A note at the outset: When evaluating a tool in terms of data protection law, you must always consider what content is stored in a file repository. Is this personal data or is it data without personal reference? From a data protection perspective, there is nothing to be said against sharing a draft of a new price list via a service such as DropBox. This service is no longer fully recommended for the exchange of participant lists. Sensitive data, such as personnel files, should not be stored in file repositories that can be accessed from the Internet if at all possible.
Below we present some solutions for file storage and online collaboration:
🟢 Cryptpad:
Cryptpad is an open source solution and offers the option to create and edit documents online in addition to file storage. Cryptpad is operated in France and the basic function is free of charge. (https://cryptpad.fr/)
🟢 Nextcloud:
Nextcloud is a complete business suite on an open source basis. In addition to pure file storage, Nextcloud offers countless functions such as calendars, to-do lists and much more. The service can be expanded with many functions via plugins and can be operated on your own servers. There are also many providers from whom you can rent a fully set-up Nextcloud environment. (https://nextcloud.com/)
🟢 Teamdrive: A cloud service for data storage from a German company. (https://teamdrive.com/)
🟡 Dropbox: Here, too, nothing stands in the way of using US service providers under data protection law. However, the use of a Dropbox Business contract is recommended here, as only then will you receive the corresponding data protection guarantees.
🟡 Microsoft Sharepoint and Microsoft OneDrive: In terms of data protection law, there is nothing to prevent the use of US service providers. In the case of Microsoft, however, we urgently recommend checking and adjusting the configuration of Microsoft services at admin level. We also strongly recommend checking the file storage location in the admin interface and changing it to a location in the EU if necessary.
🟡🔴 Google Drive:
Initially, the same assessment applies here as for Microsoft. The fact that there is hardly any reliable information on data processing by Google for its own purposes makes the assessment even more difficult. Another difficulty is that Google's product names and services change very frequently. It is therefore difficult for controllers to track whether the use is appropriate from a data protection perspective.
This is just a small selection of tools that can be used in this area. You can often also rent data protection-compliant file storage from your web hosting provider. The list does not claim to be exhaustive and is not intended as a recommendation. The list merely provides an indication of the assessment from a data protection perspective. We do not receive any support from the companies listed here.