Nextcloud helps you being GDPR-compliant

Originally published at:

When the General Data Protection Regulation (GDPR) became a topic in 2016, most companies didn’t immediately realize that they were affected. But they quickly realized that GDPR is not yet another legislation about European companies: any company doing business with European citizens’ personal data was affected by the text, whether the business itself was European-based or not. And the definition of personal data is wider than you may think at first sight: any data linked to a person is considered as personal data. It can be their e-mail address, the name of their company, the details of their bank account that you have in your database. Or their purchases on your e-commerce solution. If your company owns any data of this kind, you’d better have a look at what GDPR is about and how you can be compliant.


Picking the right EFSS solution

Picking the right Enterprise File Sync, Share, and Collaboration solution to be GDPR is not easy. Using a free Public Cloud is certainly the worst idea you could have: do you have a clear proof that your customers consented to have their driving license uploaded on Google servers in the USA, with all the privacy and security concerns it implies? All US-based companies currently worry about GDPR, since they cannot ensure the "adequate level of protection" (General Data Protection Regulation, article 45). The Privacy Shield has been presented as a solution but it suffers from a lack of confidence in Europe and from constant legal challenges. Privacy experts have raised issues more than once, and it is questionable if relying on the Privacy Shield is a long-term solution for enterprises doing business in Europe.

But companies face another issue: they often use legacy solutions like an internal Windows Network Drive with, precise access rights management and trackable use of data. But their employees have started to work around them years ago already because collaboration with these solutions is a real pain. So, they adapted. They send sensitive company information through insecure email attachments or, worst, from their personal Dropbox or Google Drive account, completely against the rules codified in the GDPR. If that information leaks, or even by the simple fact that the persons whose data is being shared so irresponsible haven’t given their approval, your organization has a huge legal problem. Fines can go up to 20 million or 4% of annual revenue, whichever is greater. Per incident. Think how many files are emailed as attachments per day by your employees…

So, what are the criteria you should examine when picking a GDPR-compliant EFSS solution?

Data cartography and access

Being GDPR-compliant starts with one requirement: knowing which data you have, where they are stored, and who has access to these data.

If the data authority of your country controls your company, you must be able to provide them with a full list of your data processing and precise information about who has access to which data, where they are stored and how they are managed.

Nextcloud offers a full audit trail with audit logs including:

  • user session (login, logout, user agent)
  • file handling (download, upload, modify, (un)delete, tag, comment, restore old version)
  • user management (creating/deleting/changing user, setting a password)
  • sharing (creating, deleting, changing permissions, updating a password, setting an expiration date
To ensure various levels of legal compliance, personal data must be stored in certain countries only. For distributed companies, our Global Scale architecture provides an easy way to decide where data should be stored, still ensuring easy collaboration and a seamless experience for users.


Ensuring security of personal data is one of the most important requirements of GDPR: companies must evaluate their risks and mitigate them. Main requirements include:
  • encryption of data at rest, in transit and on the cloud. Your company alone must have the key. That already blocks most server-side encryption solutions and public clouds from usage: if you don't encrypt the data first before sending it off, using Amazon S3, Google, Microsoft or other cloud services is very risky, especially in their free versions.
  • ability to retrieve personal data in case of accidental or non-accidental problems, from malicious attacks to ransomware issues. 2017 might be the year of ransomware but there is no reason to assume the problem is solved in 2018.
  • the software used to manage data must be trustworthy, that is, verified, approved, certified or at least transparent enough (like open source).
These boxes are ticked when using a self-hosted, open source solution like Nextcloud. It offers server-side encryption for external storage, making sure a cloud storage provider would never get access to the data. A further protection is full End-to-end Encryption on the clients which even protects against the Nextcloud server itself being compromised or being run in a jurisdiction without enough protection. And, unique in the industry, it enables very granular application of these protections, letting server administrators pick what storage solutions need full encryption. Users can pick one or more folders to be fully end-to-end encrypted and server administrators can enforce this on certain groups or types of data. On to of that, Nextcloud offers versioning, backup and anti-ransomware facilities and the code is 100% open source and developed aligned to the strictest ISO/IEC27001-2013 standards.

Data retention (no more, no less)

GDPR is clear about the retention of personal data: they must be kept only as long as they are needed, but certain types of personal data must also be kept at least 6 months for legal reasons.

Nextcloud data retention policy allows a perfect control of sharing, with user-friendly options like sharing expiration and password. This way, you can share data with your customers and ensure they don’t have access to data anymore after a defined period of time.

On the other side, our retention app also allows to tag certain types of data to ensure they will not be erased before they are not legally required anymore.

Ensure privacy and respect of data with Nextcloud: discover our analysis of legal issues regarding personal data!



How GDPR compliant is Nextcloud in terms of importing, exporing and deleting your data? Honest question. Not looking for a flame war. I ran a test instance on a host who closed down and all I could send them was a request. No confirmation was ever received on my end, plus they never followed up with me before closing my account. Sure, they are obviously a bad host, but I had no way to export Deck data or other information in apps not supporting import/export. It all just… disappeared from my own access.

