So is this likely to change or are we all going to need to cancel our subscriptions please? I pay for Dropbox already but not business as I am a one man band photography business. I don't need all that extra storage. I just need enough to transfer images. I will need to find somebody else if I can't show a DPA.
Dropbox does not guarantee that they store the data of business customers in Europe. I asked and they said that if I have 250 users I can negotiate it :-(
But that is not a requirement for the GDPR, but you do need to inform your customers that the data can be stored in the US (which is of course something not everybody will like given how the US government gets access to data).
@nicolabisseker wrote: So is this likely to change or are we all going to need to cancel our subscriptions please? I pay for Dropbox already but not business as I am a one man band photography business. I don't need all that extra storage. I just need enough to transfer images. I will need to find somebody else if I can't show a DPA.
It seems so - you will need one of the business accounts where a DPA is available. However, if you are already paying - it might be that the business accounts might not be much more than you are already paying and you could upgrade?
Hello
I can't see if you have answered this before:
In our organisation we use DropBox to store personal information (ordinary and more sensitive information).
I think that we should have a DPA with DropBox in order to assure compliance with the GDPR?
I hope to get an answer asap.
Br
@Persondatakonsu
These are only available to Business customers.
Safe Harbor has not been applicable for three years, now it is the Privacy Shield that regulates relations between the US and the EU. Your answers confuse users.
I run a small dance school and just want to share files with the parents of the students. None of it passes on personal data. BUT sharing files means that everyone can see everyone else's email address. Is there a way to turn this off? I sure can't find a way and I am pretty sure that will make it non GDPR compliant for me.
Are there other systems than Dropbox that file sharing can take place?
I'm really confused about all that GDPR stuff...Dropbox said they comply, but for any other big site I have a full cookie consent - not just telling me that if I continue using the site I agree with everything! I have specifically to agree - for example I may choose I don't want to be tracked by pixels, analytics and so on, but to accept only cookies, needed for site functionality.
Then, when I login my account I don't have any GDPR agreement to accept, nothing!
I can't see where to manage what information I allow to be shared?
Could someone explain this, maybe from Dropbox staff....
Thanks!
Yes it is confusing, but cookies are a separate issue from what is discussed here. Yes Dropbox should warn you if they use them but if they don't, that is their responsibility.
But if you run a business and you store personal data on a platform such as Dropbox, you need a Data Processing Agreement. Dropbox apparently likes its large customers better than the small ones, as they only offer it if you take a Business Account with a minimum of 3 users. So everybody else should move the personal data away from Dropbox, else your company does not comply with the GDPR.
Yes, Dropbox states that they comply with the regulations; what they mean is that if you are a private customer they comply. But if you are a small business user and you can't afford to buy a Business Account with 3 users for 30 euro a month, then Dropbox free and Personal accounts don't comply.
I am a DB Business user.
I've been asking DB if DB Business is GDPR compliant and so far I've received no answer - which, as a lawyer, I take as a NO, it isn't, but we won't confess.
Amazon clearly states this with regard to their cloud services:
https://aws.amazon.com/compliance/gdpr-center/?nc1=h_ls
Why can't DB do the same?
I'm really, really worried.
Please, DB, it's really that simple: just tell us DROPBOX (BUSINESS) IS GDPR COMPLIANT (if it is...).
We need nothing more.
They have stated it also on this forum. Here is the DPA that applies to Business accounts:
https://assets.dropbox.com/documents/en/legal/data-processing-agreement-dfb-013118.pdf
Hi aukevn and thank you for your prompt reply.
First of all it's a shame that DB staff in Italy haven't been able to provide me with a definitive answer in a week... (I'm still waiting for a simple answer YES DB BUSINESS IS OKAY, READ HERE... (url with a clear statement)).
This being said, could you please tell me where actually DB states (just) that DB Business service is GDPR compliant?
The only resource I've found is this:
https://help.dropbox.com/security/standards-regulations
which is lost in a webpage no regular Italian user could ever find...
Thank you again, cheers
Here on the forum they state it and I got an email (after asking about 5 times I finally got a clear answer).
Haven't found it anywhere else.
This is really unfortunate and upsetting. Let's hope they state it clearly soon. Cheers
So, all this stuff, cookies, GDPR, they will make life harder for small sites, the big ones - Facebook, Twitter, Dropbox - they all ignorantly simply don't give a [profanity removed by Moderator]....Take a look at Dropbox - even the cookie consent is not by the rules - by the law, before dropping a cookie on your computer, you should agree specifically (not passively, by simply moving on the site) and have an option to continue using a site without any restrictions. Also you must have an option to turn off tracking for non-essential cookies etc....As you can see - none of this has been implemented and I doubt it will be...
Hi Jane,
GDPR compliance is complex but also has some simple rules that apply equally to all organizations. There is no need for Dropbox to provide legal guidance or recommendations here. The main issue here is the unwillingness of Dropbox to provide Data Processing Agreements to small business users who can't afford a business account with 3 users and the lack of clear communication about this. Please ask your colleagues to reconsider this issue, it seems quite unethical to use these new regulations to force people into upgrading to accounts that they have no use for as single person companies. Dropbox states frequently that they comply with the GDPR, it should be nothing more than an administrative procedure.
From what I understand my business account will need to sign a DPA with Dropbox to fulfill the new GDPR legislation? Other platforms such as MailChimp have made this easy, but I can not find any information about signing this agreement on this site?
You'll want to contact Dropbox Business Support. The options for doing so can be found in your Admin console under Help, or you can open a ticket.
Open your ticket here: https://dropbox.com/support
Track your ticket here: https://dropbox.zendesk.com
Replies take approximately 1 - 3 business days with Plus, Professional and Business users getting priority (longer for Basic users).
Thanks Ed, but regarding the topic being discussed here it sounds a bit misleading that you comply.
I can find no information in the link you provide about a Data Processing Agreement. If you want to be compliant for people using Dropbox professionally, you need to offer such agreements. The information I have is that you only provide it for business account users, thus excluding all those contractors and small businesses that only need a single or two accounts. So no matter what technical measures you take, if you don't provide such an agreement many will have to stop using Dropbox to store personal information of clients.
Kind regards,
Auke
Hi Ed,
leaves us with the open question: what about your customers that are running small businesses, pay for your services and don't need a business version? I could be interested in getting to know how many accounts we're talking about in Europe that you obviously want to force to upgrade - or to change to another provider, if the small businesses want to comply with the rules. Which is our very intention!
Yes, thanks Ed. I'm sure You (dropbox) comply in every way possible, but that is beside the point of this discussion. What I want is for ME (the user) to comply, and I can't do that without a Data Processing Agreement (DPA), and that DPA is not available to me even though I'm a paying customer. The way I read the information in the link you provided, I have to upgrade from my pro plan to a business plan to get a DPA. Otherwise, I am not able to be compliant.
I got very excited when I saw your reply Ed, but as others have said - nothing has changed for those of us who use DropBox professionally but cannot afford to pay for a business account, which is the only way any of us can currently get a Data Processing Agreement from DropBox.
Can you please confirm if DropBox are indeed looking into providing a Data Processing Agreement for those without a business account - as we would like to continue using DropBox if we can, but can only do that if we have a DPA. If a DPA isn't going to be available, we will need to cancel our DropBox account and go with a provider who will provide a DPA.
Many thanks