:
- Data controllers: determine the purposes and legal bases for transfers, inform data subjects, and document certification checks.
- Data processors: ensure that transfers comply with the controller’s instructions and that U.S. partners honour DPF commitments.
Before any transfer, companies must:
- Verify that the U.S. partner is indeed certified and that its certification covers the type of data being transferred (to self‑certify under the DPF, a U.S. company must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation (DoT));
- Document this verification in their records of processing activities;
- Continue to comply with other GDPR obligations, such as security and the protection of data subject rights.
For European individuals
The second FAQ is a guide for data subjects in the EEA who want to understand their rights and remedies when their data are transferred to the United States under the DPF.
The FAQ details the rights Europeans retain even after their data are transferred to U.S. entities, notably:
- Right to be informed about the transfer and its purpose,
- Right of access to their data,
- Right to rectification or erasure in case of incorrect or non‑compliant processing.
Secure your data transfers with DASTRA
Companies should take a proactive approach and prepare in advance with the following concrete measures.
For your international transfers, with DASTRA you can:
- Map all transatlantic data flows (which processing activities, which actors, which data);
- Assess critical transfers and identify European or sovereign alternatives;
- Prepare a fallback plan towards the Standard Contractual Clauses;
- Estimate the costs of a possible repatriation of data to European solutions;
- Carry out a financial and contractual impact assessment;
- Document all compliance mechanisms (legal basis, supplementary measures, updated records, etc.);
- Closely monitor regulatory developments.
