Upwork transfers personal data from Europe to other countries, including the US, and uses Standard Contractual Clauses as the legal mechanism to make those transfers lawful.
This analysis describes what Upwork's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
For EU, UK, and Swiss users, the adequacy of the transfer mechanism directly affects whether their personal data receives the same level of protection outside Europe as it does within it. The use of SCCs requires a transfer impact assessment to be conducted and documented.
Interpretive note: The exact verbatim text could not be confirmed from the truncated document. The currency of the SCCs in use and whether a TIA has been conducted are not disclosed in the policy and would require direct inquiry to Upwork.
Upwork's privacy policy previously disclosed that it complied with the U.S. Data Privacy Framework and certified adherence to its Principles regarding how it processes personal data from EU, UK, and Swiss residents. The updated policy removes nearly all of this language, including the explicit commitment to Data Privacy Framework Principles and the statement that those Principles would govern in case of conflict with other policy terms. Users in the EU, UK, and Switzerland no longer have a clear, policy-level statement of the legal framework protecting their data when transferred to the U.S., which may reduce transparency about data protection safeguards. You may contact Upwork to request copies of the data transfer mechanism documents it uses.
View change record →The updated policy now explicitly states that Upwork complies with the U.S. Data Privacy Framework and has certified to the U.S. Department of Commerce that it adheres to DPF principles when processing personal data from EU, UK, and Swiss residents. The policy establishes that if any conflict exists between Upwork's privacy policy and DPF principles, the DPF principles will govern. This creates an explicit legal hierarchy for data protection standards applicable to residents of those jurisdictions. Users from affected regions can visit https://www.dataprivacyframework.gov/ to view Upwork's certification and learn more about the DPF program.
View change record →If you are based in the EU, UK, or Switzerland, your personal data is transferred to the United States under Standard Contractual Clauses, which are a legal safeguard but do not eliminate all privacy risks associated with US government access to data under laws such as FISA Section 702.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Monitoring
Upwork has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.— Excerpt from Upwork's Upwork Privacy Policy
REGULATORY LANDSCAPE: GDPR Chapter V governs international transfers of personal data. Following the Schrems II ruling by the Court of Justice of the EU, organizations relying on SCCs must conduct Transfer Impact Assessments to evaluate whether the destination country's legal framework undermines the protections offered by the SCCs. The EU-US Data Privacy Framework, established in 2023, offers an alternative transfer mechanism for certified US organizations, but SCCs remain commonly used. The UK GDPR has its own International Data Transfer Agreement as the UK equivalent of SCCs. GOVERNANCE EXPOSURE: Medium. The use of SCCs is a recognized and legally valid transfer mechanism, but the post-Schrems II requirement for TIAs means organizations cannot rely on SCCs alone without documented assessment. If Upwork has not conducted or cannot evidence a TIA, this creates compliance exposure for EU/EEA enterprise clients who must also assess transfers under their own GDPR obligations. JURISDICTION FLAGS: EU/EEA enterprise clients using Upwork may have independent obligations under GDPR to assess the adequacy of Upwork's transfer safeguards as part of their own controller responsibilities. UK organizations must ensure Upwork's transfer mechanism satisfies UK GDPR and ICO guidance, which may diverge from EU standards over time. Swiss users are covered by the Swiss Federal Act on Data Protection. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should request evidence of Upwork's TIA documentation and confirm which version of the SCCs is in use, as older pre-2021 SCCs are no longer valid for new processing. The DPA should specify the transfer mechanism and subprocessor locations. COMPLIANCE CONSIDERATIONS: EU/EEA compliance teams should obtain a copy of Upwork's DPA and confirm the SCCs are the 2021 European Commission standard contractual clauses. A TIA should be documented in the vendor assessment record. Any changes to Upwork's subprocessor locations should trigger a review of the transfer chain.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
For EU, UK, and Swiss users, the adequacy of the transfer mechanism directly affects whether their personal data receives the same level of protection outside Europe as it does within it. The use of SCCs requires a transfer impact assessment to be conducted and documented.
If you are based in the EU, UK, or Switzerland, your personal data is transferred to the United States under Standard Contractual Clauses, which are a legal safeguard but do not eliminate all privacy risks associated with US government access to data under laws such as FISA Section 702.
ConductAtlas has identified this type of provision across 11 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Upwork.