April 16, 2024

How should companies self-certify under the EU-US Data Privacy Framework (DPF)

If you are a US-based company serving or targeting customers in Europe, or processing GDPR-regulated data, and you are not DPF certified, this article is for you.

The Data Privacy Framework (DPF) self-certification is becoming a necessary badge of compliance for US-based companies with European customers or those undertaking data processing activities. Some companies may find that potential clients will not work with them until they have become DPF self-certified. Even if you haven’t encountered this, it’s a good idea to get a DPF certification to reduce barriers to winning future clients and to ensure you operate compliantly. There are also several other benefits to holding a DPF certification, which we explore in this article.

Dive in to discover the steps that go into the DPF certification process, and learn more about why, when, and how you should self-certify under the EU-US Data Privacy Framework.

This guide is brought to you by privacy specialist Anna Naumchuk, who is part of the Legal Nodes privacy team. Legal Nodes is a legal platform for tech companies operating globally. We help startups establish and maintain legal structures in 20+ countries, including assisting with their privacy compliance obligations across the globe. We've helped many tech companies, like SpatialChat, to solve their privacy needs.

Disclaimer: none of this information should be considered as legal, tax, or investment advice.

What is the Data Privacy Framework?

The Data Privacy Framework (DPF) is essentially a data transfer mechanism that enables companies to lawfully and securely transfer personal data between Europe and the US. Think of it as a bridge between two companies that is dedicated to ensuring the safe and legal transfer of personal data.

A data transfer framework was initially agreed upon in 2022 by the EU and the US. However, it was only in July 2023 that they agreed upon and adopted a new adequacy decision for EU-US data flows. The DPF enables and ensures the legality of the personal data transfers from the EU or the EEA (European Economic Area), the United Kingdom, and Switzerland (hereinafter, we shall collectively refer to these countries as Europe). Under this new decision, participating US-based companies can now use the DPF mechanism. This move aims to make the US a safe and trusted country for personal data flows between itself and Europe.

What does joining the DPF mean for US-based companies?

Joining the DPF Program gives US companies certainty and regulatory compliance with the requirements of the GDPR. It gives the customers of DPF-certified US companies confidence, and builds their trust, that their data is being handled legally and compliantly. In addition, it eases some administrative burdens on US companies, as the DPF requires much less paperwork to demonstrate compliance. To sum up: the DPF is both a trust signal for customers and a convenient way for companies to demonstrate compliance and to operate compliantly.

At the time of writing this article, there were already 2,713 active participants in the DPF program according to the DPF List. This number is constantly growing.

To participate in the DPF Program, a US-based organization is required to self-certify to the International Trade Administration within the US Department of Commerce and publicly commit itself to comply with the DPF Principles.

There are certain steps that must be taken to obtain DPF certification, which we examine closely below.

In order to maintain the administration and oversight of the DPF Program, participating organizations must pay annual fees. The fees are calculated using a tiered system that takes into account the annual revenue of the company.

For more information on the background and perspectives associated with DPF, read Legal Nodes’ article “EU-US Data Privacy Framework receives final approval from the European Commission”.

Why should US-based companies certify under the EU-US DPF?

The benefits of the EU-US DPF self-certification for US-based companies with clients in the EU are undeniable:

  • Certainty: DPF certification allows for the unobstructed flow of personal data to the USA.
  • Regulatory compliance: implementation of the DPF program will help a US-based company meet its obligations under the GDPR.
  • Customer trust: if a US-based company is not certified, it may lose potential or even existing customers. Equally, a certified company is more likely to land deals with big customers compared to its uncertified competitors.
  • Customers’ privacy: by certifying under the DPF program, a US-based company signals to its customers that their privacy is a top priority.
  • Less paperwork: the DPF does not rely on the other popular transfer method, the Standard Contractual Clauses (SCCs). As a result, DPF certified companies do not need to conduct a Transfer Impact Assessment or sign SCCs.
  • Ease of demonstrating compliance: DPF-certified companies are listed in the publicly available DPF List, where potential clients can review them.

