TomMacD89 (Explorer | Level 3)
7 years ago
GDPR Compliance for Personal / Free Accounts
Hi,
I work with various charities in the UK who often use free Dropbox accounts to share files for boards of trustees, teams etc.
There is some confusion as to whether the GDPR compliance steps that Dropbox have made apply to these accounts or only to those on Dropbox Business.
Could this be clarified please?
- Norah (Dropbox Staff)
Dropbox will meet the requirements of the GDPR by May 25, 2018 as required across all its services, including Dropbox Basic, Plus, Professional, and Business. You can read about our GDPR preparation, as well as our approach to safeguarding your data at our GDPR guidance center. I hope this helps!
- aukevn (Helpful | Level 7)
Hi Norah,
The information given here confuses me. Your product support told me I need to upgrade from a personal account to a business account to comply with the GDPR and have the proper agreement in place. Can you please clarify if this is indeed necessary? We share sensitive data with hundreds of partners, most of whom are very small (one person) businesses. I need to know if their free or personal accounts will be compliant with the GDPR.
Kind regards,
Auke
- Mark (Super User II)
Have you read the links supplied Aukevn?
It depends what you need Dropbox to be doing in order for you to decide if it is compliant or not. Dropbox on its own IS compliant because of how the data is stored etc. But, if you deem you need additional controls (maybe access logs etc.) then you will need a higher package than a Free or Personal account.
- Mark (Super User II)
Hi Tom
As somebody in the UK the biggest thing you need to make sure is that the end users whose data is being stored are aware of it being stored AND that it is stored outside of the EU. Same goes if they email things in they need to know where those email servers are (e.g. Office365 = USA etc.).
- SouthHams (New member | Level 2)
I am involved in a similar charity organisation. I am concerned about the location of the files I have containing personal information. From the ICO website I note the following:
"At a glance
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
In brief
When can personal data be transferred outside the European Union?
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR."
Could you give guidance please?
SouthHams
- aukevn (Helpful | Level 7)
Our legal advisor tells us storing outside the US is not the issue, as long as they comply with the GDPR and provide a DPA.
- Sigrid2 (New member | Level 2)
From what I understand my business account will need to sign a DPA with Dropbox to fulfil the new GDPR legislation? Other platforms such as MailChimp have made this easy, but I cannot find any information about signing this agreement on this site?
- Rich (Super User II)
You'll want to contact Dropbox Business Support. The options for doing so can be found in your Admin console under Help, or you can open a ticket.
Open your ticket here: https://dropbox.com/support
Track your ticket here: https://dropbox.zendesk.com
Replies take approximately 1 - 3 business days with Plus, Professional and Business users getting priority (longer for Basic users).
- Ed (Dropbox Staff)
Hi all
Thanks for your patience on this matter. Our legal team has just confirmed that we're GDPR compliant and has updated this page: https://www.dropbox.com/business/trust/compliance/certifications-compliance
Thank you
- AnitaP (New member | Level 2)
Hi
I currently store client information I work on via my Dropbox Plus account. Please would you confirm that Dropbox Plus meets the GDPR criteria that everyone is rushing to comply with at the moment? I understand that Dropbox Business is, but it is not expressly stated that my files in the Plus account would be treated in the same secure way. I do not need a Business account as the Plus account serves my needs.
Please would you confirm that the data storage services you offer on Dropbox Plus comply with the EU/US Privacy Shield?
- Mark (Super User II)
Hi Anita
Have a look at https://www.dropboxforum.com/t5/Sharing-and-collaboration/GDPR-Compliance-for-Personal-Free-Accounts/m-p/275027#M19691
Dropbox IS GDPR compliant, but, like most of this stuff, it's based upon your own Risk Assessments.
I am using Dropbox to store information on my business (swim school enrolments, first aid course records and employee information) and have been told as long as I am clear with the customers and clients where and how I store it that is fine. It is the same with emails (think Office365/Hotmail or Gmail) as you'll never get them to send you a personal contract of compliance. There has to be a bit of common sense applied to things.
My legal and HR teams are quite happy with the continued use of Dropbox based upon its updated Safe Harbour compliance and, as I said above, informing people what I do with their data.
- Persondatakonsu (New member | Level 2)
Hello
I can't see if you have answered this before:
In our organisation we use DropBox to store personal information (ordinary and more sensitive information).
I think that we should have a DPA with DropBox in order to assure compliance with the GDPR?
I hope to get an answer asap.
Br
- Mark (Super User II)
- meldud60 (Explorer | Level 3)
I run a small dance school and just want to share files with the parents of the students. None of it passes on personal data. BUT sharing files means that everyone can see everyone else's email address. Is there a way to turn this off? I sure can't find a way and I am pretty sure that will make it non GDPR compliant for me.
Are there other systems than Dropbox that file sharing can take place?
- louisebeattie (Helpful | Level 5)
pCloud will be implementing a DPA, Tresorit, I believe Google Drive but don't know for sure.
- BradJohnson (Helpful | Level 6)
I'm really confused about all that GDPR stuff...Dropbox said they comply, but for any other big site I have a full cookie consent - not just telling me that if I continue using the site I agree with everything! I have specifically to agree - for example I may choose I don't want to be tracked by pixels, analytics and so on, but to accept only cookies, needed for site functionality.
Then, when I login my account I don't have any GDPR agreement to accept, nothing!
I can't see where to manage what information I allow to be shared?
Could someone explain this, maybe from Dropbox staff....
Thanks!
- aukevn (Helpful | Level 7)
Yes it is confusing, but cookies are a separate issue from what is discussed here. Yes Dropbox should warn you if they use them but if they don't, that is their responsibility.
But if you run a business and you store personal data on a platform such as Dropbox, you need a Data Processing Agreement. Dropbox apparently likes its large customers better than the small ones, as they only offer it if you take a Business Account with a minimum of 3 users. So everybody else should move the personal data away from Dropbox, else your company does not comply with the GDPR.
Yes, Dropbox states that they comply with the regulations, what they mean is that if you are a private customer they comply. But if you are a small business user and you can't afford to buy a Business Account with 3 users for 30 euro a month, then Dropbox free and Personal accounts don't comply.
- Thomas Riesler SFF (New member | Level 2)
Hi,
I'd like to raise the question regarding the accessibility to DropBox' EU/EEA servers for really small businesses, like one person. As I understand it DB has made it possible for 10-licence businesses to use this option. But...
When will professional one person/licence users be able to use DropBox in a legal way when conducting business within the EU/EEA with regards to GDPR?