Dropbox meets GDPR requirements across all of its services, including Dropbox Basic, Plus, Professional and Business.

How does Dropbox comply with the GDPR?

• Trust is the foundation of our relationship with millions of people and businesses around the world. We value the confidence you've put in us and take the responsibility of protecting your information seriously.
• ​​Dropbox places the utmost importance on data protection and has a track record of staying ahead of the compliance curve - for example, we were one of the first cloud service providers to achieve ISO 27018 — the internationally recognised standard for leading practices in cloud privacy and data protection. ​​
• Dropbox’s Legal, Trust and Privacy teams have carefully analysed the GDPR and have undertaken the necessary steps to ensure that we comply.
• ​​We met the requirements of the GDPR by 25th May, 2018.

• If you are a business customer, please note that you are the data controller and have specific legal obligations under the GDPR. If you are a Dropbox Basic, Plus or Professional user, Dropbox is the data processor and you are the data controller. Please also note that there are specific legal obligations in that regard under the GDPR. Whether your company is a data controller or a data processor, we cannot provide legal counsel regarding your company's compliance with the GDPR, but do encourage you to seek independent legal counsel.
• ​​If you are a business customer, you should be confident that any providers (data processors) which you work with have a highly robust approach to data protection, understand the obligations of the GDPR and are well prepared to meet them.
• The GDPR does not impose a requirement for personal data to remain within the EU. In fact, the GDPR permits the transfer of personal data to non-EU countries in line with a number of recognized methods, including standard contractual clauses and frameworks such as the EU-US Privacy Shield. Under GDPR data can be hosted and processed in non-EU countries as long as you, or your providers who transfer data on your behalf, have one of the necessary transfer mechanisms in place. ​​
• Dropbox’s shared responsibility guide sets out our approach to working together to keep your data secure and helps make clear Dropbox’s responsibilities and our customers’ responsibilities.

The GDPR brings with it a shift in mindset. It expressly introduces several principles that previously underpinned data protection law, such as the "accountability principle" and "privacy by design", and encourages organisations to take more responsibility for protecting the personal data they handle.

Privacy by design: This means that organisations handling personal data need to think about data protection when designing systems, not just review privacy implications after a product or process is developed.

User rights: The GDPR expands the existing set of user rights and creates several entirely new rights. Companies should review and ensure they have effective systems in place to give effect to these rights.

Tougher breach notification rules: Under the GDPR, organisations are required to have a strong breach notification system in place and understand their specific reporting obligations.

Accountability: Not only must your company adhere to the principles set out in the GDPR, but you must also demonstrate that compliance in line with the principle of accountability. This requires a comprehensive and clear internal privacy governance structure.

Data protection officer: The GDPR requires companies that engage in processing of EU user data to determine if they should appoint a Data Protection Officer. Companies that routinely process large volumes of information or particularly sensitive information should consider appointing a DPO.