A file transfer is GDPR compliant when the personal data inside it is encrypted in transit and at rest, stored on infrastructure covered by EU rules, kept no longer than needed, and handled by a provider that can tell you clearly what it does with the data. That is the short answer. The rest of this guide turns it into a checklist you can actually use, whether you end up choosing OONOO or something else.
Why email attachments and free tools fall short
Most GDPR problems with file sharing are not dramatic breaches. They are ordinary habits: a spreadsheet of customer details sent as an email attachment that now lives forever in three inboxes, or a contract uploaded to a free tool that stores it in a US data centre indefinitely. GDPR expects you to know where personal data is, who can reach it, and when it gets deleted. Attachments and forever-links make all three questions unanswerable.
The five things to check
1. Where the data is stored
GDPR does not ban storing data outside the EU, but the moment your provider does, you need a legal transfer mechanism and you inherit questions about foreign access laws (like the US CLOUD Act, which can compel US providers to hand over data they control, wherever it sits). The simplest position to defend is a provider that stores files on EU servers, full stop.
2. Encryption in transit and at rest
Article 32 asks for security appropriate to the risk, and encryption is named explicitly. In practice: the upload and download must run over an encrypted connection, and the file must be stored encrypted. If a provider cannot say "in transit and at rest" plainly, keep looking.
3. Retention: files must expire
Storage limitation is a core GDPR principle. Personal data should not outlive its purpose. For file transfers this has a very practical shape: the link should expire, and the file should be deleted, automatically, on a schedule you chose. If deletion depends on someone remembering to clean up, it will not happen.
4. Access control
Who can open the link? Anyone who gets forwarded it? A good setup limits how many times a file can be downloaded, lets you cut access off after a set period, and, when the stakes justify it, verifies who the recipient really is before the file opens.
5. A provider that answers processor questions
Under GDPR the transfer service is your processor. You should be able to find out, without archaeology: what data they hold about senders and recipients, whether they sell or share it, and how you can have it removed. If the privacy policy dodges these, that is your answer.
A checklist you can copy
| Question to ask | What a good answer looks like |
|---|---|
| Where are files stored? | EU data centres, stated plainly |
| Is data encrypted? | In transit and at rest |
| When are files deleted? | Automatically, after a period you choose |
| Can access be limited? | Expiring links and download limits |
| Can you verify the recipient? | Ideally yes, for sensitive transfers |
| Is there a record of the handover? | Timestamped, ideally signed, receipt |
| Is user data sold or shared? | A clear no |
How OONOO handles each point
OONOO was built in the Netherlands with exactly this checklist in mind, so the answers are short:
- Files live on EU servers (Netherlands) and nowhere else.
- Every transfer is encrypted in transit and at rest.
- You pick the retention period per send: 24 hours, 48 hours, 72 hours, 2 weeks, or 1 month. When it ends, the file is deleted automatically.
- You set a download limit (1 to 8) per transfer, and View Only sends let recipients read a file in the browser without downloading it at all.
- For sensitive handovers, an agreement can be attached that the recipient signs before access, and an optional €5.00 ID verification checks their government ID against the agreement name.
- OONOO does not sell or share user data, and no account is needed to send, so there is less personal data in the system to begin with.
There is no subscription: you pay per send, and the current rates are on the pricing page.
Common situations, mapped
| Situation | Sensible setup |
|---|---|
| HR documents to a new employee | Encrypted transfer, 48h expiry, download limit 1 |
| Client database extract to an agency | Transfer with NDA signed before download |
| Financial figures to an external accountant | Short expiry plus ID verification |
| Board papers for review only | View Only, so nothing lands on personal devices |
| Design drafts to a prospect | View Only with a 72h window |
One honest caveat
No tool makes you GDPR compliant by itself. Compliance is about your whole process: what you collect, why, and who touches it. A file transfer service with EU storage, encryption and auto-deletion removes one of the most common weak spots, but it does not replace the rest of your homework. For the paperwork side, our free sample letters cover GDPR requests like data removal and subject access.
Comparing providers? We wrote honest side-by-sides against the two tools people usually arrive from: OONOO vs WeTransfer and OONOO vs DocuSign.
Frequently asked questions
What makes a file transfer service GDPR compliant?
Encryption in transit and at rest, a clear answer on where files are stored (ideally EU servers), automatic deletion after a defined retention period, access controls such as expiring links, and a provider that does not sell or share user data.
Is it legal to use US file sharing services under GDPR?
It can be, with the right transfer mechanisms in place, but it adds legal complexity, including exposure to the US CLOUD Act. Many EU businesses choose EU-based providers simply because the compliance position is easier to defend.
Does GDPR require files to be deleted after sending?
GDPR's storage limitation principle requires that personal data is not kept longer than needed for its purpose. Automatic expiry and deletion after a sender-chosen period is the cleanest way to honour that in file transfers.
Is OONOO GDPR compliant?
Yes. Files are encrypted, stored on EU servers in the Netherlands, and deleted automatically after the retention period you choose (24 hours to 1 month). OONOO does not sell or share user data, and senders do not need an account.
Can I prove who received a file?
Yes. Attach an agreement and the recipient signs before access, creating a timestamped record. For stronger proof, the ID verification add-on matches the recipient's government ID against the agreement name and produces an audit receipt.