D&B has obtained certifications under multiple international data transfer frameworks, including the current EU-U.S. Data Privacy Framework, meaning personal data can flow from the EU, UK, and Switzerland to D&B's U.S. operations under these recognized legal mechanisms.
This analysis describes what Dun & Bradstreet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These certifications are the legal basis on which D&B transfers personal data from the EU, UK, and Switzerland to the United States; if a certification lapses or is challenged, the lawfulness of those transfers could be called into question.
For EU, UK, and Swiss individuals whose data is processed by D&B, these certifications provide the legal mechanism for data being sent to or processed in the U.S. The EU-U.S. DPF replaced the invalidated Privacy Shield and is currently recognized under EU law, though its long-term legal stability has been subject to ongoing political and legal debate.
How other platforms handle this
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Dun & Bradstreet has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Since 2016, we have upheld multilateral standards to provide assurance for how we manage our cross-border privacy and data protection obligations and to support our certifications under the following frameworks recognized by regulators: EU-U.S. Privacy Shield (2016), Swiss-U.S. Privacy Shield (2017), EU-U.S. Data Privacy Framework (2023), Swiss-U.S. Data Privacy Framework (2023), UK Extension to EU-U.S. Data Privacy Framework (2023), APEC Cross-Border Privacy Rules System (2023), TRUSTe Responsible AI Certification (2024), Global Cross Border Privacy Rules (CBPR) (2025)— Excerpt from Dun & Bradstreet's D&B Privacy Policy
REGULATORY LANDSCAPE: The EU-U.S. Data Privacy Framework is the primary legal mechanism for EU-to-U.S. personal data transfers and operates under the European Commission's adequacy decision. The Swiss-U.S. DPF operates under Swiss FADP requirements. The UK Extension to the EU-U.S. DPF is recognized under UK GDPR adequacy arrangements. APEC CBPR and Global CBPR certifications provide assurance for Asia-Pacific and broader cross-border transfers. The FTC is the primary U.S. enforcement authority for DPF compliance. European Data Protection Authorities retain oversight authority for EU data subjects. GOVERNANCE EXPOSURE: Medium. The current EU-U.S. DPF is legally operative, but its political and legal durability has been subject to scrutiny in EU institutions. Organizations relying on D&B's DPF certification as the sole transfer mechanism should maintain supplementary safeguards (standard contractual clauses) as a contingency. The Global CBPR certification (2025) is relatively new and its operational scope should be confirmed. JURISDICTION FLAGS: EU and EEA data subjects have the strongest standing to challenge transfer mechanisms via national data protection authorities. UK data subjects are covered by a separate extension, which itself depends on the UK-U.S. data bridge arrangement remaining in force. Swiss data subjects are covered by the Swiss-U.S. DPF, which operates under Swiss FADP rather than GDPR, creating a distinct legal framework. CONTRACT AND VENDOR IMPLICATIONS: Organizations entering data sharing agreements with D&B that involve EU, UK, or Swiss personal data should confirm which transfer mechanism applies to their specific contract and whether standard contractual clauses are available as a fallback. Due diligence should include verification of D&B's current DPF certification status via the official DPF list maintained by the U.S. Department of Commerce. COMPLIANCE CONSIDERATIONS: Compliance teams should monitor the political and judicial environment around the EU-U.S. DPF and maintain records of supplementary transfer mechanism documentation. Transfers involving Eyeota Pte. Ltd. (a Singapore-incorporated entity) may engage PDPA (Singapore) transfer restrictions in addition to GDPR, which should be assessed separately.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These certifications are the legal basis on which D&B transfers personal data from the EU, UK, and Switzerland to the United States; if a certification lapses or is challenged, the lawfulness of those transfers could be called into question.
For EU, UK, and Swiss individuals whose data is processed by D&B, these certifications provide the legal mechanism for data being sent to or processed in the U.S. The EU-U.S. DPF replaced the invalidated Privacy Shield and is currently recognized under EU law, though its long-term legal stability has been subject to ongoing political and legal debate.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Dun & Bradstreet.