Hi Norah,
The information given here confuses me. Your product support told me I need to upgrade from a personal account to a business account to comply with the GDPR and have the proper agreement in place. Can you please clarify if this is indeed necessary? We share sensitive data with hundreds of partners, most of whom are very small (one person) businesses. I need to know if their free or personal accounts will be compliant with the GDPR.
Kind regards,
Auke
Yes, and I found out your statement about the Personal and Free accounts is WRONG!!!
In order to comply with the regulations, you need to sign a Data Protection Agreement with all your business partners who process customer data. Dropbox only offers this to Business Accounts. So even though you may store the data of the Personal and Free accounts in compliance with the law, by not allowing your customers with these accounts to sign an agreement they can't comply and can't use Dropbox to store business data that contains personal data of customers.
For large organizations, your Business account is a solution, but we have over 100 business customers who are independent contractors. They can't afford to pay the 3 accounts you require as a minimum for the Business account (they would need only 1), so they can't use Dropbox anymore.
First of all a correction, I referred to the statement of Norah, not yours Mark, sorry.
Your situation is different from ours. We share sensitive information with our partners. We have a Business account but most of them can't afford it. Our lawyers state that our customers must also have a Data Processing Agreement with Dropbox, but with their Personal and Free accounts unfortunately they can't.
Cheers,
As far as I can see, Dropbox could either provide a single person business account, or just make the agreement applicable to their other types of accounts. Maybe it is good business for them.
Hi
I currently store client information I work on via my Dropbox Plus account. Please would you confirm that Dropbox Plus meets the GDPR criteria that everyone is rushing to comply with at the moment? I understand that Dropbox Business is, but it is not expressly stated that my files in the Plus account would be treated in the same secure way. I do not need a Business account as the Plus account serves my needs.
Please would you confirm that the data storage services you offer on Dropbox Plus comply with the EU/US Privacy Shield?
Actually, Google and Mailchimp are providing DPAs to non-fee paying accounts - they use model contract clauses. So I wonder whether Dropbox could also do this?
Dropbox does that too, but only for Business Account holders with a minimum of 3 users. So even if you pay for a Personal account they don't provide anything, and small one person businesses are toast.
It would seem rather short-sighted not to make a simple electronic agreement available for personal and plus account holders in the way that Evernote and many other large companies are doing. A business account just doesn't make sense for me, and my solicitor has advised me that I do need a DPA agreement or should stop using the service.
I agree. It took me about 5 emails to get Dropbox support to say clearly that "yes, Basic and Personal accounts can't get a DPA". I have asked them to reconsider but as they try to get us on their Business accounts I don't expect them to change. When I asked if they could guarantee my data to be stored in Europe rather than the US their answer was that it can be negotiated if you have more than 250 users. Up there in the clouds...
Thanks Norah, I really hope Dropbox will change this. Currently the statement that the Basic and Personal accounts comply with the GDPR is false.
It is compliant - from all of the legal advice I've been given for my own personal businesses they are compliant. The biggest risk we have is from my devices so that's where we had to tighten things up. As Dropbox is part of the US Privacy Shield it is more than robust to use: https://www.privacytrust.com/privacyshield/gdpr-vs-privacy-shield.html and https://www.transatlantic-lawyer.com/2018/03/is-privacy-shield-gdpr-compliant/ I do think a lot of this is because the guidance is so woolly around what we can and cannot do though. I honestly think it's going to be one of these regulations that's going to dramatically change due to court cases or similar over the next few years (with big companies, not us small fry) when things like TalkTalk happen (again!) and that we need to keep an eye on the Privacy Shield thing above as that is likely to be dramatically updated.
The EU GDPR clearly states that you need a Data Processing Agreement with all those who process our data. Therefore businesses in Europe cannot use a Dropbox Free or Personal account to store personal data as Dropbox will not 'sign' such agreements with those customers. Our legal advisor confirms that and Dropbox has admitted this is the case and 'advises' to upgrade to a Business Account.
