Upwork has removed its Data Privacy Framework (DPF) certification notice from its Privacy Policy, which previously explained how Upwork handled data transfers from the EU, UK, and Switzerland to the US under a formal US Department of Commerce program. The policy no longer states that Upwork is self-certified under the DPF or that it follows DPF Principles for EU, Swiss, and UK residents' data. This means consumers in those regions have less visibility into the specific legal mechanism Upwork uses to protect their personal data when it crosses borders.
EU, UK, and Swiss users of Upwork previously had explicit protections under the Data Privacy Framework governing how their personal data was transferred to the US, including recourse mechanisms and clear accountability rules. Those commitments have been removed from the policy as of May 1, 2026, leaving it unclear what legal basis Upwork now relies on for cross-border data transfers. You can contact Upwork directly to request information about the data transfer mechanisms currently in use for your personal data.
Upwork no longer publicly commits to following the rules that were supposed to protect your data when it moved from Europe or Switzerland to the US.
Businesses that use Upwork and had their data transfer compliance based on Upwork's DPF certification now have no stated replacement mechanism to rely on.
+ 1 more obligation changes. Full breakdown available with Watcher.
Unlock — $9.99/mo →EU, UK, and Swiss users of Upwork have lost their explicit Data Privacy Framework protections — a formal legal commitment about how their personal data is handled when sent to the US — with no named replacement mechanism disclosed. This creates uncertainty about whether their data is legally protected under GDPR during cross-border transfers.
Upwork removed all language confirming its EU-U.S., UK Extension, and Swiss-U.S. DPF self-certification, eliminating the previously stated legal basis for transatlantic data transfers.
The clause stating DPF Principles govern in any conflict with Upwork's privacy policy has been removed, weakening data subject protections.
Upwork's stated accountability for onward transfers to third-party agents under DPF rules has been removed with no replacement.
ConductAtlas Policy Archive Entity: Upwork | Document: Upwork Terms of Service | Record: CA-C-000751 Captured: 2026-05-01 06:08:04 UTC URL: https://conductatlas.com/change/2026-05-01-upwork-upwork-terms-of-service-751/ Accessed: May 2, 2026
Unlock the full analysis
14-day free trial available.
Upwork has removed all Data Privacy Framework (DPF) certification language from its Privacy Policy effective May 1, 2026, including its EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF commitments. This touches GDPR Chapter V (international transfers), UK GDPR Chapter V, and Swiss nFADP transfer requirements. If your organization relies on Upwork as a data processor and your DPA or transfer impact assessment referenced Upwork's DPF certification as the transfer mechanism, that mechanism is no longer publicly affirmed. Action is required: verify with Upwork what transfer mechanism (SCCs, BCRs, adequacy decision) now applies and update your DPA and records of processing accordingly.
1. GDPR Art. 44–49 (Chapter V) — Cross-border data transfer requirements. Removal of DPF certification language means the previously stated transfer mechanism is no longer confirmed. Organizations must identify the replacement mechanism.
Compliance intelligence locked
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000751.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Unlock full diff — Watcher $9.99/moUpwork removed its entire Data Privacy Framework (DPF) compliance section from its privacy policy on May 1, 2026. Previously, the …
We monitor 200+ platforms and archive every change — verified and timestamped.