US Data Privacy Framework v2023
US-EU Data Privacy Framework
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
I — Overview (1 principles)
II — Principles (40 principles)
II Privacy Principles
II.1 Notice
II.1.a Notice Requirements
II.1.a.i DPF Participation Disclosure
II.1.a.ii Types of Personal Data Collected
II.1.a.iii Commitment to Apply Principles
II.1.a.iv Purposes of Collection and Use
II.1.a.v Contact Information for Inquiries
II.1.a.vi Third-Party Disclosure
II.1.a.vii Right of Access
II.1.a.viii Choices for Limiting Use and Disclosure
II.1.a.ix Independent Dispute Resolution Body
II.1.a.x Enforcement Jurisdiction
II.1.a.xi Binding Arbitration Option
II.1.a.xii Lawful Disclosure Requirements
II.1.a.xiii Onward Transfer Liability
II.1.b Timing of Notice
II.2 Choice
II.2.a Opt-Out Choice for Disclosure and New Purposes
II.2.b Agent Exception to Choice
II.2.c Sensitive Information Opt-In Consent
II.3 Accountability for Onward Transfer
II.3.a Transfers to Third-Party Controllers
II.3.b Transfers to Third-Party Agents
II.4 Security
II.4.a Reasonable Security Measures
II.5 Data Integrity and Purpose Limitation
II.5.a Relevance and Accuracy Requirements
II.5.b Data Retention Limitations
II.6 Access
II.6.a Individual Right of Access
II.7 Recourse, Enforcement and Liability
II.7.a Minimum Compliance Mechanisms
II.7.a.i Independent Recourse Mechanisms
II.7.a.ii Verification Procedures
II.7.a.iii Remediation and Sanctions
II.7.b Response to Department and DPA Inquiries
II.7.c Binding Arbitration Obligation
II.7.d Onward Transfer Liability
II.7.e Public Compliance Reporting
III — Supplemental Principles (173 principles)
III Supplemental Principles
III.1 Sensitive Data
III.1.a Exceptions to Opt-In for Sensitive Data
III.1.a.i Vital Interests
III.1.a.ii Legal Claims or Defenses
III.1.a.iii Medical Care or Diagnosis
III.1.a.iv Non-Profit Body Legitimate Activities
III.1.a.v Employment Law Obligations
III.1.a.vi Manifestly Public Data
III.2 Journalistic Exceptions
III.2.a First Amendment Protections
III.2.b Journalistic Material Exemption
III.3 Secondary Liability
III.3.a ISP and Carrier Liability Exemption
III.4 Due Diligence and Audit Exception
III.4.a Auditor and Investment Banker Activities
III.4.b Audit and Merger Due Diligence
III.5 Role of the Data Protection Authorities
III.5.a DPA Cooperation Framework
III.5.b DPA Cooperation Declaration
III.5.b.i Election to Cooperate with DPAs
III.5.b.ii DPA Investigation Cooperation
III.5.b.iii Compliance with DPA Advice
III.5.c Operation of DPA Panels
III.5.c.i DPA Panel Advice Delivery
III.5.c.i.1 EU-Level Informal DPA Panel
III.5.c.i.2 DPA Panel Complaint Advisory Role
III.5.c.i.3 DPA Panel Complaint Handling Process
III.5.c.i.4 Due Process and Timeframes
III.5.c.i.5 Public Disclosure of Results
III.5.c.i.6 DPA Panel Liability Limitation
III.5.c.ii Enforcement of DPA Panel Advice
III.5.d Human Resources Data and DPA Cooperation
III.5.e Annual DPA Cooperation Fee
III.6 Self-Certification
III.6.a Data Privacy Framework List and Certification Status
III.6.b Self-Certification Submission Requirements
III.6.b.i Organization Name and Covered Entities
III.6.b.ii Description of Data Activities
III.6.b.iii Privacy Policy Description
III.6.b.iii.1 Privacy Policy Availability
III.6.b.iii.2 Privacy Policy Effective Date
III.6.b.iv Complaint Contact Office
III.6.b.iv.1 Contact Person Details
III.6.b.iv.2 U.S. Mailing Address
III.6.b.v Statutory Body Jurisdiction
III.6.b.vi Privacy Program Membership
III.6.b.vii Verification Method
III.6.b.viii Independent Recourse Mechanism
III.6.c Human Resources Information Coverage
III.6.d Data Privacy Framework List Maintenance
III.6.e Immediate Application and Transition
III.6.f Continued Application and Withdrawal
III.6.g Change in Corporate Status
III.6.h Post-Withdrawal Obligations
III.7 Verification
III.7.a Verification Requirement
III.7.b Self-Assessment or Outside Review
III.7.c Self-Assessment Requirements
III.7.d Outside Compliance Review Requirements
III.7.e Record Retention and Cooperation
III.8 Access
III.8.a Access Principle in Practice
III.8.a.i Fundamental Right of Access
III.8.a.i.1 Confirmation of Data Processing
III.8.a.i.2 Communication of Personal Data
III.8.a.i.3 Correction, Amendment, or Deletion
III.8.a.iii Good Faith Efforts to Provide Access
III.8.b Burden or Expense of Providing Access
III.8.b.i Proportionality of Access Restrictions
III.8.b.ii Sensitivity-Based Access Obligations