How to obtain DPF certification

In this section, we will explore the DPF certification process, and look at the initial costs and the ongoing annual recertification requirements.

What does the DPF certification process look like?

In short, to obtain DPF certification, a company has to adapt its privacy practices to the requirements of the DPF Program, pay the required fees, apply online, and commit to complying with the DPF Principles.

To give a better picture of this journey, the following breakdown provides step-by-step instructions on the DPF certification process:

Stage 1. Preparing and submitting the DPF self-certification

Time estimate: 2-3 weeks

  1. Develop a DPF-compliant Privacy Notice
  2. Engage an independent recourse mechanism (IRM) provider
  3. Verify your DPF compliance through self-assessment or outside compliance review
  4. Designate a person responsible for DPF compliance
  5. Pay self-certification fees
  6. Submit the DPF self-certification via the DPF website

Stage 2. Awaiting approval

Time estimate: 2-3 weeks

  1. The DPF team will consider your DPF self-certification and make a decision
  2. If approved, the DPF team will send you an email and list your company in the DPF List

Stage 3. Post-certification

Time estimate: 1-2 days

  1. Make changes to your company’s public documents regarding the DPF certification
  2. Communicate with your company’s business clients and users about the DPF certification

Overall, the DPF certification process takes approximately 4-6 weeks to complete.

How much does a DPF certification cost?

There is no fixed total cost for DPF certification, as some of the costs depend on a company’s unique circumstances.

The exact amount of the obligatory annual payments depends on:

  • the chosen DPF frameworks, that is, whether a company wants to be certified under EU-US DPF (including the UK Extension, if applicable), Swiss-US DPF, or both of them; and
  • the company’s annual revenue.

The obligatory annual payments are as follows*:

  • Arbitration fee
  • IRM provider fee
  • EU DPA panel fee (an alternative to IRM provider fee) – $50 (fixed fee)
  • DPF certification processing fee

*All obligatory annual payments are to be paid again when recertifying in 1 year.

Example costs for DPF certification

To give you an idea of what costs may look like, here’s an example:

The final amount of $5,000 excludes legal and consultancy fees, which can vary greatly. If you would like an estimate of the cost of self-certifying your company, contact us by booking a call.

What is the annual DPF recertification process and how much does it cost?

DPF certification is valid for 1 year. If a company wants to extend its DPF certification for another year (and continue to be listed on the DPF List), it has to recertify under the DPF Program and demonstrate its ongoing compliance with the DPF Principles.

The recertification process follows the same procedure as the initial DPF self-certification, but it is typically much quicker. The obligatory annual fees are determined using the same schedule as the initial DPF certification fees.

Is the DPF self-certification worth it?

Certification under the DPF is a great solution for US-based companies that want to lawfully transfer personal data from Europe. DPF certification brings various benefits, such as GDPR compliance, increased customer trust, and a less burdensome process for data transfer compliance.

At first glance, DPF certification might seem a little complex, but don’t be put off by this. With the right support and proper planning, the DPF certification process can be straightforward and pitfall-free. Companies that are ready to invest in robust compliance measures need to devote only a little time to enjoy the considerable benefits that DPF certification can bring.

Discover quick and efficient DPF self-certification support from Legal Nodes

At Legal Nodes, we’re well-positioned to support tech companies with their self-certification. We can help you gather all the necessary documents and prepare your submission via the DPF certification website.

To start your DPF certification journey, just follow these steps:

  • Book a call with a Legal Nodes expert
  • Discuss your company’s needs (whether you need the EU-US DPF (including the UK Extension), the Swiss-US DPF, or both)
  • Undergo the DPF certification process (as described above)
  • Make all the required annual payments
  • Get certified under the DPF Program

We’ve already helped tech companies to secure new clients with their new DPF certification. Get started by booking a call with a friendly privacy expert today.

Anna is a Privacy Associate at Legal Nodes. With a background in startup and IT law, she combines this experience with her work in privacy and data protection. Anna is passionate about music and exploring the world. She lived in Finland for 6 years while studying there and has visited 20+ countries.