Upwork removed detailed language about its compliance with the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework, which previously explained how it handles personal data from EU, UK, and Swiss residents. The updated policy now contains only a single sentence directing users to contact Upwork if they want to see data transfer mechanism documents. This change simplifies the privacy notice but removes specific commitments about how cross-border data transfers are governed.
The updated policy no longer explicitly commits to treating EU, UK, and Swiss residents' data according to Data Privacy Framework Principles or describes Upwork's certification status with the U.S. Department of Commerce. This removes transparency about the legal mechanism protecting cross-border data transfers for affected users. The policy retains a right to request data transfer documents by contacting Upwork, but no longer explains what frameworks or certifications apply.
The removal of Data Privacy Framework language eliminates transparent commitments about how Upwork handles personal data transfers from regulated jurisdictions. For individual users and enterprises, this creates ambiguity about the legal mechanism protecting cross-border transfers and may require verification of the current transfer arrangement.
→ If you are an EU, UK, or Swiss resident, contact Upwork to request copies of the data transfer mechanism documents to understand how your personal data is currently protected in cross-border transfers.
→ If your organization uses Upwork and processes personal data from EU, UK, or Swiss residents, request written confirmation from Upwork of the legal basis and mechanism for cross-border data transfers.
→ You will not receive transparent disclosure about the legal framework protecting your personal data in cross-border transfers.
→ Your organization may discover misalignment between its own privacy notices (which may cite Upwork's DPF reliance) and Upwork's current policy, creating compliance risk.
→ If you do not verify Upwork's current transfer mechanism, you may unknowingly rely on a framework that is no longer explicitly asserted.
Deleted explicit statements that Upwork certifies to U.S. Department of Commerce compliance with EU-U.S. DPF and Swiss-U.S. DPF Principles for cross-border personal data transfers.
Policy now directs users to contact Upwork to exercise legal rights to see data transfer mechanism documents, but no longer specifies which frameworks those documents reference.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Upwork no longer explicitly commits to treating EU, UK, and Swiss residents' data under Data Privacy Framework principles, which may affect how enterprises document their reliance on DPF for cross-border transfers involving Upwork.
Upwork removed substantive Data Privacy Framework (DPF) compliance language while retaining a narrow contact mechanism for requesting data transfer documents. This change affects how the company represents its cross-border data transfer compliance to EU, UK, and Swiss residents. Organizations with Upwork in their vendor stack may need to reassess how Upwork's updated privacy notice aligns with their own data processing agreements, standard contractual clauses (SCCs), or DPF reliance statements. The removal does not necessarily indicate that DPF compliance has changed operationally, but it eliminates explicit contractual assertions about certification and framework adherence that may be referenced in existing vendor contracts or privacy impact assessments.
GDPR (Chapter 5, Articles 44-49 on international data transfers); UK Data Protection Act 2018 (Part 2 on international transfers); Swiss Federal Data Protection Act (Chapter 6 on cross-border transfers); Data Privacy Framework regulations (U.S. Department of Commerce); potential FTC Act Section 5 unfair or deceptive practices implications if removal of DPF language affects accuracy of vendor representations to enterprise customers.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001512.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherUpwork removed detailed language about its compliance with the U.S. Data Privacy Framework (a legal mechanism for transferring personal data …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.