Forum Discussion
TomMacD89
7 years ago, Explorer | Level 3
GDPR Compliance for Personal / Free Accounts
Hi, I work with various charities in the UK who often use free Dropbox accounts to share files for boards of trustees, teams etc. There is some confusion as to whether the GDPR compliance steps ...
Norah
7 years ago, Dropbox Staff
Dropbox will meet the requirements of the GDPR by May 25, 2018 as required across all its services, including Dropbox Basic, Plus, Professional, and Business.
You can read about our GDPR preparation, as well as our approach to safeguarding your data at our GDPR guidance center.
I hope this helps!
- aukevn, 7 years ago, Helpful | Level 7
Hi Norah,
The information given here confuses me. Your product support told me I need to upgrade from a personal account to a business account to comply with the GDPR and have the proper agreement in place. Can you please clarify if this is indeed necessary? We share sensitive data with hundreds of partners, most of whom are very small (one person) businesses. I need to know if their free or personal accounts will be compliant with the GDPR.
Kind regards,
Auke
- Mark, 7 years ago, Super User II
Have you read the links supplied, Aukevn?
It depends what you need Dropbox to be doing in order for you to decide if it is compliant or not. Dropbox on its own IS compliant because of how the data is stored etc. But, if you deem you need additional controls (maybe access logs etc.) then you will need a higher package than a Free or Personal account.
- aukevn, 7 years ago, Helpful | Level 7
Yes, and I found out your statement about the Personal and Free accounts is WRONG!!!
In order to comply with the regulations, you need to sign a Data Protection Agreement with all your business partners who process customer data. Dropbox only offers this to Business Accounts. So even though you may store the data of the Personal and Free accounts in compliance with the law, by not allowing your customers with these accounts to sign an agreement they can't comply and can't use Dropbox to store business data that contains personal data of customers.
For large organizations, your Business account is a solution, but we have over 100 business customers who are independent contractors. They can't afford to pay the 3 accounts you require as a minimum for the Business account (they would need only 1), so they can't use Dropbox anymore.
Kind regards,
Auke
- Mark, 7 years ago, Super User II
Hi Tom
As somebody in the UK the biggest thing you need to make sure is that the end users whose data is being stored are aware of it being stored AND that it is stored outside of the EU. Same goes if they email things in: they need to know where those email servers are (e.g. Office365 = USA etc.).
- SouthHams, 7 years ago, New member | Level 2
I am involved in a similar charity organisation. I am concerned about the location of the files I have containing personal information. From the ICO website I note the following:
"At a glance
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
In brief
When can personal data be transferred outside the European Union?
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR."
Could you give guidance, please?
SouthHams
- aukevn, 7 years ago, Helpful | Level 7
Our legal advisor tells us storing outside the US is not the issue, as long as they comply with the GDPR and provide a DPA
- AlessioStorari, 7 years ago, Explorer | Level 3
I am a DB Business user.
I've been asking DB if DB Business is GDPR compliant and so far I've received no answer - which, as a lawyer, I take as a NO, it isn't, but we won't confess.
Amazon clearly states this with regard to their cloud services:
https://aws.amazon.com/compliance/gdpr-center/?nc1=h_ls
Why can't DB do the same?
I'm really, really worried.
Please, DB, it's really that simple: just tell us DROPBOX (BUSINESS) IS GDPR COMPLIANT (if it is...).
We need nothing more.
- aukevn, 7 years ago, Helpful | Level 7
They have stated it also on this forum. Here is the DPA that applies to Business accounts:
https://assets.dropbox.com/documents/en/legal/data-processing-agreement-dfb-013118.pdf
- AlessioStorari, 7 years ago, Explorer | Level 3
Hi aukevn and thank you for your prompt reply.
First of all it's a shame that DB staff in Italy haven't been able to provide me with a definitive answer in a week... (I'm still waiting for a simple answer YES DB BUSINESS IS OKAY, READ HERE... (url with a clear statement)).
This being said, could you please tell me where actually DB states (just) that DB Business service is GDPR compliant?
The only resource I've found is this:
https://help.dropbox.com/security/standards-regulations
which is lost in a webpage no regular Italian user could ever find...
Thank you again, cheers