With the General Data Protection Regulation (GDPR) just around the corner, we're committed to being GDPR-ready by May 25, 2018, so that our customers can use Box with GDPR compliance in mind. At Box, we meet the highest bars possible for data privacy, as well as support organizations using Box while meeting data privacy obligations across the globe. With Box, every company — regardless of location or data privacy obligations — can work as one.
The GDPR's global impact
The GDPR harmonizes data privacy laws and regulations across the EU, enhances data protection for EU citizens and reshapes the way organizations approach data privacy. The GDPR covers the personal data of every EU person and provides comprehensive rights to data subjects. Every company that works with European employees, customers and partners will need to comply with the regulation. Failure to meet the GDPR requirements can result in fines up to EUR 20 million or up to 4% of the company’s worldwide annual turnover for the preceding fiscal year, whichever is higher.
Sign your DPA
We make it easy for our customers to formalize and share with their stakeholders, including employees, customers and potential auditors, that they use Box in a way that meets GDPR data processing obligations. The Data Processing Addendum (DPA), pre-signed by Box, is a self-serve and easy-to-execute document that only requires an electronic signature from the customer.
After you execute the DPA, it will automatically be sent to the Box Legal team, and if accurately completed, the DPA will then become legally binding. For reference, please see the "How to Execute this DPA" section in the DPA. We'll communicate with you in the event of any issues. Send questions to DPAprocessing@box.com.
Our GDPR commitment
Our Processor Binding Corporate Rules, Controller Binding Corporate Rules (BCRs), the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks provide legally recognized ways to transfer data across European borders. From Germany, we've also received the Cloud Computer Compliance Control Catalogue (C5) and the Trusted Cloud Data Protection Profile (TCDP). The C5 and the TCDP show we've been independently audited by German organizations for meeting their high bar for adequate security and data protection.
Information use that's fully transparent
The GDPR requires organizations provide more information about the way individuals’ information is used. Box gives you full control of your content and ways to access it, including access controls that allow administrators to grant or rescind access through the Admin Console.
More visibility into processing
Under the GDPR, you should be able to access a copy of your data and know where it's being processed. At Box, our customers can easily exercise these rights with accessible usage logs, effortless downloads and easy management of all third-party integrations.
The right to be forgotten
Under the GDPR, individuals have the right to ask the organizations they work with to delete their personal data. At Box, our customers are in control of their content deletion with trash settings and retrieval. In addition, they have the ability to set retention schedules with Box Governance.
Box enables our customers to enhance their compliance posture comprehensively, beyond data privacy and the GDPR, by allowing them to address data residency requirements, select from key encryption options, and meet retention and legal hold needs. With our enterprise-grade governance, risk and compliance products, you can strengthen your organization's GDPR and data protection story. Learn more about using Box Zones, Box KeySafe and Box Governance in your data protection journey.
Box Consulting and Box Compliance teams come together to help your company understand, prepare for and address evolving compliance requirements with Cloud Content Management.
Hear our VP of Compliance talk about vendor GDPR obligations
The features and functionality you need for GDPR compliance