GDPR-Compliant File Sharing With Clients: What You Actually Need
Most small businesses and freelancers in the EU share client files over email, Google Drive, Dropbox, or WeTransfer — and most of them have never thought about whether that's GDPR compliant.
It usually isn't. Not because the tools are inherently dangerous, but because of two specific requirements that almost everyone skips: the Data Processing Agreement and the question of where data actually lives.
This guide explains both — practically, without legal jargon — so you know what you actually need to do.
Quick answer (TLDR)
- Sharing files containing personal data with a third-party tool makes that tool a data processor under GDPR
- You need a signed DPA with every tool that processes personal data on your behalf — most people don't have these
- EU storage is the simplest path to compliance; US-hosted tools require additional transfer mechanisms (SCCs) that add complexity
- Most common client files — contracts, proposals, financial docs, invoices — contain personal data
What counts as personal data in client files
GDPR defines personal data broadly: any information that relates to an identifiable person.
In practice, almost every client file qualifies:
- Contracts and engagement letters — names, addresses, signatures
- Invoices — client name, address, tax ID
- Financial documents — bank statements, payslips, tax returns, P&L figures
- Intake forms — contact details, sometimes health or legal information
- Proposals — client name and business information
- Correspondence — names, contact information, circumstances
If you're in legal, accounting, HR consulting, healthcare, or financial services, your files regularly contain what GDPR calls special categories of data — financial records, health information, legal matters — which are subject to even stricter handling requirements.
The two GDPR requirements most people miss
1. The Data Processing Agreement (DPA)
When you store or send client files using a third-party tool — an email provider, a cloud storage service, a file sharing platform — that tool is processing personal data on your behalf. Under GDPR Article 28, you (the controller) must have a signed DPA with every such processor before any processing begins.
A DPA is a contract that specifies:
- What data is being processed and for what purpose
- How long it's retained
- What security measures the processor applies
- Which sub-processors are used
- What happens to data upon termination
Most small businesses have never signed a DPA with any of their tools. That's the gap.
What this means practically: Before you can legally use a file-sharing tool to handle client personal data, that tool needs to offer a DPA — and you need to actually sign it. Many tools offer DPAs only on paid plans.
2. Where data is stored
GDPR restricts transferring personal data outside the EU unless specific conditions are met. The most common mechanism is Standard Contractual Clauses (SCCs) — a template contract approved by the European Commission — which US-based providers like Google, Dropbox, and Microsoft rely on.
SCCs are legally valid, but they come with complexity:
- You need to verify the provider actually uses them
- Data may still be accessible to US authorities under US law
- Some EU member states and data protection authorities take stricter positions, particularly for regulated professions
- The Schrems II ruling introduced ongoing uncertainty about US transfers
EU storage eliminates this entirely. If data never leaves the EU, there is no transfer to worry about, no SCCs to verify, and no ambiguity about which legal framework governs the data.
What the common tools actually look like under GDPR
Gmail / Outlook
Your email provider processes every attachment you send. Google and Microsoft both offer DPAs — but only if you're on a paid Workspace / 365 plan. If you're on a free Gmail account and sending client contracts as attachments, you don't have a DPA in place. That's a violation.
Even on paid plans, email is a poor choice for client file management: no version control, files get buried, and you can't revoke access when a client relationship ends.
Google Drive / Dropbox
Both offer DPAs on business plans and rely on SCCs as the transfer mechanism for moving EU data to their infrastructure. Compliant in the narrow sense — if you've actually signed the DPA, which most people haven't. Data may reside on US infrastructure.
Neither tool is designed for the client-facing use case: clients need accounts, permissions are opaque, and there's no messaging layer. Compliance aside, they're the wrong tool for the job.
WeTransfer (free)
WeTransfer's free tier stores files on US infrastructure and does not offer a DPA. Sending personal data over free WeTransfer is a GDPR violation if you haven't got a separate data processing agreement — which you can't get on the free tier.
WeTransfer's paid plans offer a DPA. But links expire in 7 days, there's no persistent workspace, and every project means a new link. It's a one-shot delivery tool, not a client document layer.
No DPA available. Data processed by Meta, including content. Not a compliant channel for client documents. Widely used anyway, including in legal and accounting practices.
What a GDPR-compliant setup looks like
You need a tool where:
- A DPA is available — ideally on all plans, not just enterprise tiers
- Data is stored in the EU — ideally with a provider you can verify (not just "we use SCCs")
- The tool is operated by an EU entity — so your contractual relationship is governed by EU law
- You can control access — revoke when a client relationship ends, rather than leaving files in shared folders forever
For the client-facing document layer specifically, a per-client portal model is also better for GDPR reasons beyond just storage: each client only sees their own data, there is no shared workspace where documents from different clients could mix, and you can revoke access cleanly when the engagement ends.
What to check before you sign up for any tool
Ask these questions:
- Is a DPA available? On my plan, not just on a custom enterprise contract?
- Where is data stored? Germany, Ireland, Netherlands — or the US?
- Who operates the company? EU-registered entity, or a US parent company with a nominal EU subsidiary?
- Can I sign the DPA before processing starts? The DPA must be in place before you start uploading client data — not retroactively.
Where Droplana fits
Droplana is a client portal built for this use case — one isolated portal per client, files and messages in one place, no account required for the client to open their documents.
From a GDPR standpoint: all files, messages, and metadata are stored exclusively on Hetzner infrastructure in Germany. The product is operated by Ubique d.o.o., a company registered in Croatia, EU. Every sub-processor is EU-based — storage and infrastructure (Hetzner, Germany), mail delivery (Brevo, France), payments (Creem, Estonia). A DPA is available for all plans.
That combination — EU company, EU storage, DPA available from the start — means you're not piecing together SCCs and hoping the transfer mechanism holds. The data stays in the EU, the DPA exists, and your contractual relationship is with an EU entity.
The free tier covers your first client. If you're currently sharing sensitive client files over email or a US-hosted Drive folder and GDPR applies to your work, it's the lowest-friction way to fix that.
Wrapping up
GDPR compliance for file sharing comes down to two things: sign the DPA, and understand where your data lives. Most small businesses and freelancers in the EU haven't done either — not because they're indifferent to compliance, but because the tools they use don't make these requirements obvious.
The practical fix is simpler than it sounds: pick a tool that offers a DPA on the plan you're actually using, stores data in the EU, and is operated by a company subject to EU law. Then sign the DPA before you start uploading client data.
That covers the core of what GDPR requires for this part of your workflow.