← Back to blog
    Compliance

    GDPR requirements for file transfer: what your firm needs to know

    A practical explanation of GDPR Article 32, the DPIA obligation, the Data Processing Agreement and breach-notification duty, applied to file transfer in legal case files.

    TransferGuard redactieJuridisch & Compliance8 min

    The GDPR does not prescribe an exact technology; it imposes obligations of result. As a firm, what do you concretely need to arrange around file transfer in order to be compliant and, just as important, to be able to demonstrate it?

    GDPR Article 32: appropriate technical and organisational measures

    Article 32 GDPR is the central provision for file transfer. The controller must, "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing", take appropriate measures. This is expressly an open standard: what is "appropriate" depends on the risk to data subjects.

    For legal case files that risk is, by its nature, high. It concerns special-category or sensitive data (health data in personal-injury cases, criminal data in criminal files, financial data in bankruptcies). That raises the floor of what counts as "appropriate". An ordinary TLS connection when sending via regular email is, in this context, demonstrably insufficient.

    Concrete minimum requirements in 2026

    The Dutch Data Protection Authority (AP) and the European Data Protection Board (EDPB) increasingly apply, in enforcement decisions, the following minimum bar for risk-sensitive sectors:

    • End-to-end encryption or equivalent (TLS 1.3 minimum in transit).
    • Encryption at rest with key management within the EU.
    • Access logs with a minimum retention period of twelve months.
    • Multi-factor authentication for processors and end users.
    • Identity verification of the recipient for sensitive deliveries.

    DPIA: when is it required, when not?

    A Data Protection Impact Assessment (DPIA, Article 35 GDPR) is mandatory when a processing operation "is likely to result in a high risk". The Dutch Data Protection Authority (AP) has published a list of processing operations for which a DPIA is mandatory. Particularly relevant for legal practice are processing operations involving large-scale special-category personal data, or which systematically involve vulnerable data subjects (children, victims).

    For a typical transfer platform used for ad-hoc client communication, a DPIA is strictly speaking not mandatory. We nevertheless advise recording an abbreviated "DPIA-light" when you implement a new platform, if only to be able to reconstruct the assessment in the event of a later complaint.

    The Data Processing Agreement (Article 28)

    Every supplier that processes personal data on your behalf (and a transfer platform does so by definition) is your "processor". You must conclude a Data Processing Agreement (DPA) with them. A few practical points of attention.

    • Sub-processors. The DPA must name all sub-processors (for example the hosting party, the email provider for notifications). A change requires consent or a notification procedure.
    • Transfers outside the EU. Do not allow unlimited transfers. Standard Contractual Clauses (SCCs) are the minimum condition when a transfer takes place.
    • Audit rights. You must be able to audit, possibly via an independent party or via certifications of the underlying infrastructure (such as ISO 27001).
    • Retention periods and erasure. Recorded concretely: within how many days after cancellation are files deleted?

    Data-breach risk: when and how do you report?

    Under Article 33 GDPR a data breach must be reported within 72 hours to the Dutch Data Protection Authority (AP), unless the breach "is unlikely to result in a risk". For data subjects there is a separate obligation (Article 34) when the risk is high. For file transfer, the most common data breach lies not with the provider itself, but with sender errors: the wrong email address, a forgotten identity verification, an excessively long retention period for a sensitive file.

    A verifiable audit trail (about which we write more in Burden of proof in digital case files) is decisive in a data-breach investigation: it proves exactly who received what and when, allowing the scope of a breach to be established objectively.

    Practical checklist for your firm

    The checklist below gives a snapshot of your firm's GDPR position with respect to file transfer. A yes on all points means you stand defensibly in the event of an inspection by the Dutch Data Protection Authority (AP).

    • Is there a single approved transfer platform for client files?
    • Has a Data Processing Agreement been signed?
    • Are all sub-processors known and approved?
    • Is data storage demonstrably EU-only?
    • Is the recipient's identity verified in sensitive matters?
    • Is there an internal procedure for data-breach reporting within 72 hours?
    • Are audit reports of deliveries retained for 5+ years?

    How TransferGuard helps

    TransferGuard is set up around the requirements of Article 32: 100% EU infrastructure, end-to-end encryption, independent verified timestamps, SHA-256 hashes and optional biometric identity verification. A GDPR-compliant Data Processing Agreement is included as standard and can be consulted on the DPA page. Our infrastructure and hosting moreover run on ISO 27001-certified data centres. For a complete overview of evidence and compliance features we refer you to the features page.

    Ready to send certified?

    Certified Delivery from €49/mo excl. VAT. Verified Identity from €79/mo. Cancel monthly.

    Get started

    Read next