Olender Feldman LLP Practice intelligence · current as of Jun 21, 2026

Practice: GDPR

EDPB FAQ on Data Privacy Framework — Verification and Onward-Transfer Flow-Down Obligations (January 2026)

Shift · EU · Jan 15, 2026 · guidance

What the law is now

EU personal data may flow to a DPF-certified U.S. organization without an additional Chapter V safeguard, provided the certification is active, covers the data type in question, and covers the specific entity receiving the data. Once data lawfully reaches the certified U.S. importer, onward transfers to third parties are governed by the DPF's Accountability for Onward Transfer Principle: the importer remains accountable down the chain and must contract for the same level of protection, with SCCs or BCRs required only where the downstream recipient is not itself DPF-certified or falls outside certified scope. Article 28 processing terms, Article 32 security obligations, and records requirements continue to apply regardless of DPF participation.

What just shifted

What this adds: The EDPB's January 2026 FAQ tightened certification verification requirements and confirmed that onward-transfer flow-down obligations apply under the DPF Principles — meaning the certified importer cannot treat certification as the end of its compliance analysis. The FAQ also addressed HR data (treated distinctly under DPF) and positioned SCCs and BCRs as the route for recipients that are not, or are no longer, certified. [UNVERIFIED — pending retrieval of FAQ primary text to confirm exact scope of each point.]

What this puts in question: Whether existing data processing agreements and privacy notices accurately reflect the flow-down obligation — specifically, whether sub-processor terms require the same level of DPF protection or an independent transfer mechanism where the sub-processor is not itself certified.

What clients should weigh

· Have you confirmed that each sub-processor or vendor receiving EU-origin data is either independently DPF-certified (for the relevant data type and entity) or covered by SCCs — and is that confirmation documented?
· Do your data processing agreements and privacy notices reflect the flow-down obligation under the DPF Principles, or do they describe DPF as covering downstream flows without specifying the mechanism?
· If you receive EU HR data, have you verified that your DPF certification expressly covers HR data? Certification for commercial data does not automatically extend to HR data.
· This guidance addresses the transfer-mechanism and flow-down question. It does not change the legal basis for the primary EEA-to-US transfer under the DPF adequacy decision, and it does not affect Article 28, Article 32, or records obligations, which apply regardless.

Watch for

· EDPB FAQ primary text — confirm permalink and exact scope of each point [UNVERIFIED]

· UK adequacy bridge for DPF

· New SCC module for AI processor relationships

This corpus reflects one attorney's personal review. It is not a comprehensive survey. Verify scope and currency before relying on it for any matter.