
This is how we implement the new European General Data Protection Regulation, here at Boxcryptor.

Andrea Pfundmeier | CEO


Boxcryptor’s GDPR Journey Part 4: Dealing with Third Party Providers

Since May 25th 2018 the new General Data Protection Regulation (GDPR) applies to Boxcryptor and to every company that processes personal data of EU citizens. This regulation of the European Union is fundamentally reshaping how personal data is processed within the EU. It demands far-reaching changes and restructuring within companies, and surveys show that the GDPR is striking fear into many of the companies affected by it.
We at Boxcryptor decided to see the GDPR as an opportunity rather than a threat. Therefore, Boxcryptor CEO Andrea Pfundmeier reports in a multi-part series of articles how the new GDPR is implemented and applied at Boxcryptor.

Read the other parts of the series here:

Part 1 – Getting an overview (Steps 1-4)
Part 2 – Optimization of existing processes (Steps 5-8)
Part 3 – Internal implementation and external data protection officers
Part 5 – Encryption
Part 6 – Before GDPR is past GDPR

Step 9: Review of Third Party Providers

Third party providers are companies and services we depend on to run our business. In the framework of the new GDPR, the term applies to all providers processing personal data on our behalf. Here are some examples:

  • Mailchimp – email newsletter distribution
  • Onapply – web-based job application processing
  • Salesforce – invoicing and customer retention management
  • Dropbox – storage of company data

As described in step 2 (documenting processes), I have already compiled a complete list of third party services. Now every one of them has to be checked for GDPR compliance.
To do this, I first researched the providers’ websites for information on the status of their GDPR compliance measures. Some companies have been diligent and already provide extensive information on the matter, e.g. Mailchimp’s GDPR information page.
For the companies where I was able to find all the necessary information, I added a checkmark to my list. In all other cases I contacted the respective company and asked for a statement on the following questions:

  1. What is the current status of GDPR implementation?
  2. When will GDPR compliance be achieved?
  3. When will the company be able to send me the respective documents?

In some cases the companies responded quite extensively; in others I was simply redirected to the legal department or received a date by which GDPR compliance is supposed to be achieved. The answers were recorded on my list, and I created templates for further requests so that I will not lose track in the future.

Third Party Providers and the External Data Protection Officer

In part 3 of our GDPR article series I also mentioned the appointment of an external data protection officer (DPO), despite not being legally obligated to do so. As CEO, I am not permitted by law to take on this position myself. Furthermore, none of our employees has enough capacity to take on this responsibility. In addition, the necessary initial and follow-up trainings would probably overwhelm our current start-up structures. I also took into account that internal DPOs enjoy protection against dismissal, a fact that some employers will find interesting.

Supervision of service providers and the implementation of guidelines for commissioned data processing are part of the DPO’s work. In recruiting a DPO for our company, industry knowledge was a crucial criterion for me. For us as an IT company, it is essential that our service providers know our internal processes and the tools we work with. Furthermore, I need partners who are open-minded towards future innovations.

Apart from that, I consciously chose a regional DPO, to keep personal contact as simple as possible. Short distances for trainings and other appointments are really important to me, as is mutual trust. To see whether this trust develops over the course of our collaboration, we initially agreed to a one-year contract duration.

As with many topics, talking to other entrepreneurs and exchanging experiences about external DPOs has proven to be very helpful. By doing so, you will certainly receive valuable references.