Honestly, it is bad. Just being honest, especially when I can use Google Take Out to very simply export and import data from any or all of my accounts. I have no way of knowing if my request was received or if my data was deleted according to GDPR. Also, I could not export my data or actually contact any admin… so, okay. Just curious on the experiences of others and how they’ve handled these issues.

1 Like

That sucks so bad. I’d be devoting my life to hunting down the hosting people to get a reckoning of accounts.

I self-host. If you search for old servers without operating systems installed, you can self-host at a bargain price. I’ve worked out most of the problems of hosting behind residential DHCP connections, so my cost is just the electricity and UPS battery replacements over time.

For the most part your files are just in folders under the OS’s normal management system. I haven’t tried doing a migration type thing with any of my data, but it’s been really stable over time, and I do a lot of things to the system; manage it like I stole it.


This is the complicated situation with Nextcloud Gmbh - they did post a disclaimer on the site when they used to feature the hosting partners page; but there was no guarantee that the hosting providers on the Nextcloud site were actually following good hosting practices. It’s disappointing because they still have their free account sign up function but most of the hosts that are signed up to that have not been vetted for security in any significant way. The problem is that there is an implicit assumption by the consumer that signing up via the Nextcloud software/website will provide them with a quality/secure host. This isn’t the case, and IMO it’s a bit unethical.
Providing Nextcloud certification for hosts has been asked by the good hosts and consumers for a couple of years now but it doesn’t fit into Nextcloud Gmbh’s business model which is focused on enterprise-scale deployments.
IOW; the Nextcloud service is:

Enterprise: Nextcloud Gmbh support.
VPS: Must be a knowledgeable user to self-manage.
Managed VPS/Managed Hosting: Trust advertising.
Self-Host: Must be a knowledgeable user to self-manage.

There’s a huge gap for the individual either disinterested in managing a Nextcloud instance or non-technical consumer that wants to host their data privately. The current model is goofy/not well thought out.


Perhaps you must pay with money or data.

1 Like

I believe the issue is between what the consumer is prepared to pay (perceived price of privacy) and the real price of privacy what Facebook, Google and the likes make their profits off. Once the perceived price is lower than the actual price most are not prepared to spend a couple of dollars/month on a privacy protecting solution and privacy selling business will prevail.

Only when large amounts of people see this there will be viable business to provide services at those price levels. Currently the perceived price is close to zero looking at huge droves who are giving away their privacy for almost nothing.


It is a shame that Nextcloud GmbH itself is not GDPR compliant. For example their privacy policy does not include required details according to GDPR. There is also no process on how to request rectification or a transcript of data according to GDPR. This is very poor of a company that so strongly promotes privacy.

What are you trying to achieve here and with your other comments? Your statements are not supported by facts.
If you do not like the project so please stay away.

I will silence you until next monday and kindly ask you to consider your words carefully in the future.

We need a pleasant, objective manner here. That will help everyone.


GDPR compliance by a non-EU commercial entity is such a can of worms (or minefield, whatever you prefer), it won’t be sorted for years…

Having EU users data stored on EU soil won’t help you.
If the feds come knocking you will provide all the data you have, even on your EU-based servers.
It’s called the CLOUD Act!


I delketed that content because I was posting without full understanding of the topic.

GDPR is a sensitive topic, especially for Europeans.
It is bit similar to talking about “NHS sellout to the US” or “chlorinated chickens in Germany”.
And while it has reasonably well understood rules for European companies, in today’s digital cosmopolitan world it’s barely half the picture…

Here is the simplest way to make your website GDPR compliant: the first time a new user logs in make him/her click through a popup informing the user that all the data will be used at your own discretion… Done! You are GDPR compliant!!

And that’s exactly what Nextcloud is talking about when it claims it helps you.
Just edit the first run wizard PHP file to ask the users to give up their rights, in polite form

You can modify it from time to time and make users accept it again

If you are a multinational and your business model is to collect users data and “sell” them, that’s a different game… But those guys have $100M+ legal departments working on just that…

I don’t care about GDPR. If anyone accesses my site, my private site, it’s bounded to MY rules. Not happy? Sorry, stay away from my private site :wink:

1 Like

Good point…
Make sure your visitors understand this!

If this is not communicated, you put yourself at risk…

1 Like

I agree with you. and what is GDPR?

The basics

What it can trigger

Thank you, I will look into them

So I am in the US, if someone from the EU goes to my website do I need to make it GDPR compliant?

If your site “stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU” - from the linked article above.

That’s the theory…

If you don’t do that, your chance to get in trouble is probably as high as winning the next 6/49.
But at some point EU will make an example out of a foreign company to make the point.
The goal of this legislation is to slow down the FAAGs of this world that happen to be all US companies…

Once again, just ask your visitors to allow you to ignore the GDPR and you’re golden…

1 Like

Ok so I can just have a pop up that says “that this site dose not comply with the GDPR, if you do not agree get lost”?


Just make it sound a bit more polite and that’s all you’ll need…