UnveilTech

GDPR-Compliant File Sharing: What Your Business Needs to Know

April 7, 2026 · 8 min read

The General Data Protection Regulation (GDPR) has been in effect since May 2018, yet most businesses still share files using methods that create significant compliance risks. Every time an employee sends a client's passport scan via email or uploads a contract to Google Drive, the business adds another link to a chain of data processors, each with their own obligations and potential for failure.

This article explains what GDPR requires for file transfers, where common tools fall short and how zero-knowledge encryption can simplify compliance.

What GDPR Says About Data Transfers

Article 32: Security of Processing

Article 32 requires data controllers and processors to implement "appropriate technical and organisational measures" to ensure security. It explicitly mentions:

Encryption is the first measure listed. It is not optional for sensitive data transfers. The regulation specifically calls it out as an expected safeguard.

Article 28: Data Processors

When you use a third-party service to transfer files, that service becomes a "data processor" under GDPR. This triggers a cascade of obligations:

Every cloud service that can read your files is a data processor. Google Drive, Dropbox, WeTransfer, OneDrive — all of them process your personal data because they have the technical ability to access it. Each one requires a DPA and ongoing compliance monitoring.

Article 33: Breach Notification

If a data breach occurs, you must notify the supervisory authority within 72 hours. If the breach involves files shared through a cloud service, you depend on that service to detect and report the breach to you in time. This adds another dependency and risk.

The Problem with Common File Sharing Tools

Tool | Is a data processor? | Can read your files? | DPA required? | Breach liability
Google Drive | Yes | Yes | Yes | Shared
Dropbox | Yes | Yes | Yes | Shared
WeTransfer | Yes | Yes | Yes | Shared
OneDrive | Yes | Yes | Yes | Shared
Email (Gmail, Outlook) | Yes | Yes | Yes | Shared
Zero-knowledge sharing | No* | No | Simplified | Minimal

*A zero-knowledge service stores only encrypted data it cannot access. The GDPR definition of "processing" requires the ability to access personal data. If the service technically cannot access the data, its role as a processor is fundamentally different.

How Zero-Knowledge Encryption Helps

Encryption as the "Appropriate Measure"

Article 32 asks for "encryption of personal data." Client-side AES-256-GCM encryption — where the key never reaches the server — is the strongest form of encryption you can apply. It goes beyond what the regulation expects.

When files are encrypted before leaving your device, the data in transit and at rest is always protected. Even if the server is compromised, the encrypted data is useless without the key.

Eliminating the Data Processor Chain

If the server cannot access the personal data, the question of whether it qualifies as a "data processor" changes fundamentally. The service never processes personal data in any meaningful sense — it stores opaque bytes it cannot interpret.

This does not eliminate all compliance obligations, but it dramatically simplifies them. You no longer need to:

GDPR Recital 26 states that the regulation does not apply to data that has been rendered anonymous or that cannot be attributed to a specific person. While encrypted data with a key is technically pseudonymized rather than anonymous, the server operator has no access to the key — making the data effectively anonymous from their perspective.

Automatic Data Minimization

GDPR's principle of data minimization (Article 5(1)(c)) requires that personal data be "adequate, relevant and limited to what is necessary." With TTL-based file sharing, data is automatically deleted after the configured period. This built-in expiration aligns perfectly with data minimization: the file exists on the server only as long as it is needed and is then permanently removed.
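The client-side AES-256-GCM encryption and TTL-based expiry described above can be sketched as follows. This is an added example, not SecureSend's code: `BlobStore`, the `iv || tag || ciphertext` blob layout and passing the key as a base64url string (for instance in a URL fragment) are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Sender side: encrypt before upload. The key is generated locally and is
// never part of the upload object (assumption: it travels in a URL fragment).
function encryptForUpload(plaintext, ttlSeconds, now = Date.now()) {
  const key = crypto.randomBytes(32);   // AES-256 key, stays with the client
  const iv = crypto.randomBytes(12);    // 96-bit GCM nonce, fresh per file
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();      // 16-byte authentication tag
  const upload = {
    blob: Buffer.concat([iv, tag, ciphertext]),
    expiresAt: now + ttlSeconds * 1000,
  };
  return { upload, keyFragment: key.toString('base64url') };
}

// Server side (hypothetical in-memory store): it holds opaque bytes and an
// expiry time, and has no field that could carry the key.
class BlobStore {
  constructor() { this.items = new Map(); }
  put(upload) {
    const id = crypto.randomBytes(16).toString('hex');
    this.items.set(id, upload);
    return id;
  }
  get(id, now = Date.now()) {
    const item = this.items.get(id);
    if (!item) return null;
    if (now >= item.expiresAt) {        // TTL reached: delete and refuse
      this.items.delete(id);
      return null;
    }
    return item.blob;
  }
}

// Recipient side: decrypt with the key from the link. final() throws if the
// blob was modified or the key is wrong, because the GCM tag will not verify.
function decryptDownload(blob, keyFragment) {
  const key = Buffer.from(keyFragment, 'base64url');
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}
```

The expiry check here runs on read; a real service also needs a background sweep so that expired blobs nobody requests are removed from storage and backups.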

Simplified Breach Response

Article 33 requires breach notification within 72 hours. However, Article 34(3)(a) provides an exception: notification to data subjects is not required if "the controller has implemented appropriate technical and organisational protection measures... in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption."

If your files were shared with client-side encryption and the server is breached, the encrypted data is unintelligible to the attacker. This may exempt you from the obligation to notify affected individuals — a significant reduction in breach response burden.

Practical Scenarios for Businesses

Law Firms

Client confidentiality is paramount. Sharing case documents via Google Drive makes Google a processor of privileged legal communications. Using zero-knowledge links means the document is encrypted before upload. Set a 24-hour TTL or single-use download. The server never sees the contract contents.

Healthcare Providers

Medical records fall under GDPR's "special categories of data" (Article 9), requiring even stricter protection. Sharing test results or referral letters through email exposes them to multiple intermediaries. Client-side encryption ensures the medical data is only readable by the intended recipient.

HR Departments

Hiring processes involve CVs, ID copies, salary information and background check results. Sharing these files via Dropbox creates processor relationships and retention concerns. Zero-knowledge links with short TTLs ensure documents expire automatically after the hiring decision.

Accountancy Firms

Tax documents contain Social Security numbers, income details and bank information. Clients typically email these files. Replacing email attachments with encrypted links removes the email provider from the processing chain and adds automatic expiration.

What About International Transfers?

GDPR Chapter V restricts transfers of personal data outside the European Economic Area (EEA). When you use a US-based service (Google, Dropbox, WeTransfer), your personal data is transferred to US servers, triggering additional requirements (Standard Contractual Clauses, adequacy decisions, etc.).

The Schrems II ruling (2020) invalidated the EU-US Privacy Shield. While the EU-US Data Privacy Framework (2023) provides a new mechanism, its long-term stability remains uncertain. Using a US-based file sharing service for personal data requires ongoing monitoring of the legal framework.

With zero-knowledge encryption, the international transfer question is simplified. The server stores only encrypted data that it cannot access. Even if the server is in the US, no personal data in the GDPR sense is accessible to the US-based operator. SecureSend, built into UnveilPass, is hosted in France (OVH) within the EEA — but even if it were not, the zero-knowledge architecture means the operator cannot access the transferred data.

Building a GDPR-Compliant File Sharing Policy

For businesses looking to improve their file sharing practices, here is a practical framework:

The Bottom Line

GDPR compliance for file sharing is not primarily about checking boxes — it is about ensuring that personal data is genuinely protected during transfer. Client-side encryption with zero-knowledge architecture is the most effective technical measure available. It satisfies Article 32's encryption requirement, simplifies the data processor chain, enables automatic data minimization through TTL and can exempt you from certain breach notification obligations.

For any business handling personal data in the European Union, replacing unencrypted file sharing with zero-knowledge alternatives is one of the highest-impact compliance improvements you can make.
