[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article_59848":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":11,"nbDownloads":12,"excerpt":13,"lang":14,"url":15,"intro":13,"featured":4,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":47,"imageUrl":48,"imageThumbUrls":49,"id":57},false,"## The EU–U.S. Data Privacy Framework: new FAQs\r\n\r\nThe [**EU‑U.S. Data Privacy Framework**](https://www.dastra.eu/fr/guide/revoir-le-webinaire-ue-us-data-privacy-framework-quelles-incidences/54632) (DPF) is a mechanism for transferring data between the European Union (EU) (and more broadly the European Economic Area (EEA)) and the United States, designed to enable **transfers of personal data to U.S. companies while ensuring an adequate level of protection** in line with the General Data Protection Regulation (GDPR).\r\n\r\nIt is based on a [data privacy framework](https://www.dataprivacyframework.gov/program-articles/How-to-Join-the-Data-Privacy-Framework-\\(DPF\\)-Program-\\(part%E2%80%931\\)) for U.S. companies: those that join the program commit to complying with a set of **data protection obligations and principles** similar to those expected in Europe.\r\n\r\nThanks to the European Commission’s adequacy decision, personal data can flow freely to these U.S. companies without requiring additional safeguards (contractual clauses, authorisations, etc.).\r\n\r\n## Presentation of the two FAQs\r\n\r\nOn **15 January 2026**, the EDPB published **two FAQ documents (Frequently Asked Questions)** on the Data Privacy Framework:\r\n\r\n- a [FAQ for European businesses](https://www.edpb.europa.eu/system/files/2026-01/edpb_dpf_faq-for-businesses_v2_en.pdf) that transfer or plan to transfer personal data to U.S. 
companies certified under the DPF,\r\n- and a [FAQ for European individuals](https://www.edpb.europa.eu/system/files/2026-01/edpb_dpf_faq-for-individuals_v2_en.pdf), to explain their rights and the mechanisms for exercising those rights under the DPF.\r\n\r\n> The **European Data Protection Board** (EDPB) is the independent European body responsible for ensuring the **consistent application of the GDPR** across the EU/EEA. It brings together the data protection authorities of each Member State and the **European Data Protection Supervisor (EDPS)**, and publishes guidance, guidelines and practical tools to facilitate compliance with European data protection law.\r\n\r\nThese FAQs play an educational and operational role: they do not change the DPF’s legal framework itself, but **clarify its practical implementation**, by answering frequent questions that European data controllers, their compliance teams, and data subjects (citizens, customers, employees, etc.) may have.\r\n\r\n## For European businesses\r\n\r\nEuropean companies that transfer data to U.S. DPF‑certified companies must comply with GDPR obligations according to their role:\r\n\r\n- **Data controllers**: determine the purposes and legal bases for transfers, inform data subjects, and document certification checks.\r\n\r\n- **Data processors**: ensure that transfers comply with the controller’s instructions and that U.S. partners honour DPF commitments.\r\n\r\nBefore any transfer, companies must:\r\n\r\n1. Verify that the U.S. partner is **indeed certified** and that its certification covers the type of data being transferred (to self‑certify under the DPF, a U.S. company must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation (DoT));\r\n2. Document this verification in their **records of processing activities**;\r\n3. 
Continue to comply with **other GDPR obligations**, such as security and the protection of data subject rights.\r\n\r\n## For European individuals\r\n\r\nThe second FAQ is a guide for **data subjects in the EEA** who want to understand their **rights and remedies** when their data are transferred to the United States under the DPF.\r\n\r\nThe FAQ details the **rights Europeans retain** even after their data are transferred to U.S. entities, notably:\r\n\r\n- Right to be [**informed**](https://www.dastra.eu/fr/guide/droit-a-linformation/52273) about the transfer and its purpose,\r\n\r\n- Right of [**access**](https://www.dastra.eu/fr/guide/droit-dacces/52264) to their data,\r\n\r\n- Right to [**rectification or erasure**](https://www.dastra.eu/fr/guide/droit-de-rectification/52274) in case of incorrect or non‑compliant processing.\r\n\r\n## Secure your data transfers with DASTRA\r\n\r\nCompanies should adopt a **proactive approach** and **plan ahead** by taking the following concrete measures.\r\n\r\nFor your [international transfers](https://doc.dastra.eu/features/editer-le-registre/remplir-le-questionnaire/destinataires/transferts-de-donnees-hors-ue), with DASTRA you can:\r\n\r\n1. [Map](https://doc.dastra.eu/features/cartography) all transatlantic data flows (which processing activities, which actors, which data);\r\n\r\n2. Assess [critical transfers](https://doc.dastra.eu/features/editer-le-registre/la-visualisation-des-donnees/visualiser-la-carte-des-transferts) and identify European or sovereign alternatives;\r\n\r\n3. Prepare a fallback plan based on the **Standard Contractual Clauses**;\r\n\r\n4. Estimate the costs of a possible repatriation of data to European solutions;\r\n\r\n5. Carry out a [financial and contractual impact assessment](https://doc.dastra.eu/rappels-utiles/rgpd-en-bref/analyse-dimpact#exemples-de-traitements-concernes);\r\n\r\n6. Document all compliance mechanisms (legal basis, supplementary measures, updated records, etc.);\r\n\r\n7. 
