We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.
Forum Discussion
GDPR Compliance for Personal / Free Accounts
Hi, I work with various charities in the UK who often use free Dropbox accounts to share files for boards of trustees, teams etc. There is some confusion as to whether the GDPR compliance steps ...
- Hi Tom
As somebody in the UK the biggest thing you need to make sure is that the end users whos data is being stored is aware of it being stored AND that it is stored outside of the EU. Same goes if they email things in they need to know where those email servers are (e.g. Office365 = USA etc.).
Norah
Dropbox Staff
Dropbox StaffHi Norah,
The information given here confuses me. Your product support told me I need to upgrade from a personal account to a business account to comply with the GDPR and have the proper agreement in place. Can you please clarify if this is indeed necessary? We share sensitive data with hundreds partners, most of whom are very small (one person) businesses. I need to know if their free or personal accounts will be compliant to the GDPR.
Kind regards,
Auke
- Mark
Super User II
Have you read the links supplied Aukevn?
It depends who you need Dropbox to be doing in order for you to decide if it is compliant or not. Dropbox on its own IS compliant because of how the data is stored etc. But, if you deem you need additional controls (maybe access logs etc.) then you will need a higher package than a Free or Personal account.Yes, and I found out your statement about the Personal and Free accounts is WRONG!!!
In order to comply with the regulations, you need to sign a Data Protection Agreement with all your business partners who process customer data. Dropbox only offers this to Business Accounts. So eventhough you may store the data of the Personal and Free accounts in compliance with the law, by not allowing your customers with these accounts to sign an agreement they can't comply and can't use Dropbox to store business data that contains personal data of customers.
For large organizations, your Business account is a solution, but we have over 100 business customers who are independent contractors. They can't affort to pay the 3 accounts you require as a minimum for the Business account (they would need only 1), so they can't use Dropbox anymore.
Kind regards,
Auke
- MarkHi Tom
As somebody in the UK the biggest thing you need to make sure is that the end users whos data is being stored is aware of it being stored AND that it is stored outside of the EU. Same goes if they email things in they need to know where those email servers are (e.g. Office365 = USA etc.). I am involved in a similar charity organisation. I am concerned about the location of the files I hace containing personal information. From the ICO website I note the following
"At a glance
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
In brief When can personal data be transferred outside the European Union?
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR."
Could you give guidance Please
SouthHams
Our legal advisor tells us storing outside the US is not the issue, as long as they comply with the GDPR and provide a DPA
I am a DB Business user.
I've been asking DB if DB Business is GDPR compliant and so far I've received no answer - which, as a lawyer, I take as a NO, it isn't, but we won't confess.
Amazon clearly states this with regard to theair cloud services:
https://aws.amazon.com/compliance/gdpr-center/?nc1=h_ls
Why can't DB do the same?
I'm really, really worried.
Please, DB, it's really that simple: just tell us DROPBOX (BUSINESS) IS GDPR COMPLIANT (if it is...).
We need nothing more.
They have stated it also on this forum. Here is the DPA that applies to Business accounts:
https://assets.dropbox.com/documents/en/legal/data-processing-agreement-dfb-013118.pdf
Hi aukevn and thank you for your prompt reply.
First of all it's a shame that DB staff in Italy haven't been able to provide me with a definitive answer in a week... (I'm still waiting for a simple answer YES DB BUSINESS IS OKAY, RED HERE... (url with a clear statement).
This being said, could you please tell me where actually DB states (just) that DB Business service is GDPR compliant?
The only resource I've found is this:
https://help.dropbox.com/security/standards-regulations
which is lost in a webpage no regular italian user could ever find...
Thank you again, cheers
