
Imagine it’s Monday. You open the laptop, take a look at your dashboards and see that the CRM, the one that boosts your sales, has released an update. “Security and privacy improvements,” the notice says. Two minutes later, the marketing team writes to you: “Can we continue to use the audiences on platform X without getting into trouble with the GDPR?” And, as if the universe wanted to complete the picture, you receive on WhatsApp the article that our partner Jorge del Valle has published in El Español: The “soap opera” of transatlantic personal data. It is not a coincidence; it is the issue that separates companies that sleep peacefully from those that live in fear.
Why now? Because the chessboard has moved
In September 2025, the General Court of the EU upheld the validity of the EU–US Data Privacy Framework (DPF), the agreement that allows personal data to be transferred from the EU to the USA with guarantees “equivalent” to those in Europe. For companies, the message is simple: there is a stable framework as long as it is used well. It is the first piece of good news in years, after everything that followed the demise of Safe Harbour and Privacy Shield. Jorge’s article, published on September 18, 2025, arrives at a moment when we all wonder what truly changes in practice and how it is reflected in contracts, cookies, analytics, AI and technical support. That it appears in a general-interest, leading outlet such as El Español is not only an honourable mention; it is a sign of the public relevance of an issue that usually stays buried in legal jargon. And it is also a way of translating a complex legal debate into business language that any manager can understand.
Let’s face the problem: Lucia’s story
Lucia runs an e-commerce business in Malaga. She uses an American CRM, an email marketing platform and an analytics service with servers located in several countries. Not at all uncommon. Her question is yours: “Can I keep operating the same way without exposing my company to penalties or uncomfortable incumbents?” With the DPF in force, if the supplier adheres to the framework, the transfers can be covered by the adequacy decision of the European Commission. What if it doesn’t? The usual alternative comes into play: Standard Contractual Clauses (SCC) with their transfer impact assessment (TIA) and technical measures (encryption, pseudonymisation, minimisation). The important thing is not to mistake stability for a free-for-all: the route exists, but it requires checking, documenting and, above all, understanding.
What the DPF really brings (and what it doesn’t)
The value of the DPF is not magic. It provides reasonable legal certainty where previously there was uncertainty, establishing safeguards on government access to data and an independent recourse mechanism, the Data Protection Review Court (DPRC), to which EU citizens can turn if they believe there has been undue access to their data. This, for Lucia, means that she is not alone: there is a circuit of guarantees designed for extreme cases. But the DPF does not replace your governance. If your supplier does not adhere to it, or if you yourself collect more data than necessary, the ball returns to your court.
The often overlooked angle: operation and reputation
The most expensive aspect is usually not the fine, but the management time and the damage to reputation. No one likes to be in the press because of a data incident. On the other hand, presenting a transparent, well-communicated and verifiable position (“we work with suppliers adhering to the DPF, the rest goes with SCC + TIA and end-to-end encryption”) generates trust. It’s your way of saying: “We know what we’re doing”. And that’s where the conversation that Jorge opens in El Español aligns with what we do at Certus: translating the legal framework into product, marketing, and technology decisions that can be explained in two sentences without losing rigour.
What about AI? The new frontier of transfers
Another hot spot that Jorge has been analysing for some time: generative AI. When you upload real data to an AI service hosted outside the EU, you’re not just transferring it; you may be creating a dependency on a provider with rules different from your own. With the DPF, there is a way, yes, but you must agree on no reuse of the data, the location of the processing and the retention periods. The lesson is clear: AI multiplies the value of the data… and your obligations along with it.
Malaga, technology and a conversation that goes further
That this debate leaves the specialised forums and reaches El Español is a good sign: Malaga and Andalusia are experiencing a powerful moment in technology, investment and internationalisation. If your company is growing, the order is: first, the strategy, then the technology, and in the background, a clear legal framework, so as not to slow down when you have the most momentum. Jorge’s presence in the press reinforces what we have been doing for years at Certus Legal Firm: accompanying companies that operate with data and want to do it well and without friction.