GDPR (General Data Protection Regulation)
Definition
The General Data Protection Regulation (GDPR) is a regulation of the European Union that came into effect on May 25, 2018. It governs the processing of personal data by companies and organizations within the EU, as well as the export of personal data from the EU. The GDPR replaced the Data Protection Directive 95/46/EC and applies directly in all EU member states without the need for national implementation.
The regulation comprises 99 articles and 173 recitals. It establishes principles such as purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality of processing. Companies that violate the GDPR face fines of up to 20 million euros or 4% of their global annual revenue, whichever is higher.
Simply Explained
Imagine you give a friend your house key so they can water your plants while you are on vacation. You expect them to do only what you asked and not pass the key to anyone else. That is essentially how the GDPR works: when you entrust a company with your data, that company may only use it for the purpose you consented to.
The GDPR is fundamentally a rulebook that dictates how businesses must handle people's personal information. This covers obvious identifiers such as names, email addresses, and phone numbers, but also less obvious ones such as IP addresses and location data. The goal is simple: individuals should retain control over their own data.
Why Does It Matter?
For companies that handle customer data, the GDPR is not an optional recommendation but enforceable law. This is especially relevant for the digital exchange of documents:
- Accountability: Every company that processes personal data must be able to demonstrate GDPR compliance. This applies equally to receiving files from clients or customers.
- Fines: Supervisory authorities have imposed billions of euros in fines in recent years. In 2024 alone, over 2 billion euros in penalties were issued across Europe.
- Trust: Customers and business partners expect GDPR-compliant processes. A data protection violation can cause significant financial and reputational damage.
- International Data Transfers: Companies that process data outside the EU (for example, through US-based cloud services) must meet additional requirements such as Standard Contractual Clauses or adequacy decisions.
Industries such as accounting, legal services, healthcare, and financial services are particularly affected, as they regularly process sensitive personal data.
Practical Example
A mid-sized accounting firm regularly receives documents from its clients: payroll statements, tax assessments, and bank statements. Until recently, these documents were sent via email, often without encryption.
During an audit by the regional data protection authority, it is discovered that the firm has not implemented adequate technical and organizational measures for file transfers. Email attachments were unencrypted, there was no access management concept, and no logging of data access. The authority imposes a fine and orders the firm to implement a GDPR-compliant process for document exchange within three months.
The firm then implements a platform for secure file transfer with encrypted transmission, access logging, and automatic deletion after defined retention periods. The result: GDPR compliance, happier clients, and an auditable trail of all data access.
How SendMeSafe Implements This
SendMeSafe was built from the ground up with GDPR compliance in mind. As a platform hosted in Germany for secure document exchange, we translate GDPR requirements into concrete technical measures:
- Hosting in Germany: All data is stored exclusively on servers in Germany (Hetzner Cloud). There is no data transfer to third countries.
- Encryption: All files are stored with AES-256 encryption and transmitted over SSL/TLS-encrypted connections.
- Data Processing Agreement: SendMeSafe provides a complete DPA for all customers.
- Data Minimization: We collect only the data necessary for secure file transfer. Upload links can be created without requiring personal data from senders.
- Right to Erasure: Files can be configured with automatic expiration dates. Organizations can completely delete all data associated with a client.
- Audit Trail: Every access, upload, and download is logged and traceable for audit purposes.
- Access Controls: Upload links can be configured with password protection, expiration dates, and file size restrictions.
FAQ
Does the GDPR apply to small businesses?
Yes, the GDPR applies to all companies and organizations that process personal data of EU citizens, regardless of their size. Even sole proprietors and freelancers must comply with the GDPR. There are some exemptions for companies with fewer than 250 employees (for example, regarding the obligation to maintain processing records), but the fundamental data protection obligations apply without restriction.
What happens if I send emails containing personal data without encryption?
Sending unencrypted emails containing personal data can constitute a violation of Article 32 GDPR, which requires appropriate security measures. Supervisory authorities have repeatedly clarified that unencrypted email transmission of sensitive data is not GDPR-compliant. Using a secure platform like SendMeSafe for exchanging sensitive documents is a simple and effective measure for GDPR compliance.
Do I need to conduct a Data Protection Impact Assessment when using a file transfer platform?
A Data Protection Impact Assessment (DPIA) is required under Article 35 GDPR when processing is likely to result in a high risk to the rights and freedoms of individuals. When using a platform like SendMeSafe that implements comprehensive security measures, the risk is generally low. However, you should evaluate whether the nature of the transferred data (for example, health data or financial data) necessitates a DPIA. SendMeSafe provides the necessary information to support such an assessment.