Upwork removed its entire Data Privacy Framework (DPF) compliance section from its privacy policy on May 1, 2026. Previously, the policy explicitly stated that Upwork was self-certified under the U.S.-EU, U.S.-UK, and U.S.-Swiss Data Privacy Frameworks and detailed the protections those certifications provided. Now, those commitments and certifications are gone, which may reduce the formal cross-border data transfer protections that EU, UK, and Swiss users previously relied upon.
Upwork has removed explicit commitments to the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks, which previously guaranteed that your personal data transferred from Europe or Switzerland would be handled under specific enforceable principles. Without these commitments in the policy, EU, UK, and Swiss users lose the formal assurance that Upwork adheres to DPF standards and the associated redress mechanisms. You can contact Upwork directly to request copies of the data transfer mechanism documents they currently use to transfer your data to third parties, as the updated policy explicitly notes this right.
EU, UK, and Swiss users no longer have a stated policy commitment from Upwork that their data is protected under the EU-U.S. or Swiss-U.S. Data Privacy Framework rules.
Businesses that relied on Upwork's DPF certification to legally transfer EU/UK/Swiss user data to the U.S. no longer have that basis and must find a replacement legal mechanism.
+ 1 more obligation changes. Full breakdown available with Watcher.
Unlock — $9.99/mo →EU, UK, and Swiss users previously had explicit, enforceable guarantees that their personal data transferred to the U.S. would be handled under Data Privacy Framework rules — those guarantees are now absent from the policy. Without a stated replacement transfer mechanism, there is a legal question about whether Upwork's cross-border data transfers remain lawful under GDPR.
This is the 2nd significant Cross Border Transfer Change change Upwork has made since ConductAtlas began monitoring.
Across all monitored documents, Upwork has made 2 significant changes.
2 of Upwork's significant changes have been classified as negative for consumers.
Upwork removed all language confirming self-certification under the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks, eliminating this as a stated legal basis for cross-border data transfers.
The provision stating DPF Principles govern over conflicting policy terms has been deleted, removing a key enforcement protection for EU/UK/Swiss users.
Upwork's stated responsibility for third-party agent non-compliance under the DPF has been removed, potentially reducing accountability for sub-processor mishandling of European data.
ConductAtlas Policy Archive Entity: Upwork | Document: Upwork Privacy Policy | Record: CA-C-000752 Captured: 2026-05-01 06:08:11 UTC URL: https://conductatlas.com/change/2026-05-01-upwork-upwork-privacy-policy-752/ Accessed: May 2, 2026
Unlock the full analysis
14-day free trial available.
Upwork removed all Data Privacy Framework (DPF) certification language from its privacy policy effective April 30, 2026 (captured May 1, 2026). This deletion removes explicit reliance on the EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF as the legal mechanism for cross-border personal data transfers. Any organization that listed Upwork's DPF certification as the transfer basis in its own records of processing activities or vendor assessments must now identify an alternative lawful transfer mechanism (e.g., SCCs under Art. 46 GDPR). The policy no longer states that DPF Principles govern in case of conflict, eliminating a previously enforceable protection. Action is required for any controller relying on Upwork's DPF status.
1. GDPR Chapter V (cross-border transfers) — Art. 44-49: Removal of DPF reliance requires identification of an alternative transfer mechanism. Art. 46(2)(c) SCCs or Art. 47 BCRs must now be confirmed or established. Art. 13(1)(f) and Art. 14(1)(f): Controllers using Upwork must update their own privacy notices to reflect the changed transfer basis.
Compliance intelligence locked
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000752.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Unlock full diff — Watcher $9.99/moUpwork has removed its Data Privacy Framework (DPF) certification notice from its Privacy Policy, which previously explained how Upwork handled …
We monitor 200+ platforms and archive every change — verified and timestamped.