So much for cloud nine: data transfer in times of the DSGVO

Freelancers know the problem. The project data must go to the customer, to the printing house or elsewhere. CDs and DVDs have long been out of fashion, but e-mail cannot carry X gigabytes. So you take one of the data transfer services from the cloud. This is convenient and fast, but is it permissible, and should you really want that?

The initial situation: the file must go here and there

Let’s tackle the problem from the root. The print data for your customer’s annual report must be sent as a print-ready PDF to the printer in Poland. E-mail is not suitable because your provider’s size limits are too small for your project. You need not even ask what the limits look like for the printing house’s mailbox. You could burn a DVD, but printing is supposed to start tomorrow morning. It was to be expected that your customer would come with changes at the last moment.

Why Dropbox, WeTransfer and a few more are not the answer

All that remains is a cloud provider that promises to make your data available on a server for download by authorized individuals. There are a lot of them. This starts with the classic cloud storage solutions Google Drive, OneDrive or Dropbox, but if you use such a service for your business, you typically do not want to host customer downloads there.


The cloud is only someone else’s computer 😉 (Photo: Depositphotos)

It would be better to use a service that does nothing more than provide a download for a defined period of time. When the period expires, the service deletes the download and you’re done. There are several services of this type, the best known probably being WeTransfer.

With WeTransfer you can deposit data packets of up to 2 GB for free. You give the generated link to your customer or, as in our example, the printer, who can then download the PDF of the annual report. It is easy, fast and reliable. It is no wonder that WeTransfer and its competitors, such as Lickety Link, File Pizza, Surge Send and all the others, are very popular.

The reason why I do not actively use these services as an uploader is that, as a rule, the generated link itself represents access to the data. That is too simplistic, and it should be seen as too simplistic. In the case of the annual report, it may not be very critical, because these documents are usually made for the public, but other scenarios are of course conceivable as well.

If you are wondering what alternatives exist, read on. Below, I introduce you to the German service provider

The DSGVO tightened the conditions for data transfer enormously

The precautionary principle just described has been anchored in law since May 2018 by the EU General Data Protection Regulation, DSGVO for short in German (GDPR in English). The basic idea of the DSGVO is data minimisation and data security. In general, data processing should be reduced to an absolute minimum. The storage of any data must meet high security standards, which many experts only really see fulfilled if the respective storage location is within the EU.

Nowadays, cloud providers mostly use infrastructure from third-party vendors, which makes it difficult to say exactly what is actually flowing through which lines and whether the spooks from the FBI are not rummaging through your data. Essentially, the world market is shared by Amazon with its Web Services, Microsoft with the Azure cloud, and Google with its Cloud Platform. Alibaba Cloud already follows on their heels, ahead of IBM and Oracle. All others are marginal players.

Aggressive pricing and high availability have led to a preponderance of Amazon Web Services (AWS), especially among storage service providers. WeTransfer and even Dropbox also make use of the scalable offering of the former bookseller.

To prove DSGVO compliance, these providers like to refer to additional agreements that they say they have concluded with Amazon. These are said to stipulate that customer data is stored exclusively in Europe. Many a lawyer considers such an agreement inadequate or ineffective, because the American Patriot Act, which compels companies to cooperate with the intelligence services, applies to the company as a whole and not to individual data locations of that company. I’m not the one who wants to find out that the critical lawyers were right in the end.

In any case, it goes without saying that a cloud service that stores data for you, even temporarily, becomes a processor within the meaning of the DSGVO. This means that you have to conclude a written contract with the processor that regulates data protection in line with the GDPR.

Look for a service provider from the EU with server location EU

If you want to be on the very safe side, you leave out third-country vendors and look for a service provider that is based and operates within the EU, with one or more server locations in Germany or in other EU countries. You then still need a data processing agreement with the provider, but you can rely with some certainty on its content being legally compliant.

Incidentally, we have already covered the topic of the DSGVO several times at Dr. Web.

Suitable service providers are not free like WeTransfer, but not so expensive that you could not afford them. With the local services, security comes not only from the location, but also from the concept itself. You do not find shared hosting here; instead you get your own server instance, which you use to handle data transfers.

Before you object now that data transfer can also be organized via SFTP, be aware that I also know that. But, and we will certainly agree quickly, this is not a procedure that can be quickly made familiar to the average customer. So we need something simpler.

DSGVO-compliant data transfer using the example of

By the example of the German I will briefly show you the basics. Let’s start with the price, because if you find out in the end that it does not fit into your budget, you could have saved yourself the time to read.

Clean overview of the downloads.

The service starts at 24.90 EUR net per month. In return, you receive your own server instance located in Germany, 30 gigabytes of storage and a subdomain according to the pattern, whereby the interface is white-label, which means it can be customized with your corporate design.

You do not pay per user, as with the services mentioned above, but per instance, to which you can assign an unlimited number of users. Of course, you can also spend more money. Then you will essentially get more storage space. It is even possible to install the solution on your own server. Obviously, this is the most expensive solution.

The transfer is created by form.

The data is managed conveniently via a web app. The transfer is encrypted in transit via SSL/TLS. Important parameters can be automated, such as the withdrawal of access rights after a download, or the deletion of the download. A meaningful dashboard gives you a detailed look at the history of your downloads. You can make any necessary changes during operation.

The effort of providing a download is low. You enter the e-mail address of the recipient in an ordinary online form, just as if you were writing an e-mail with the file as an attachment. In addition to providing the link to the recipient, you set up password protection so that not everyone who knows the link can start downloading.

The service allows you to design the upload form according to the specifications of your corporate design. You then send the link to the branded upload form to your customer via e-mail, which simplifies uploading and not only conveys that subjective feeling of greater security.

The service does not rely on long-term contracts, so you can cancel monthly. There is no free demo, but if you are not satisfied after seven days of use, you just ask for your money back.
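The following sketch is an added example, not the provider's code and not part of the original article. It shows the access check implied by the features described above (password in addition to the link, limited lifetime, withdrawal of access after a download); all names, the PBKDF2 work factor and the one-download default are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


@dataclass
class Transfer:
    token_hash: bytes   # SHA-256 of the link token; the raw token is never stored
    salt: bytes
    pw_hash: bytes      # derived from the password, which travels on a separate channel
    expires_at: float   # Unix time after which the download is gone
    max_downloads: int = 1
    downloads: int = 0


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_transfer(password: str, ttl_seconds: float, now: Optional[float] = None):
    """Return (link_token, record); only the token goes into the e-mailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
    salt = secrets.token_bytes(16)
    record = Transfer(hashlib.sha256(token.encode()).digest(), salt,
                      _derive(password, salt), now + ttl_seconds)
    return token, record


def authorize_download(rec: Transfer, token: str, password: str,
                       now: Optional[float] = None) -> str:
    """Check link, lifetime, download budget and password, in that order."""
    now = time.time() if now is None else now
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec.token_hash):
        return "denied: unknown link"
    if now >= rec.expires_at:
        return "denied: expired"
    if rec.downloads >= rec.max_downloads:
        return "denied: access withdrawn"
    if not hmac.compare_digest(_derive(password, rec.salt), rec.pw_hash):
        return "denied: wrong password"  # knowing the link alone is not enough
    rec.downloads += 1  # withdraw access after a successful download
    return "ok"
```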

If you need to exchange data more than occasionally with your customers, your co-workers or other project participants, then the few euros for the service are money well spent. By the way, you can advertise aggressively with data security 😉