EU-U.S. Data Privacy Framework Updated: What It Means for Medical Device Manufacturers
On 15 January 2026, the European Data Protection Board (EDPB) adopted Version 2.0 of the EU-U.S. Data Privacy Framework (DPF) FAQ for European Individuals. While the document targets individual rights, it has key implications for medical device manufacturers, particularly those relying on U.S.-based service providers or conducting transatlantic data transfers.
What is the Data Privacy Framework?
The DPF is a self-certification mechanism for U.S. companies. The European Commission considers that data transfers to certified U.S. companies offer an adequate level of protection, so no additional transfer safeguards (such as Standard Contractual Clauses, SCCs) are required.
This matters for EU manufacturers working with:
U.S.-based cloud providers (e.g. for digital health platforms)
CROs managing clinical investigations in the U.S.
Post-market surveillance tools hosted in the U.S.
Remote monitoring platforms transferring patient data
If your partner is DPF-certified, transfers can continue lawfully, but only within the scope of that certification, such as HR data or health data. You can verify certification on the official DPF list.
What Rights Do Data Subjects Have?
The updated FAQ outlines that individuals can:
Access, correct, or delete their transferred personal data
Lodge complaints via national DPAs if issues arise
Expect a response from companies within 45 days
For manufacturers, this reinforces the need for robust vendor management and contractual clarity when involving U.S.-based processors — particularly for clinical or patient data.
What Happens If There’s a Complaint?
If a complaint relates to:
HR data or companies that chose EU DPAs as their dispute mechanism → an informal panel of EU DPAs may issue binding advice to the U.S. company.
Other data types → cases may be referred to U.S. authorities such as the FTC or Department of Commerce.
This means that complaints could affect your data flows if your vendors are not managing privacy obligations properly.
What Should Manufacturers Do?
We recommend:
Check whether your U.S. service providers are DPF-certified, and whether their certification covers the data types you process.
Review and update your Article 30 Records of Processing Activities to reflect DPF reliance.
Monitor your processors’ recertification status, since DPF certification must be renewed annually.
Establish protocols for handling data subject requests, especially where clinical or health-related data are involved.
Read the official FAQ (Version 2.0, 2026).