EU PSD2 — Payment Services Directive (Directive (EU) 2015/2366)

Why it Matters

The EU-US Data Privacy Framework enables organizations to lawfullytransfer personal data while addressing complex regulatory andprivacy requirements.

Key benefits include:

• Support cross-border data transfers

Facilitatecompliant movement of personal data between the EU and US whilereducing operational barriers.

• Enhance regulatory alignment

Demonstrateadherence to GDPR and European data protection standards, improvingtrust with regulators and customers.

• Strengthen data protection practices

Institute robustprocedures and controls for protecting EU-origin personal data withinUS-based organizations.

• Increase audit readiness

Maintaindocumentation and safeguards required for external reviews,investigations, or compliance audits.

• Promote accountability and transparency

Require clearprivacy policies and defined dispute resolution mechanisms, fosteringresponsible data management across the organization.

How it Works

The EU-US Data Privacy Framework (DPF) is structured around a set ofprivacy principles derived from the EU’s General Data ProtectionRegulation (GDPR) and aligned with U.S. regulatory requirements.These core principles—notice, choice, accountability for onwardtransfer, security, data integrity, access, and recourse—serve asthe foundation for data protection obligations and cross-border datatransfers. The framework provides a lifecycle approach to personaldata management, with specific requirements for security safeguardsand governance processes to ensure compliance throughout anorganization’s operations.

In practice, organizations implementing the DPF self-certify theircommitment to the framework’s principles and maintain activeoversight to ensure ongoing adherence. Typical activities includeestablishing governance programs around privacy, performing riskassessments for data transfers, deploying technical andorganizational security controls, and managing processes for datasubject access and redress. Organizations also conduct regularreviews and compliance assessments to verify that data handlingpractices align with DPF requirements and support regulatorycompliance across global operations.

Using SmartSuite, organizations operationalize the EU-US Data PrivacyFramework by leveraging capabilities such as centralized controllibraries for DPF principles, risk registers for privacy riskmanagement, and policy governance modules. The platform supportsevidence collection for compliance, facilitates monitoring, andprovides dashboards for tracking data protection activities. Auditreadiness, remediation workflows, and comprehensive reporting enableorganizations to meet documentation, monitoring, and regulatorycompliance obligations efficiently.

Key Elements

• Privacy Principle Categories

Organizesrequirements into core domains including notice, choice,accountability, security, integrity, access, and recourse.

• Self-Certification Mechanism

Specifies anannual process for organizations to attest public compliance withframework principles.

• Independent Recourse Processes

Establishesstructured avenues for individuals to seek resolution of data privacycomplaints.

• Onward Transfer Accountability

Describesnecessary controls for managing data sharing with third parties underthe framework.

• Security and Safeguards Domain

Definesexpectations for protecting personal data using appropriate technicaland organizational measures.

• Oversight and Enforcement Structure

Outlinesgovernment and independent oversight methods used to ensurecompliance and address violations.

Framework Scope

The EU-US Data Privacy Framework (DPF) applies to entitiestransferring personal data from the EU to the US, including serviceproviders, multinational organizations, and compliance teams.Governing personal data processing systems and cross-bordertransfers, the DPF is typically implemented when meeting regulatoryobligations, managing privacy risks, or supporting certification andinternational data protection programs.

Framework Objectives

The EU-US Data Privacy Framework (DPF) aims to enable secure andcompliant transatlantic data transfers while upholding strong dataprotection standards.

Safeguard personal data in cross-border transfers between the EU andUS

Strengthen privacy governance and accountability for participatingorganizations

Support compliance with EU data protection laws and regulatoryexpectations

Enhance security controls to reduce cybersecurity and privacy-relatedrisks

Promote effective risk management in international data processingoperations

Improve operational resilience and audit readiness through documentedprivacy practices The EU‑US Data Privacy Framework (DPF)complements mechanisms such as EU Standard Contractual Clauses,Binding Corporate Rules and the Swiss‑U.S. Data PrivacyFramework by enabling lawful transatlantic personal data transfersunder U.S. safeguards. Organizations implement DPF for regulatorycompliance, certification/self‑certification, contractualtransfer needs, and to demonstrate governance and operational privacycontrols.

Framework in Context

The EU‑US DataPrivacy Framework (DPF) complements mechanisms such as EU StandardContractual Clauses, Binding Corporate Rules and the Swiss‑U.S.Data Privacy Framework by enabling lawful transatlantic personal datatransfers under U.S. safeguards. Organizations implement DPF forregulatory compliance, certification/self‑certification,contractual transfer needs, and to demonstrate governance andoperational privacy controls.

Common Framework Mappings

Organizations map the EU‑US Data Privacy Framework to otherdata protection and transfer mechanisms to ensure consistentcross‑border compliance, streamline controls, and meet diverseregulatory and contractual obligations.

Mapped frameworks include:

APEC Cross-Border Privacy Rules (CBPR) System

Binding Corporate Rules (BCRs)

California Consumer Privacy Act (CCPA) / California Privacy RightsAct (CPRA)

EU Standard Contractual Clauses (SCCs)

General Data Protection Regulation (GDPR)

ISO/IEC 27701

Swiss‑U.S. Data Privacy Framework

UK International Data Transfer Agreement (IDTA)

‍