Closely monitor [regulatory developments](https://www.dastra.eu/fr/articles).","\u003Ch2 id=\"the-euu.s.data-privacy-framework-new-faqs\">The EU–U.S. Data Privacy Framework: new FAQs\u003C/h2>\r\n\u003Cp>The \u003Ca href=\"https://www.dastra.eu/fr/guide/revoir-le-webinaire-ue-us-data-privacy-framework-quelles-incidences/54632\">\u003Cstrong>EU‑U.S. Data Privacy Framework\u003C/strong>\u003C/a> (DPF) is a mechanism for transferring data between the European Union (EU) (and more broadly the European Economic Area (EEA)) and the United States, designed to enable \u003Cstrong>transfers of personal data to U.S. companies while ensuring an adequate level of protection\u003C/strong> in line with the General Data Protection Regulation (GDPR).\u003C/p>\r\n\u003Cp>It is based on a \u003Ca href=\"https://www.dataprivacyframework.gov/program-articles/How-to-Join-the-Data-Privacy-Framework-(DPF)-Program-(part%E2%80%931)\" rel=\"nofollow\">data privacy framework\u003C/a> for U.S. companies: those that join the program commit to complying with a set of \u003Cstrong>data protection obligations and principles\u003C/strong> similar to those expected in Europe.\u003C/p>\r\n\u003Cp>Thanks to the European Commission’s adequacy decision, personal data can flow freely to these U.S. 
companies without requiring additional safeguards (contractual clauses, authorisations, etc.).\u003C/p>\r\n\u003Ch2 id=\"presentation-of-the-two-faqs\">Presentation of the two FAQs\u003C/h2>\r\n\u003Cp>On \u003Cstrong>15 January 2026\u003C/strong>, the EDPB published \u003Cstrong>two FAQ documents (Frequently Asked Questions)\u003C/strong> on the Data Privacy Framework:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>a \u003Ca href=\"https://www.edpb.europa.eu/system/files/2026-01/edpb_dpf_faq-for-businesses_v2_en.pdf\" rel=\"nofollow\">FAQ for European businesses\u003C/a> that transfer or plan to transfer personal data to U.S. companies certified under the DPF,\u003C/li>\r\n\u003Cli>and a \u003Ca href=\"https://www.edpb.europa.eu/system/files/2026-01/edpb_dpf_faq-for-individuals_v2_en.pdf\" rel=\"nofollow\">FAQ for European individuals\u003C/a>, to explain their rights and the mechanisms for exercising those rights under the DPF.\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>The \u003Cstrong>European Data Protection Board\u003C/strong> (EDPB) is the independent European body responsible for ensuring the \u003Cstrong>consistent application of the GDPR\u003C/strong> across the EU/EEA. It brings together the data protection authorities of each Member State and the \u003Cstrong>European Data Protection Supervisor (EDPS)\u003C/strong>, and publishes guidance, guidelines and practical tools to facilitate compliance with European data protection law.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>These FAQs play an educational and operational role: they do not change the DPF’s legal framework itself, but \u003Cstrong>clarify its practical implementation\u003C/strong>, by answering frequent questions that European data controllers, their compliance teams, and data subjects (citizens, customers, employees, etc.) may have.\u003C/p>\r\n\u003Ch2 id=\"for-european-businesses\">For European businesses\u003C/h2>\r\n\u003Cp>European companies that transfer data to U.S. 
DPF‑certified companies must comply with GDPR obligations according to their role:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Data controllers\u003C/strong>: determine the purposes and legal bases for transfers, inform data subjects, and document certification checks.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Data processors\u003C/strong>: ensure that transfers comply with the controller’s instructions and that U.S. partners honour DPF commitments.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>Before any transfer, companies must:\u003C/p>\r\n\u003Col>\r\n\u003Cli>Verify that the U.S. partner is \u003Cstrong>indeed certified\u003C/strong> and that its certification covers the type of data being transferred (to self‑certify under the DPF, a U.S. company must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation (DoT));\u003C/li>\r\n\u003Cli>Document this verification in their \u003Cstrong>records of processing activities\u003C/strong>;\u003C/li>\r\n\u003Cli>Continue to comply with \u003Cstrong>other GDPR obligations\u003C/strong>, such as security and the protection of data subject rights.\u003C/li>\r\n\u003C/ol>\r\n\u003Ch2 id=\"for-european-individuals\">For European individuals\u003C/h2>\r\n\u003Cp>The second FAQ is a guide for \u003Cstrong>data subjects in the EEA\u003C/strong> who want to understand their \u003Cstrong>rights and remedies\u003C/strong> when their data are transferred to the United States under the DPF.\u003C/p>\r\n\u003Cp>The FAQ details the \u003Cstrong>rights Europeans retain\u003C/strong> even after their data are transferred to U.S. 
