Data Privacy Framework (DPF)

EU-US adequacy decision since July 2023 — successor to the Privacy Shield

Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.

TL;DR

The EU-US Data Privacy Framework (DPF), in force since 10 July 2023 under Commission Decision (EU) 2023/1795, enables transfers of personal data to certified US companies without SCCs. It replaces the Privacy Shield, which was invalidated by Schrems II. The DPF was upheld by the General Court in judgment T-553/23 of September 2025; a Schrems III action is pending before the CJEU.

What is the Data Privacy Framework (DPF)?

How the DPF works:

Current list of certified companies: dataprivacyframework.gov. As of April 2026: approximately 3,500 companies, including 95% of relevant cloud providers (Microsoft, Google, Amazon, Salesforce, etc.).

Practical example

Practical implications:

- Microsoft 365 (Microsoft Inc. DPF-certified): data transfer possible without SCCs
- Mailchimp (Intuit Inc. DPF-certified): simplified newsletter distribution
- Zoom: DPF-certified, but with sectoral restrictions (public authorities and hospitals use alternative solutions)

Frequently asked questions

Do I still need SCCs if the DPF applies?
No, provided that the US company is DPF-certified. Common practice: a dual track (DPF + SCCs) for stability in case of a possible Schrems III ruling.
How do I verify DPF certification?
Through the list at dataprivacyframework.gov. Status 'Active' = currently certified. 'Inactive' = not certified or no longer certified.
What happens with Schrems III?
If the CJEU strikes down the DPF (the General Court upheld it in T-553/23, but an appeal is possible): SCCs plus a TIA become mandatory again. Strategy: keep SCCs available as a backup safeguard.
