Disclaimer: This site is intended to provide helpful guidance to customers on the GDPR and not as a comprehensive solution or legal advice. Each organization should undertake its own steps to ensure compliance.

Welcome to Dropbox's General Data Protection Regulation (GDPR) Guidance Center

This guidance center offers some helpful insights and practical steps for organizations that must comply with the GDPR.

Every organization’s journey to GDPR compliance is different. Organizations should consider several factors regarding GDPR adherence, including company size, the types and amount of data they process, and current security and privacy measures.

Complying with the GDPR

Organizations established in the EU or processing personal data of EU-based individuals will, in almost all cases, be required to comply with the GDPR. The GDPR updates and harmonizes the framework for processing personal data in the European Union, and brings with it new obligations for organizations and new rights for individuals. 

Dropbox has many years' experience earning our users’ trust. Dropbox Business is certified compliant with the most widely accepted security and privacy standards and regulations in the world, such as ISO 27001/2, ISO 27018/17 and SOC 2. Our cross-functional team of data protection specialists has put together a series of insights and resources to help you on your road to GDPR compliance.

What is the GDPR?

The GDPR is a European Union regulation that establishes a new framework for handling and protecting the personal data of data subjects in the EU. It came into effect on May 25, 2018.

Personal data plays a huge part in society and the economy. It is essential that people have—and know they have—control and clarity over how their data is used and protected by any organization they interact with, and that organizations are given clear guidelines for protecting the personal data they hold.

One of the goals of the GDPR is to reconcile disparate data privacy laws across Europe, keeping in mind the rapid technological changes within the past two decades. It builds upon the current legal framework in the European Union, including the EU Data Protection Directive, which has been in existence since 1995. 

GDPR: The basics

Dropbox meets GDPR requirements across all of its services, including Dropbox Basic, Plus, Professional, and Business.

What are your obligations under the GDPR?

  • If you are a Dropbox Business customer, please note that you are the data controller and have specific legal obligations under the GDPR. Dropbox acts as your data processor in these cases. If you are a Dropbox Basic, Plus, or Professional user, Dropbox is the data controller of your data. Please also note that there are specific legal obligations in that regard under the GDPR. Whether your company is a data controller or a data processor, we cannot provide legal counsel regarding your company's compliance with the GDPR, but we do encourage you to seek independent legal counsel.
  • If you are a business customer, you should be confident that any providers (data processors) you work with have a highly robust approach to data protection, understand the obligations of the GDPR, and are well prepared to meet them.
  • The GDPR does not impose a requirement for personal data to remain within the EU. In fact, the GDPR permits the transfer of personal data to non-EU countries in line with a number of recognized mechanisms, including standard contractual clauses and frameworks such as the EU-US Privacy Shield. Under the GDPR, data can be hosted and processed in non-EU countries as long as you, or the providers who transfer data on your behalf, have one of the necessary transfer mechanisms in place.
  • Dropbox’s shared responsibility guide sets out our approach to working together to keep your data secure and helps make clear Dropbox’s responsibilities and our customers’ responsibilities.

GDPR: Key changes

The GDPR brings with it a shift in mindset. It expressly codifies several principles that previously underpinned data protection law, such as the "accountability principle" and "privacy by design," and encourages organizations to take more responsibility for protecting the personal data they handle.

Privacy by design: This means that organizations handling personal data need to think about data protection when designing systems, not just review privacy implications after a product or process is developed.

User rights: The GDPR expands the existing set of user rights and creates several entirely new rights. Companies should review and ensure they have effective systems in place to give effect to these rights.

Tougher breach notification rules: Under the GDPR, organizations are required to have a strong breach notification system in place and understand their specific reporting obligations.

Accountability: Not only must your company adhere to the principles set out in the GDPR, but you must also demonstrate that compliance in line with the principle of accountability. This requires a comprehensive and clear internal privacy governance structure.

Data protection officer: The GDPR requires companies that engage in processing of EU user data to determine if they should appoint a Data Protection Officer. Companies that routinely process large volumes of information or particularly sensitive information should consider appointing a DPO.

Dropbox's GDPR compliance journey

Like many of our customers, we here at Dropbox prepared for the GDPR.

At Dropbox, trust is the foundation of our relationship with millions of people and businesses around the world. We value the confidence you’ve put in us and take the responsibility of protecting your information seriously. Respect for privacy and security was built into our business from the beginning, and as we've grown, our focus on handling and protecting the data our customers entrust to us has remained a top priority. For example, we were one of the first cloud service providers to achieve ISO 27018 — the internationally recognized standard for leading practices in cloud privacy and data protection.

To supplement our GDPR compliance efforts, Dropbox has chosen to adhere to the Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance. Dropbox describes its data protection practices and compliance with the Code of Conduct in a Privacy Level Agreement that is publicly available on the CSA website. Dropbox takes the GDPR very seriously, and we are committed to ensuring our compliance with both the GDPR and the Code of Conduct. In the event there is a material change in the GDPR that conflicts with the Code of Conduct, Dropbox shall comply with the terms of the GDPR.

Read more about “Dropbox’s GDPR Compliance Journey” here.

Updates to our ToS, Privacy Policy, & Business Agreement

At Dropbox, we’re dedicated to being worthy of trust. That’s why we’ve updated our Terms of Service, Privacy Policy, and Business Agreement. Read our summary of the changes.

We’re committed to protecting your personal data

We see data protection as integral to our work, and as we’ve grown, the way we handle and protect the data our customers entrust to us has remained a priority.

The accountability principle: A shift in mindset

The concepts of privacy by design and privacy by default underpin the accountability principle and are at the heart of the shift in mindset the GDPR aims to achieve.