Upwork transfers personal data from Europe to other countries, including the US, and uses Standard Contractual Clauses as the legal mechanism to make those transfers lawful.
This analysis describes what Upwork's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
For EU, UK, and Swiss users, the adequacy of the transfer mechanism directly affects whether their personal data receives the same level of protection outside Europe as it does within it. The use of SCCs requires a transfer impact assessment to be conducted and documented.
Interpretive note: The exact verbatim text could not be confirmed from the truncated document. The currency of the SCCs in use and whether a TIA has been conducted are not disclosed in the policy and would require direct inquiry to Upwork.
Upwork's privacy policy previously disclosed that it complied with the U.S. Data Privacy Framework and certified adherence to its Principles regarding how it processes personal data from EU, UK, and …
If you are based in the EU, UK, or Switzerland, your personal data is transferred to the United States under Standard Contractual Clauses, which are a legal safeguard but do not eliminate all privacy risks associated with US government access to data under laws such as FISA Section 702.
How other platforms handle this
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
We may transfer, process, and store all personal information we collect anywhere in the world. Different countries have different data protection laws. If we transfer personal information from the European Economic Area, Switzerland, Brazil and/or the United Kingdom to a country that does not provid...
When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been found to provide an adequate level of protection under applicable law, we take steps to provide appropriate safeguards, including through the use of Standard Contract...
Monitoring
Upwork has changed this document before.
"When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected." — Excerpt from Upwork's Privacy Policy
REGULATORY LANDSCAPE: GDPR Chapter V governs international transfers of personal data. Following the Schrems II ruling by the Court of Justice of the EU, organizations relying on SCCs must conduct Transfer Impact Assessments to evaluate whether the destination country's legal framework undermines the protections offered by the SCCs. The EU-US Data Privacy Framework, established in 2023, offers an alternative transfer mechanism for certified US organizations, but SCCs remain commonly used. The UK GDPR has its own International Data Transfer Agreement as the UK equivalent of SCCs.
GOVERNANCE EXPOSURE: Medium. The use of SCCs is a recognized and legally valid transfer mechanism, but the post-Schrems II requirement for TIAs means organizations cannot rely on SCCs alone without documented assessment. If Upwork has not conducted or cannot evidence a TIA, this creates compliance exposure for EU/EEA enterprise clients who must also assess transfers under their own GDPR obligations.
JURISDICTION FLAGS: EU/EEA enterprise clients using Upwork may have independent obligations under GDPR to assess the adequacy of Upwork's transfer safeguards as part of their own controller responsibilities. UK organizations must ensure Upwork's transfer mechanism satisfies UK GDPR and ICO guidance, which may diverge from EU standards over time. Swiss users are covered by the Swiss Federal Act on Data Protection.
CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should request evidence of Upwork's TIA documentation and confirm which version of the SCCs is in use, as older pre-2021 SCCs are no longer valid for new processing. The DPA should specify the transfer mechanism and subprocessor locations.
COMPLIANCE CONSIDERATIONS: EU/EEA compliance teams should obtain a copy of Upwork's DPA and confirm the SCCs are the 2021 European Commission standard contractual clauses. A TIA should be documented in the vendor assessment record. Any changes to Upwork's subprocessor locations should trigger a review of the transfer chain.
ConductAtlas has identified this type of provision across 11 platforms.
ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Upwork.