Tax Advisor Stores Client Data in Dropbox
Why storing client data in US cloud services like Dropbox poses a serious GDPR problem and what secure alternatives exist.
The Scenario
Berger & Partner is a small tax advisory firm based in Augsburg, Germany, serving around 180 clients — from sole proprietors to mid-sized limited companies. Three years ago, firm owner Thomas Berger introduced Dropbox Business to simplify document exchange with clients. Tax returns, payroll statements, profit and loss reports, and personal tax assessments are routinely shared through Dropbox folders between the firm and its clients.
The system works smoothly in daily operations: office manager Sabine Meier creates a shared folder for each new client and sends out an invitation link by email. Some clients even receive public links without password protection because it is "easier that way." Financial statements from the past three fiscal years sit in a shared folder structure accessible to all firm employees without restriction.
In November 2025, the Bavarian Data Protection Authority (BayLDA) conducts a random audit of three tax advisory firms in the Swabia region — Berger & Partner among them. Within hours, the auditors identify the following issues:
- No Data Processing Agreement (DPA): No DPA pursuant to Art. 28 GDPR has been signed with Dropbox Inc. The standard Dropbox terms of service do not satisfy this requirement.
- Third-country transfer without legal basis: Client data is processed on servers in the United States. Following the Schrems II ruling by the Court of Justice of the EU, no adequate legal basis exists for this transfer. The EU-US Data Privacy Framework is deemed insufficient by the auditors because no Transfer Impact Assessment was conducted.
- Unprotected shared links: 47 of the 180 client folders are accessible via public links — no password, no expiration date, no access controls. The auditors locate three of these links through a simple Google search.
- No audit trail: The firm cannot demonstrate who accessed which client data and when. Dropbox activity logs were never reviewed or archived.
- No content encryption: Files are stored unencrypted in Dropbox. Dropbox itself has technical access to all file contents.
In January 2026, Thomas Berger receives a 12-page enforcement notice from the authority.
The Risks
Using US cloud services like Dropbox for sensitive client data carries risks that extend far beyond formal data protection violations.
US CLOUD Act: American authorities can compel US-based companies — including Dropbox — to hand over data, even when that data is stored on European servers. For tax-related data that is subject to professional secrecy, this risk is particularly severe. A client whose financial records are disclosed to US authorities could suffer significant economic harm.
Schrems II aftermath: The CJEU ruling (C-311/18) invalidated the EU-US Privacy Shield. While the subsequent EU-US Data Privacy Framework provides a mechanism, it requires an individual risk assessment by the data controller. Most small tax advisory firms never conduct this assessment.
Missing Data Processing Agreement: Without a DPA that governs technical and organizational measures, binding instructions, and deletion obligations, the data controller effectively relinquishes control over data processing. Dropbox processes data for its own purposes as well — such as product improvement — which is impermissible without an explicit legal basis.
Public shared links: A link without password protection and expiration is functionally equivalent to publishing the data on the open internet. Search engines can index such links, and anyone who knows or guesses the URL gains unrestricted access to sensitive financial records.
No audit trail: Without comprehensive logging, the firm cannot determine which data was affected in the event of a breach, who accessed it, or when. The notification obligation under Art. 33 GDPR cannot be properly fulfilled without this information.
Legal Consequences
The data protection violations span multiple regulatory provisions simultaneously:
Art. 44-49 GDPR — Third-country transfers: Any transfer of personal data to a third country requires a legal basis under Chapter V of the GDPR. Without an adequate level of protection, Standard Contractual Clauses with supplementary measures, or an approved certification, the transfer is unlawful. Fines of up to 20 million euros or 4% of annual global turnover may apply.
Art. 28 GDPR — Data processing: The controller may only engage processors that provide sufficient guarantees and with whom a contract meeting the requirements of Art. 28(3) has been concluded. Using Dropbox without a DPA directly violates this obligation.
Art. 32 GDPR — Security of processing: Unprotected shared links and the absence of encryption violate the obligation to ensure a level of security appropriate to the risk. Tax data — which routinely reveals financial circumstances, health-related expenditures, and family situations — demands a high level of protection.
German Tax Advisory Act (StBerG) Section 57 — Professional secrecy: Tax advisors in Germany are subject to a statutory duty of confidentiality. Storing client data in a cloud service where the provider and potentially foreign authorities can access the contents constitutes a breach of this duty. In the most severe cases, the advisor's license may be revoked.
Art. 33/34 GDPR — Breach notification: The publicly discoverable shared links constitute a reportable data breach that must be notified to both the supervisory authority and the affected clients.
Financial Impact
| Cost Item | Estimated Amount |
|---|---|
| Fine from data protection authority (third-country transfer) | 15,000 – 50,000 € |
| Fine for missing DPA | 5,000 – 15,000 € |
| External data protection consultant (immediate remediation) | 3,000 – 8,000 € |
| Client notification pursuant to Art. 34 GDPR | 2,000 – 5,000 € |
| Migration to GDPR-compliant solution | 1,500 – 4,000 € |
| Legal representation in enforcement proceedings | 3,000 – 12,000 € |
| Reputational damage and client attrition | 5,000 – 30,000 € |
| Total estimated cost | 30,000 – 120,000 € |
These estimates are based on published fine decisions by German data protection authorities against small and medium-sized businesses. In cases of particularly severe violations or lack of cooperation, the amounts may be substantially higher.
How to Prevent This
SendMeSafe was built specifically for scenarios like document exchange in tax advisory firms — with data protection as a foundational principle, not an afterthought.
EU-hosted infrastructure: All data is exclusively processed and stored on Hetzner servers in Germany. No third-country transfer takes place. The complications arising from the CLOUD Act and the Schrems II ruling are entirely eliminated.
End-to-end encryption: Files are stored with AES-256 encryption. Even in the event of a server breach, the contents are worthless without the decryption key.
Secure upload links: Instead of open Dropbox folders, firms create individual upload links for each client. Each link can be configured with a password, an expiration date, and a maximum file size. Once expired or used, the link is automatically deactivated.
Complete audit trail: Every access event, every upload, and every download is logged with a timestamp, IP address, and user identifier. During a regulatory audit, the firm can demonstrate at any time who accessed which data and when.
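The upload-link controls and audit trail described above, as an added Python example (not SendMeSafe's code): a single-use link with password, expiry and size cap, where every accept or refuse decision produces an audit record. The `LinkService` class, its method names and the in-memory storage are assumptions for illustration; persistent storage, HTTP handling and transport encryption are left out.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
from typing import Callable, Optional
# Constructed example, not SendMeSafe's code: one-time upload links with password, expiry
# and size cap; every decision goes to an audit trail that stores only a token prefix.

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)  # slow KDF

@dataclass
class UploadLink:
    expires_at: float
    max_bytes: int
    password_hash: Optional[bytes]  # None means no password was set on the link
    used: bool = False

class LinkService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock           # injectable so expiry can be tested deterministically
        self.links: dict[str, UploadLink] = {}
        self.audit: list[dict] = []  # append-only trail: when, what, who, from where

    def _log(self, event: str, token: str, ip: str, user: str) -> None:
        self.audit.append(dict(ts=self.clock(), event=event, link=token[:8], ip=ip, user=user))

    def create(self, created_by: str, ttl_seconds: int, max_bytes: int,
               password: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)  # 256-bit random: neither guessable nor indexable
        pw_hash = _hash_password(password, token.encode()) if password else None  # token as salt
        self.links[token] = UploadLink(self.clock() + ttl_seconds, max_bytes, pw_hash)
        self._log("link_created", token, "-", created_by)
        return token

    def upload(self, token: str, ip: str, size: int, password: Optional[str] = None) -> str:
        link = self.links.get(token)
        if link is None:
            reason = "unknown_link"
        elif self.clock() > link.expires_at:
            reason = "expired"
        elif link.used:
            reason = "already_used"
        elif link.password_hash is not None and not hmac.compare_digest(
                link.password_hash, _hash_password(password or "", token.encode())):
            reason = "bad_password"
        elif size > link.max_bytes:
            reason = "too_large"
        else:
            link.used = True  # single use: deactivated after one successful upload
            reason = "accepted"
        self._log("upload_" + reason, token, ip, "client")  # refusals are logged too
        return reason
```

`upload` returns `"accepted"` or the refusal reason, and the same string is written to the trail, so a reviewer can later reconstruct who tried which link, when, from where, and what happened.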
DPA included: SendMeSafe provides a Data Processing Agreement that meets all requirements of Art. 28 GDPR. No additional negotiation effort, no legal uncertainty.
Seamless integration into daily workflows: Clients receive a simple link through which they can upload receipts, tax assessments, and documents — without registration, without creating an account, without technical barriers. The firm retains full control at all times.
Learn more about the security architecture of SendMeSafe or start a free 14-day trial today.
Frequently Asked Questions
Is Dropbox not GDPR-compliant?
Dropbox offers Standard Contractual Clauses and has certified under the EU-US Data Privacy Framework. However, this alone does not ensure GDPR compliance. The data controller — in this case the tax advisory firm — must conduct its own risk assessment (Transfer Impact Assessment), implement supplementary technical measures, and execute a comprehensive DPA. In practice, most small firms do not complete these steps, leaving the use of Dropbox non-compliant.
Can tax advisors use cloud services at all?
Yes, the use of cloud services is fundamentally permissible for tax advisors — provided that data protection and professional law requirements are met. The key conditions are that data is processed exclusively within the EU, a valid DPA is in place, adequate technical safeguards such as encryption are implemented, and the duty of professional secrecy under German law is maintained. EU-hosted services like SendMeSafe meet these requirements by design.
What happens if a client reports the Dropbox violation?
Every data subject has the right to lodge a complaint with a data protection authority (Art. 77 GDPR). Such a complaint typically triggers a formal investigation by the authority. Additionally, the client may claim compensation under Art. 82 GDPR for both material and non-material damages. For tax advisors specifically, the professional chamber may impose disciplinary sanctions that can range from a formal warning to revocation of their professional license.
How quickly must I respond after a data breach?
Under Art. 33 GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it. If there is a high risk to the rights of the individuals concerned — which is regularly the case with tax data — the affected clients must also be notified without undue delay (Art. 34 GDPR). Late notifications are treated as a separate violation and can increase the fine.