III.8.c Confidential Commercial Information
III.8.c.i Commercial Information Access Limitations
III.8.c.ii Redaction of Commercial Information
III.8.d Organization of Data Bases
III.8.d.i Disclosure vs. Direct Database Access
III.8.d.ii Scope of Access Obligation
III.8.e When Access May be Restricted
III.8.e.i Grounds for Access Restriction
III.8.e.i.1 Law Enforcement Interference
III.8.e.i.2 Third-Party Rights Violation
III.8.e.i.3 Professional Privilege or Obligation
III.8.e.i.4 Employee Investigation or Succession
III.8.e.i.5 Monitoring and Regulatory Functions
III.8.e.ii Burden of Demonstrating Exception
III.8.f Right to Obtain Confirmation and Fees
III.8.f.i Right to Confirmation and Data Communication
III.8.f.ii Justified Fee Circumstances
III.8.f.iii Access Despite Cost
III.8.g Repetitious or Vexatious Requests
III.8.g.i Reasonable Access Request Limits
III.8.h Fraudulent Requests for Access
III.8.h.i Identity Verification for Access
III.8.i Timeframe for Responses
III.8.i.i Reasonable Response Timeframe
III.9 Human Resources Data
III.9.a Coverage by the EU-U.S. DPF
III.9.a.i Employment Data Transfer Benefits
III.9.a.ii Aggregate and Anonymized Data Exception
III.9.b Application of the Notice and Choice Principles
III.9.b.i Non-Employment Use Requires Choice
III.9.b.ii Member State Transfer Conditions
III.9.b.iii Accommodating Employee Privacy Preferences
III.9.b.iv Employment Decision Exception
III.9.c Application of the Access Principle
III.9.c.i Employee Access to HR Data
III.9.d Enforcement
III.9.d.i DPA Jurisdiction for Employee Complaints
III.9.d.ii Commitment to DPA Cooperation for HR Data
III.9.e Application of the Accountability for Onward Transfer Principle
III.9.e.i Occasional Employment Operational Transfers
III.10 Obligatory Contracts for Onward Transfers
III.10.a Data Processing Contracts
III.10.a.i Processing-Only Transfer Contract Requirement
III.10.a.ii EU Controller Contract Obligations
III.10.a.ii.1 Act Only on Controller Instructions
III.10.a.ii.2 Technical and Organizational Measures
III.10.a.ii.3 Assist Controller with Individual Rights
III.10.a.iii No Prior Authorization for Participating Processors
III.10.b Transfers within a Controlled Group
III.10.b.i Intra-Group Transfer Instruments
III.10.c Transfers between Controllers
III.10.c.i Controller-to-Controller Transfer Requirements
III.11 Dispute Resolution and Enforcement
III.11.a Independent Recourse Mechanism Options
III.11.b Additional Enforcement Mechanisms
III.11.c Department Information Requests
III.11.d Recourse Mechanisms
III.11.d.i Complaint Handling and Dispute Resolution Requirements
III.11.d.ii Public Website Requirements for Recourse Mechanisms
III.11.d.iii Annual Reporting Requirements
III.11.d.iv Binding Arbitration for Residual Claims
III.11.e Remedies and Sanctions
III.11.e.i Remedy and Sanction Requirements
III.11.f FTC Action
III.11.f.i FTC Priority Review of Referrals
III.11.g Persistent Failure to Comply
III.11.g.i Removal from Data Privacy Framework List
III.11.g.ii Definition of Persistent Failure
III.11.g.iii List Removal Process
III.11.g.iv Requalification Information Disclosure
III.12 Choice - Timing of Opt Out
III.12.a Direct Marketing Opt-Out
III.12.b Impracticable Prior Opt-Out
III.13 Travel Information
III.13.a Travel Data Transfer Under the DPF
III.14 Pharmaceutical and Medical Products
III.14.a Application of EU/Member State Laws or the Principles
III.14.a.i Pre-Transfer and Post-Transfer Law Application
III.14.b Future Scientific Research
III.14.b.i Reuse of Research Data
III.14.b.ii Unanticipated Research Uses
III.14.c Withdrawal from a Clinical Trial
III.14.c.i Data Retention After Withdrawal
III.14.d Transfers for Regulatory and Supervision Purposes
III.14.d.i Regulatory Data Transfers
III.14.e Blinded Studies
III.14.e.i Access Restrictions During Blinded Studies
III.14.e.ii Post-Trial Access
III.14.f Product Safety and Efficacy Monitoring
III.14.f.i Product Safety Monitoring Exemption
III.14.g Key-coded Data
III.14.g.i Key-coded Research Data
III.15 Public Record and Publicly Available Information
III.15.a Principles Applicable to Public Data
III.15.b Public Record Information Exceptions
III.15.c Intentional Public Disclosure Prohibition
III.15.d Access to Public Record Information
III.15.e Access to Publicly Available Information
III.16 Access Requests by Public Authorities
III.16.a Voluntary Transparency Reports
III.16.b Transparency in Periodic Joint Review
III.16.c Lawful Disclosure Without Notice