Need to see if your shared folder is taking up space on your dropbox 👨💻? Find out how to check here.
Forum Discussion
Solved
GDPR Compliance for Personal / Free Accounts
Hi, I work with various charities in the UK who often use free Dropbox accounts to share files for boards of trustees, teams etc. There is some confusion as to whether the GDPR compliance steps ...
- Hi Tom
As somebody in the UK the biggest thing you need to make sure is that the end users whos data is being stored is aware of it being stored AND that it is stored outside of the EU. Same goes if they email things in they need to know where those email servers are (e.g. Office365 = USA etc.).
Actually, Google and Mailchimp are providing DPAs to non-fee paying accounts - they use model contract clauses. So I wonder whether Dropbox could also do this?
Dropbox does that too, but only for Business Account holders with a minimum of 3 users. So even if you pay for a Personal account they don't provide anything and small one person businesses are toast
It would seem rather short sighted not to make a simple electronic agreement available for personal and plus account holders in the way that Evernote and many other large companies are doing.
A business account just doesn't make sense for me, and my solicitor has advised me that I do need a DPA agreement or should stop using the service.I agree. It took me about 5 email to get Dropbox support to say clearly that "yes, Bacis and Personal accounts can't get a DPA". I have asked them to reconsider but as they try to get us on their Business accounts I don't expect them to change. When I asked if they could guarantee my data to be stored in Europe rather than the US their answer was that it can be negotiated if you have more than 250 users. Up there in the clouds..
- They are going to lose LOADS of EU customers if they don't / can't provide a general DPA for non business account holders (me being one of them, as I too keep all my business docs on Dropbox, but run a micro / one man band business).
I agree with you @aukevn it must surely be in their own interest to do this or supply a 1 user Business plan. - Seems they are cutting off their nose to spite their face here! Thanks Norah, I really hope Dropbox will change this. Currently the statement that the Basic and Personal accounts comply to the GDPR are false.
Kind regards,
Auke
- Mark
Super User II
It is compliant - from all of the legal advice I've been given for my own personal businesses they are compliant. The biggest risk we have is from my devices so thats where we had to tighten things up.
As Dropbox is part of the US Privacy Shield is is more than robust to use:
https://www.privacytrust.com/privacyshield/gdpr-vs-privacy-shield.html
https://www.transatlantic-lawyer.com/2018/03/is-privacy-shield-gdpr-compliant/
I do think a lot of this is because the guidance is so wooly around what we can and cannot do though. I honestly think its going to be one of these regulations thats going to dramatically change due to court cases or similar over the next few years (with big companies, not us small fry) when things like TalkTalk happen (again!) and that we need to keep an eye on the Privacy Shield thing above as that is likely to be dramatically updated. The EU GDPR clearly states that you need a Data Processing Agreement with all those who process our data. Therefor businesses in Europe cannot use a Dropbox Free or Personal account to store personal data as Dropbox will not 'sign' such agreements with those customers. Our legal advisor conforms that and Dropbox has admitted this is the case and 'advices' to upgrade to a Business Account.
- -_-
- Jane
Dropbox Staff
- I'm worried because you're not compliant. The DPA stipulates it only for Business accounts, although both the Plus and Professional accounts are paid.
