Many organizations use American (sub)processors for cloud hosting, HR software, marketing tooling, and security monitoring. As soon as personal data leaves the European Economic Area ("EEA")—or is physically accessible from a third country (for example, for remote support)—the regime of international transfers comes into play. Until 2023, data transfer to the US in many cases meant: Standard Contractual Clauses (SCCs), a Transfer Impact Assessment (TIA), and sometimes supplementary measures. Since July 10, 2023, there has been another adequacy route: the EU-US Data Privacy Framework (DPF). Below are the legal framework and practical safeguards for the DPO.[1]
When is there a data transfer under the GDPR?
Chapter V of the General Data Protection Regulation ("GDPR") concerns "transfers of personal data to third countries or international organisations." The starting point is simple: an international transfer must not undermine the protection of data subjects. Therefore, the GDPR provides a layered set of tools. With an adequacy decision (Art. 45), the European Commission has decided that the third country or international organisation in question ensures an adequate level of protection.[2] Without an adequacy decision, transfers can be justified through "appropriate safeguards" (Art. 46), such as SCCs or Binding Corporate Rules. Finally, one could also rely on Art. 49, but this is only for the exceptional cases listed in Art. 49(1).[2]
In practice, the discussion is rarely purely geographical ("is the server in the US?"). Remote access, central management tools, or incident response outside the EEA can also mean that personal data is "transferred" to a third country. The core question is therefore: where can the data go, who can access it, and under what transfer mechanism does that flow fall?
Schrems II: why SCCs often imply a TIA
In Schrems II, the Court of Justice declared the EU-US Privacy Shield invalid and emphasized that while SCCs can be valid, they are not automatically sufficient. The data exporter must first assess whether the law and practice of the third country undermine the effectiveness of SCC protection. If there is such a risk, supplementary measures must be considered; if it is not possible to achieve an "essentially equivalent" level of protection, the transfer must be suspended or terminated.[3] This forms the legal basis for what organizations typically call a Transfer Impact Assessment ("TIA"): a documented, case-by-case assessment that accompanies transfers based on appropriate safeguards. The EDPB has elaborated on this approach in Recommendations 01/2020, including a roadmap and examples of supplementary measures.[4]
What is the EU-US Data Privacy Framework (DPF)?
The DPF is the successor to previous mechanisms for EU-US data transfers (Safe Harbor and Privacy Shield) that were struck down by judicial review. On July 10, 2023, the European Commission adopted an adequacy decision for transfers to American organizations listed on the Data Privacy Framework List.[1] The DPF operates through self-certification: organizations commit to the DPF principles and are subject to oversight and enforcement (primarily via the Federal Trade Commission or the Department of Transportation).[5] Of course, there are objections to this model, but we have to work with what we have. The EDPB has clarified that transfers to DPF-listed organizations from July 10, 2023, can be based on the adequacy decision, without Art. 46 transfer tools and without Schrems II "supplementary measures."[6] Since then, the DPF has been reviewed several times by the European Commission, the EDPB (European Data Protection Board), and the EU courts.[7][8]
DPF or SCCs: what does this mean for your data transfer?
The practical difference lies in the "article" you rely on. If your recipient genuinely falls under the DPF, the transfer is based on Art. 45 (adequacy). For that specific transfer, you do not need SCCs, and the SCC-TIA logic of Schrems II is not applicable.[6] If the recipient is not (or no longer) covered by the DPF, you revert to Art. 46 instruments (SCCs/BCRs) and thus to the Schrems II assessment question.[3]
Note two nuances that often go wrong in practice. First: the DPF is strictly "entity- and scope-based." You can only rely on it if the correct legal entity is actively certified AND the certification covers the relevant activities and data types; HR data is a classic point of attention here.[5] Second: the EDPB points out that the adequacy decision applies to transfers "from the EU/EEA"; for scenarios where a party outside the EU only falls under Art. 3(2) GDPR, this is not automatically "included."[5]
Practical advice for the DPO: what to look for, what to record?
Start with the official source: the Data Privacy Framework List of the U.S. Department of Commerce.[9] Find the vendor and verify (i) that the status is "active," (ii) the scope of the certification (including HR data where relevant), and (iii) whether the certification also covers the specific U.S. subsidiary with whom you contract or to whom the services are actually delivered.[5] The EDPB FAQ emphasizes that certifications are renewed periodically; therefore, include a DPF status check in both onboarding and renewal.[5]
Then document your choice, for example, in your record of processing activities and privacy statement(s). Furthermore, document in one paragraph that the transfer is based on Art. 45, so you can explain why you are not applying SCCs and a TIA for this flow.[6] Finally, establish a safety net. In contracts and vendor processes, it is advisable to agree that in the event of a loss or change of DPF status, there will be a timely switch to SCCs, including the associated TIA (and supplementary measures where necessary).[5]
And look through the chain. If your DPF vendor makes onward transfers to parties outside the DPF (e.g., sub-processors in other third countries), a separate transfer mechanism may still be necessary for that part.[5] The DPF does not automatically "solve" the entire chain; it is primarily a strong basis for initial transfers from the EU to the US, provided the recipient genuinely falls under the DPF.
Conclusion
The DPF can significantly simplify your process: no SCCs and no TIA requirement for transfers falling under Art. 45.[1] However, it is not a "free pass": you must demonstrably verify that the recipient is actively certified and falls within the scope, document your choice, and build in a safety net in case the status changes or the chain extends beyond the DPF.[5] If you embed this process, you, as DPO, can ensure both legal soundness and practical applicability.
References

1. European Commission, Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 … on the adequate level of protection of personal data under the EU-US Data Privacy Framework (adequacy decision). (EUR-Lex)
2. Regulation (EU) 2016/679 (GDPR), in particular Chapter V (Arts. 44–49) and Arts. 45/46. (EUR-Lex)
3. CJEU 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II), case C-311/18, ECLI:EU:C:2020:559. (curia)
4. EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Final, 18 June 2021). (edpb.europa.eu)
5. EDPB, EU-U.S. Data Privacy Framework F.A.Q. for European businesses, version 2.0 (23 January 2026). (edpb.europa.eu)
6. EDPB, Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023 (18 July 2023). (edpb.europa.eu)
7. European Commission, Report on the first periodic review of the functioning of the adequacy decision on the EU-US Data Privacy Framework (9 October 2024), and EDPB, Report on the first review … (4 November 2024). (European Commission)
8. EU General Court 3 September 2025, case T-553/23 (Latombe/Commission), press release and ruling. (curia)
9. U.S. Department of Commerce, Data Privacy Framework List (official DPF list). (dataprivacyframework.gov)