I am involved in a similar charity organisation. I am concerned about the location of the files I have containing personal information. From the ICO website I note the following:
"At a glance
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
In brief: When can personal data be transferred outside the European Union?
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR."
Could you give guidance please?
SouthHams
Our legal advisor tells us storing outside the US is not the issue, as long as they comply with the GDPR and provide a DPA.
Sorry Ed, you can't state that you will meet all requirements. If you don't provide DPAs, you don't comply with the GDPR for any business using Free or Personal accounts to store personal data. No matter how many security measures you take or privacy policies you write.
One simple agreement would solve that but up to now your company is unwilling to provide this. It seems this is driven more by the desire for more profit than any technical reason, since you state that everything is in place by the GDPR.
I am a Dropbox Plus customer, and I was searching everywhere on dropbox.com for the DPA. I couldn't understand why it was so difficult to find, until I finally found (stumbled upon) this thread.
I don't understand why a DPA is not available to ALL (or at least all paying) users, and why it is so difficult to get good valid information regarding acquiring a DPA from Dropbox.
GDPR clearly states that I need a DPA to be compliant with the law and for now the only solution seems to be an upgrade to business. As I really don't think I'll be able to afford that in the long run, I feel kinda let down by a service I have been using and promoting to others for many years.
It does appear to be a cynical move by companies to force customers to pay more by only providing a DPA for business accounts (which will remain completely under-utilised).
I store 1.8GB of data (most of which are PDF raster scans for our purchase ledger). I don't need 2TB, I don't need 3 users, I don't need API access. In fact I need very little of what Dropbox Business provides.
I use Dropbox to store documents in a manner that I can access from multiple locations, that's it. Rather than offering a simple solution to small businesses and sole traders who only need a single user, Dropbox are saying "Pay for our business solution, that you'll completely under-utilise", or don't use us at all.
I'll be opting for the latter, and not using it at all...
@JB13 wrote: Actually, Google and Mailchimp are providing DPAs to non-fee paying accounts - they use model contract clauses. So I wonder whether Dropbox could also do this?
Hi JB13 - could you point me in the direction of the info for a DPA on Google non-fee paying accounts? It's something I haven't managed to find.
many thanks!
Claire
@Ed wrote: Hi All. To add to that: Our Dropbox Terms of Service and Privacy Policy govern Dropbox Basic, Professional and Plus products while our DPA is only applicable for Dropbox’s Business users. Additionally, Dropbox is bound by the language of the Privacy Policy with respect to Dropbox Business customers and the users on a Dropbox Business team. While Data Processing Amendments are only for Dropbox Business customers, Dropbox will meet the requirements of the GDPR by May 25, 2018 as required across all its services, including Dropbox Basic, Plus, Pro, and Business.
So, what I take from this is that business users can have a DPA - which allows them to use Dropbox to store personal data they are controllers for. If you have a basic account - Dropbox will be GDPR compliant in terms of what they have to do to store our details i.e. Dropbox customers data who are from the EU (not personal data that their customers are controllers of).
They are compliant as far as individual users are concerned, but not if you use their service for work related items. So Dropbox cannot be used by contractors/people who are self employed or small businesses who do not require 3 user accounts.
Dropbox is using server capacity in Germany for business customers.
"Dropbox tries to counter the distrust of its server location in the USA by offering business customers and professional users the option of storing their data on servers in Germany (this offer is, however, not available to private users). For this, Dropbox uses the resources of Amazon Web Services in the Frankfurt data centre." (www.pcwelt.de)
What I am wondering is whether there is an economy class and a business class of GDPR compliance at Dropbox. And why Mailchimp is able to provide the necessary DPA.
I was hoping that Dropbox would find a solution, and not leave its (paying) customers in the cold. My 12-month plan just extended automatically, and there is obviously no chance to get money refunded when I cancel the plan now.
After all, Dropbox is not the only company offering cloud services (let alone that others do comply with the GDPR AND provide DPAs).