entities, notably:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Right to be \u003Ca href=\"https://www.dastra.eu/fr/guide/droit-a-linformation/52273\">\u003Cstrong>informed\u003C/strong>\u003C/a> about the transfer and its purpose,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Right of \u003Ca href=\"https://www.dastra.eu/fr/guide/droit-dacces/52264\">\u003Cstrong>access\u003C/strong>\u003C/a> to their data,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Right to \u003Ca href=\"https://www.dastra.eu/fr/guide/droit-de-rectification/52274\">\u003Cstrong>rectification or erasure\u003C/strong>\u003C/a> in case of incorrect or non‑compliant processing.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Ch2 id=\"secure-your-data-transfers-with-dastra\">Secure your data transfers with DASTRA\u003C/h2>\r\n\u003Cp>Companies should adopt a \u003Cstrong>proactive approach\u003C/strong> and \u003Cstrong>plan ahead\u003C/strong> by taking the following concrete measures.\u003C/p>\r\n\u003Cp>For your \u003Ca href=\"https://doc.dastra.eu/features/editer-le-registre/remplir-le-questionnaire/destinataires/transferts-de-donnees-hors-ue\">international transfers\u003C/a>, with DASTRA you can:\u003C/p>\r\n\u003Col>\r\n\u003Cli>\u003Cp>\u003Ca href=\"https://doc.dastra.eu/features/cartography\">Map\u003C/a> all transatlantic data flows (which processing activities, which actors, which data);\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Assess \u003Ca href=\"https://doc.dastra.eu/features/editer-le-registre/la-visualisation-des-donnees/visualiser-la-carte-des-transferts\">critical transfers\u003C/a> and identify European or sovereign alternatives;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Prepare a fallback plan based on the \u003Cstrong>Standard Contractual Clauses\u003C/strong>;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Estimate the costs of a possible repatriation of data to European solutions;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Carry out a \u003Ca 
href=\"https://doc.dastra.eu/rappels-utiles/rgpd-en-bref/analyse-dimpact#exemples-de-traitements-concernes\">financial and contractual impact assessment\u003C/a>;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Document all compliance mechanisms (legal basis, supplementary measures, updated records, etc.);\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Closely monitor \u003Ca href=\"https://www.dastra.eu/fr/articles\">regulatory developments\u003C/a>.\u003C/p>\r\n\u003C/li>\r\n\u003C/ol>\r\n\u003Cdiv class=\"content-btn-container\">\u003Ca>\u003C/a>\u003C/div>\r\n","New EDPB FAQs on the 2026 Data Privacy Framework","The EDPB has published two 2026 FAQs on the Data Privacy Framework to guide businesses and individuals in data transfers to the United States.",748,4,"The EDPB publishes new FAQs on the Data Privacy Framework.",0,null,"en","the-edpb-publishes-new-faqs-on-the-data-privacy-framework","Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":13,"blogUrl":13,"color":13,"userId":18,"creationDate":21},2986,"Maëva Vidal","https://static.dastra.eu/tenant-3/avatar/2986/maeva-min-min-min-150.png","2022-09-05T13:22:36","2026-02-06T13:59:00","2026-02-02T13:59:18.9470261","2026-03-12T16:39:05.5524502",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":31},2,"Blog","A list of curated articles provided by the community","article","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst 
wurden",[42],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[],"https://static.dastra.eu/content/b981d117-d398-4d51-b3dc-6f3eaa88a290/visuel-article-14-original.jpg",[50,51,52,53,54,55,56],"https://static.dastra.eu/content/b981d117-d398-4d51-b3dc-6f3eaa88a290/visuel-article-14-1000.webp","https://static.dastra.eu/content/b981d117-d398-4d51-b3dc-6f3eaa88a290/visuel-article-14.webp","https://static.dastra.eu/content/b981d117-d398-4d51-b3dc-6f3eaa88a290/visuel-article-14-1500.webp","https://static.dastra.eu/content/b981d117-d398-4d51-b3dc-6f3eaa88a290/visuel-article-14-800.webp","https://static.dastra.eu/content/b981d117-d398-4d51-b3dc-6f3eaa88a290/visuel-article-14-600.webp","https://static.dastra.eu/content/b981d117-d398-4d51-b3dc-6f3eaa88a290/visuel-article-14-300.webp","https://static.dastra.eu/content/b981d117-d398-4d51-b3dc-6f3eaa88a290/visuel-article-14-100.webp",59848]