D&B has obtained certifications under multiple international data transfer frameworks, including the current EU-U.S. Data Privacy Framework, meaning personal data can flow from the EU, UK, and Switzerland to D&B's U.S. operations under these recognized legal mechanisms.
This analysis describes what Dun & Bradstreet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These certifications are the legal basis on which D&B transfers personal data from the EU, UK, and Switzerland to the United States; if a certification lapses or is challenged, the lawfulness of those transfers could be called into question.
For EU, UK, and Swiss individuals whose data is processed by D&B, these certifications provide the legal mechanism for data being sent to or processed in the U.S. The EU-U.S. DPF replaced the invalidated Privacy Shield and is currently recognized under EU law, though its long-term legal stability has been subject to ongoing political and legal debate.
How other platforms handle this
We may transfer to and process your personal information in countries outside of the jurisdiction where you are located for the various purposes described above. When required by law, we will ensure that we rely on an appropriate legal mechanism for the transfer, such as your consent, standard contr...
OpenAI is based in the United States and the information we collect is governed by U.S. law. If you are accessing our services from outside of the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities in the United States and by tho...
Where required by law, we provide adequate protection for the transfer of personal data in accordance with applicable law, such as by obtaining your consent, relying on the European Commission's adequacy decisions, or executing Standard Contractual Clauses. Where relevant, you may request a copy of ...
Monitoring
Dun & Bradstreet has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Since 2016, we have upheld multilateral standards to provide assurance for how we manage our cross-border privacy and data protection obligations and to support our certifications under the following frameworks recognized by regulators: EU-U.S. Privacy Shield (2016), Swiss-U.S. Privacy Shield (2017), EU-U.S. Data Privacy Framework (2023), Swiss-U.S. Data Privacy Framework (2023), UK Extension to EU-U.S. Data Privacy Framework (2023), APEC Cross-Border Privacy Rules System (2023), TRUSTe Responsible AI Certification (2024), Global Cross Border Privacy Rules (CBPR) (2025)— Excerpt from Dun & Bradstreet's D&B Privacy Policy
REGULATORY LANDSCAPE: The EU-U.S. Data Privacy Framework is the primary legal mechanism for EU-to-U.S. personal data transfers and operates under the European Commission's adequacy decision. The Swiss-U.S. DPF operates under Swiss FADP requirements. The UK Extension to the EU-U.S. DPF is recognized under UK GDPR adequacy arrangements. APEC CBPR and Global CBPR certifications provide assurance for Asia-Pacific and broader cross-border transfers. The FTC is the primary U.S. enforcement authority for DPF compliance. European Data Protection Authorities retain oversight authority for EU data subjects. GOVERNANCE EXPOSURE: Medium. The current EU-U.S. DPF is legally operative, but its political and legal durability has been subject to scrutiny in EU institutions. Organizations relying on D&B's DPF certification as the sole transfer mechanism should maintain supplementary safeguards (standard contractual clauses) as a contingency. The Global CBPR certification (2025) is relatively new and its operational scope should be confirmed. JURISDICTION FLAGS: EU and EEA data subjects have the strongest standing to challenge transfer mechanisms via national data protection authorities. UK data subjects are covered by a separate extension, which itself depends on the UK-U.S. data bridge arrangement remaining in force. Swiss data subjects are covered by the Swiss-U.S. DPF, which operates under Swiss FADP rather than GDPR, creating a distinct legal framework. CONTRACT AND VENDOR IMPLICATIONS: Organizations entering data sharing agreements with D&B that involve EU, UK, or Swiss personal data should confirm which transfer mechanism applies to their specific contract and whether standard contractual clauses are available as a fallback. Due diligence should include verification of D&B's current DPF certification status via the official DPF list maintained by the U.S. Department of Commerce. COMPLIANCE CONSIDERATIONS: Compliance teams should monitor the political and judicial environment around the EU-U.S. DPF and maintain records of supplementary transfer mechanism documentation. Transfers involving Eyeota Pte. Ltd. (a Singapore-incorporated entity) may engage PDPA (Singapore) transfer restrictions in addition to GDPR, which should be assessed separately.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These certifications are the legal basis on which D&B transfers personal data from the EU, UK, and Switzerland to the United States; if a certification lapses or is challenged, the lawfulness of those transfers could be called into question.
For EU, UK, and Swiss individuals whose data is processed by D&B, these certifications provide the legal mechanism for data being sent to or processed in the U.S. The EU-U.S. DPF replaced the invalidated Privacy Shield and is currently recognized under EU law, though its long-term legal stability has been subject to ongoing political and legal debate.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Dun & Bradstreet.