Spotlight on GDPR

Meet the highest bar for data protection


GDPR readiness with Box

With the General Data Protection Regulation (GDPR) now effective, Box is GDPR-ready so that all customers can use Box as the Cloud Content Management platform to facilitate their GDPR compliance program. At Box, we meet the highest bars possible for data privacy, as well as support organizations using Box while meeting data privacy obligations across the globe. With Box, every company — regardless of location or data privacy obligations — can work as one.

Global impact

The GDPR's global impact

The GDPR harmonizes data privacy laws and regulations across the EU, enhances data protection for EU citizens and reshapes the way organizations approach data privacy. The GDPR covers the personal data of every EU person and provides comprehensive rights to data subjects. Every company that works with European employees, customers and partners will need to comply with the regulation. Failure to meet the GDPR requirements can result in fines up to EUR 20 million or up to 4% of the company’s worldwide annual turnover for the preceding fiscal year, whichever is higher.

Sign your DPA

Box is committed to protecting the privacy of personal data. No matter the changing landscape, including the Court of Justice of the European Union’s (CJEU) Schrems II decision to invalidate Privacy Shield, the United Kingdom’s departure from the European Union (Brexit) or the issuance of updated Standard Contractual Clauses (SCCs) by the European Commission, we’ve made it easy for our customers to maintain a lawful data transfer mechanism.

To offer the most flexible options to customers when it comes to transfers of personal data, our updated Data Processing Addendum (DPA) now includes the recently updated European Economic Area (EEA) SCCs published on 4 June 2021 by the European Commission and references the forthcoming new UK SCCs. The self-serve and easy-to-execute DPA is pre-signed by Box and only requires an electronic signature from the customer.

After you have executed the DPA, it will automatically be sent to the Box Legal team, and if accurately completed, the DPA will then become legally binding. For reference, please see the “How to Execute this DPA” section in the DPA. We’ll communicate with you in the event of any issues.

Our commitment to data privacy

Customer and end-user privacy rights are fundamental to Box. That’s why we committed early on to provide a cloud-based content management platform and product portfolio that not only met, but surpassed industry standards.

Following the issuance of the European Data Protection Board's (EDPB) guidance, we understand that our customers may have additional questions about how Box safeguards customer personal data. To support our customers in meeting their due diligence obligations as controllers and to comply with our own Article 28 obligations as a processor, we’ve created a Due Diligence and Supplementary Measures Report (Report), which will be made available upon request. To request the Report, please contact

See an update below on what we’ve done since the EDPB published its guidance on Supplementary Measures and Essential Guarantees for cross-border data transfers.

Box maintains an array of certifications that supports customers in the European Economic Area (EEA), United Kingdom (UK) and elsewhere. We proudly adhere to many of the most comprehensive privacy and information security certifications, like Germany’s Cloud Computing Compliance Controls Catalogue (C5), the Trust Cloud Data Protection Profile (TCDP), and Binding Corporate Rules (BCRs). To learn more, please visit our Compliance page.

Box Zones for GDPR Readiness

Many organizations leverage Box Zones, our solution for in-region storage, for GDPR readiness. By doing so, they can store their organizations' content across multiple storage zones, and effectively demonstrate risk mitigation and proactive regulatory compliance in a complex compliance environment. In addition, Box Zones allows them to also adhere to internal and external rules that may mandate local storage for particular types of data.

Address key GDPR requirements

Information use that's fully transparent

The GDPR requires organizations to provide more information about the way individuals’ information is used. Box gives you full control of your content and ways to access it, including access controls that allow administrators to grant or rescind access through the Admin Console.

More visibility into processing

Under the GDPR, you should be able to access a copy of your data and know where it's being processed. At Box, our customers can easily exercise these rights with accessible usage logs, effortless downloads and easy management of all third-party integrations.

The right to be forgotten

Under the GDPR, individuals have the right to ask the organizations they work with to delete their personal data. At Box, our customers are in control of their content deletion with trash settings and retrieval. In addition, they have the ability to set retention schedules with Box Governance.

Virgin Trains uses Box with Zones and Governance to power productivity with GDPR in mind

Beyond GDPR

Box enables our customers to enhance their compliance posture comprehensively, beyond data privacy and the GDPR, by allowing them to address data residency requirements, select from key encryption options, and meet retention and legal hold needs. With our enterprise-grade governance, risk and compliance products, you can strengthen your organization's GDPR and data protection story. Learn more about using Box Zones, Box KeySafe and Box Governance in your data protection journey.

Box Consulting and Box Compliance teams come together to help your company understand, prepare for and address evolving compliance requirements with Cloud Content Management.

Where to focus your GDPR efforts in 2021

Take a look at this year's top areas of GDPR concern

White paper: Get GDPR-ready with Box

The features and functionality you need for GDPR compliance