guides

GDPR Compliant File Transfer: A Practical Guide for EU Businesses

What actually makes a file transfer GDPR compliant, a checklist you can copy, and how to handle the common cases: HR documents, client data, board papers and more.

2 views

A file transfer is GDPR compliant when the personal data inside it is encrypted in transit and at rest, stored on infrastructure covered by EU rules, kept no longer than needed, and handled by a provider that can tell you clearly what it does with the data. That is the short answer. The rest of this guide turns it into a checklist you can actually use, whether you end up choosing OONOO or something else.

Why email attachments and free tools fall short

Most GDPR problems with file sharing are not dramatic breaches. They are ordinary habits: a spreadsheet of customer details sent as an email attachment that now lives forever in three inboxes, or a contract uploaded to a free tool that stores it in a US data centre indefinitely. GDPR expects you to know where personal data is, who can reach it, and when it gets deleted. Attachments and forever-links make all three questions unanswerable.

The five things to check

1. Where the data is stored

GDPR does not ban storing data outside the EU, but the moment your provider does, you need a legal transfer mechanism and you inherit questions about foreign access laws (like the US CLOUD Act, which can compel US providers to hand over data they control, wherever it sits). The simplest position to defend is a provider that stores files on EU servers, full stop.

2. Encryption in transit and at rest

Article 32 asks for security appropriate to the risk, and encryption is named explicitly. In practice: the upload and download must run over an encrypted connection, and the file must be stored encrypted. If a provider cannot say "in transit and at rest" plainly, keep looking.

3. Retention: files must expire

Storage limitation is a core GDPR principle. Personal data should not outlive its purpose. For file transfers this has a very practical shape: the link should expire, and the file should be deleted, automatically, on a schedule you chose. If deletion depends on someone remembering to clean up, it will not happen.

4. Access control

Who can open the link? Anyone who gets forwarded it? A good setup limits how many times a file can be downloaded, lets you cut access off after a set period, and, when the stakes justify it, verifies who the recipient really is before the file opens.

5. A provider that answers processor questions

Under GDPR the transfer service is your processor. You should be able to find out, without archaeology: what data they hold about senders and recipients, whether they sell or share it, and how you can have it removed. If the privacy policy dodges these, that is your answer.

A checklist you can copy

Question to askWhat a good answer looks like
Where are files stored?EU data centres, stated plainly
Is data encrypted?In transit and at rest
When are files deleted?Automatically, after a period you choose
Can access be limited?Expiring links and download limits
Can you verify the recipient?Ideally yes, for sensitive transfers
Is there a record of the handover?Timestamped, ideally signed, receipt
Is user data sold or shared?A clear no

How OONOO handles each point

OONOO was built in the Netherlands with exactly this checklist in mind, so the answers are short:

There is no subscription: you pay per send, and the current rates are on the pricing page.

Common situations, mapped

SituationSensible setup
HR documents to a new employeeEncrypted transfer, 48h expiry, download limit 1
Client database extract to an agencyTransfer with NDA signed before download
Financial figures to an external accountantShort expiry plus ID verification
Board papers for review onlyView Only, so nothing lands on personal devices
Design drafts to a prospectView Only with a 72h window

One honest caveat

No tool makes you GDPR compliant by itself. Compliance is about your whole process: what you collect, why, and who touches it. A file transfer service with EU storage, encryption and auto-deletion removes one of the most common weak spots, but it does not replace the rest of your homework. For the paperwork side, our free sample letters cover GDPR requests like data removal and subject access.

Comparing providers? We wrote honest side-by-sides against the two tools people usually arrive from: OONOO vs WeTransfer and OONOO vs DocuSign.

Frequently asked questions

What makes a file transfer service GDPR compliant?

Encryption in transit and at rest, a clear answer on where files are stored (ideally EU servers), automatic deletion after a defined retention period, access controls such as expiring links, and a provider that does not sell or share user data.

Is it legal to use US file sharing services under GDPR?

It can be, with the right transfer mechanisms in place, but it adds legal complexity, including exposure to the US CLOUD Act. Many EU businesses choose EU-based providers simply because the compliance position is easier to defend.

Does GDPR require files to be deleted after sending?

GDPR's storage limitation principle requires that personal data is not kept longer than needed for its purpose. Automatic expiry and deletion after a sender-chosen period is the cleanest way to honour that in file transfers.

Is OONOO GDPR compliant?

Yes. Files are encrypted, stored on EU servers in the Netherlands, and deleted automatically after the retention period you choose (24 hours to 1 month). OONOO does not sell or share user data, and senders do not need an account.

Can I prove who received a file?

Yes. Attach an agreement and the recipient signs before access, creating a timestamped record. For stronger proof, the ID verification add-on matches the recipient's government ID against the agreement name and produces an audit receipt.

Tags

gdpr file transfer eu compliance
Share this article Share on X Share on LinkedIn

More from guides

Back to all news