What is the DPF?

The EU-US Data Privacy Framework (DPF) is the European Commission’s July 2023 adequacy decision (and the parallel UK Extension and Swiss-US Framework) that permits transfers of personal data from the EU/EEA to certified US organisations without additional SCCs or TIAs for those specific transfers. The DPF replaces the invalidated Privacy Shield (Schrems II) and rests on US Executive Order 14086 (signals intelligence safeguards) plus the Data Protection Review Court (DPRC) remedy mechanism.

How DPF works

  • US organisation self-certifies to the US Department of Commerce.
  • Annual recertification required to maintain status.
  • Public list: the DPF list (dataprivacyframework.gov) is searchable; exporters should check it before relying on the adequacy basis for a given transfer.
  • Principles compliance: notice, choice, accountability for onward transfer, security, data integrity, access, and recourse, enforcement and liability.

Limitations

  • DPF only covers certified US organisations — non-certified vendors still need SCCs + TIA.
  • Schrems III risk: NOYB has signalled legal challenges. Exporters often maintain SCCs as “fallback” alongside DPF reliance.
  • Sensitive data: additional choice/consent obligations apply to special-category data.

For Turkish companies

Turkish companies cannot join the DPF (it is open only to US-based organisations). However, Turkish SaaS providers can ease their EU customers' compliance burden by giving priority to DPF-certified providers when selecting US vendors. The KVKK Board does not directly recognise the DPF; for a KVKK transfer to the US it applies the standard condition of explicit consent, or a written undertaking plus Board approval.

Do: verify DPF certification on the official list before relying on the adequacy basis; keep SCCs as fallback.
Don’t: assume “the vendor said they’re Privacy Shield certified” is current — Privacy Shield was invalidated in 2020.