As a freelancer, you probably handle client data every single day. Think invoices, contracts, contact details, project files, most of it stored or shared via the cloud. Convenient, of course, but the moment you store personal data, GDPR applies to you too.
That makes it worth knowing what you can and cannot simply use.
Do you need a data processing agreement with your cloud provider? Can you store client data with American providers? And how do you stay compliant without it becoming a full-time job?
This article explains what you need to arrange as a freelancer under GDPR, where things typically go wrong, and whether your current cloud storage actually measures up.
Does GDPR apply to you as a freelancer?
Yes. GDPR applies to every organisation, including sole traders and self-employed individuals, that processes personal data. The size of your business does not matter. Even if you have a handful of clients, you fall under it the moment you store their name, address or email address anywhere.
When do you process personal data?
Personal data is any information that can directly or indirectly identify a person. A client’s name on an invoice is personal data. An email address in your inbox is too. Even a sole trader’s company registration number can fall under the definition, because it traces back to an individual.
You process personal data the moment you store, send, view or edit it, even if you are not doing so consciously. Most freelancers do this daily, simply by keeping their administration in order.
What data do you actually store in the cloud?
Think about: invoices with client names and addresses, email correspondence, proposals, contracts, CVs from subcontractors, and photos or files linked to individuals.
If all of that lives in Google Drive, Dropbox or a similar service, you are processing personal data in the cloud and GDPR applies.
Four things to sort out before you store client data
As a freelancer, there are four things to consider the moment you store personal data in the cloud:
- Legal basis: do you have a valid reason to hold that data?
- Security: is your cloud storage adequately protected?
- Data processing agreement: do you have one with your cloud provider?
- Records of processing activities: do you need to keep these?
Here is what each of these means in practice.
1. Legal basis: usually taken care of automatically
GDPR requires that you have a valid reason to hold personal data. For most freelancers, that reason is automatically in place: when you invoice a client, you have a contract with that person, and that is a valid legal basis. You do not need to do or record anything extra.
This only becomes relevant if you hold data without a direct client relationship, for example email addresses from people who signed up to a newsletter. In that case you need consent. In practice, consent comes through an opt-in: the person actively enters their email address and agrees to receive messages. That sign-up moment is the consent. Make sure you can demonstrate when and how someone subscribed, because the burden of proving consent is on you.
2. Security: what counts as “appropriate”?
GDPR requires you to protect personal data with appropriate technical measures. What is appropriate depends on how sensitive the data is.
For most freelancers, this means: a strong, unique password for the cloud account (a password manager makes that painless), two-factor authentication on that account, and sharing restricted to named people rather than to everyone. A folder of client data shared via a link that anyone who obtains the link can open is not appropriate: links get forwarded, land in chat histories and browser logs, and cannot be revoked for one person without revoking them for all.
3. Data processing agreement with your cloud provider
A data processing agreement (DPA) is an arrangement between you and your cloud provider about how they handle the personal data you store with them. The provider commits to processing your data only for your purposes, not for their own use, and to complying with GDPR.
Google, Microsoft and Dropbox offer such an agreement, but only on paid business subscriptions. You rarely sign it consciously: it is embedded in the terms you accept when setting up a business account.
The problem is that many freelancers use a free or personal account. On those accounts the DPA does not apply: you are bound by the consumer terms and privacy policy, under which the provider processes the data for its own purposes as described there, rather than acting as a processor that may only follow your instructions. You then have no contract that obliges the provider to treat your client data as data processed on your behalf, and nothing to show a client or supervisory authority when they ask for your processor agreement.
Using Google Drive or Dropbox for client data? Check whether you have a business subscription that includes the DPA. If not, that is the first thing to sort out.
4. Records of processing activities: do you need these?
Article 30 of GDPR exempts organisations with fewer than 250 employees from keeping formal records of processing activities, but only where the processing is occasional, is unlikely to pose a risk to the people concerned, and involves no special categories of data such as health information. As a freelancer without staff you will often fall under that exemption, but routine client administration is arguably not "occasional", and if you regularly process sensitive data such as medical or financial information you should assume records are required.
Worth doing anyway: write down for yourself which personal data you process, which provider holds it, and why you keep it. That takes an hour and gives you a solid reference if questions ever arise.
Can you just use Google Drive or Dropbox?
Suppose you have a business account and the DPA is in place. Are you done? Almost, but there is one point many freelancers do not know about. Even when everything is contractually in order, another country's law may still reach your data, and that has nothing to do with what you clicked to agree to.
What the CLOUD Act means for your client data
Google and Dropbox are American companies. They fall under the US CLOUD Act, a law that gives the American government the right to demand data from US companies, even when that data is stored on European servers.
Even if your files are physically located in Amsterdam, American authorities can in theory demand access. GDPR does not stop that demand from being issued: Article 48 only says that a foreign court or authority's order is not by itself a lawful basis for handing the data over, which leaves the provider caught between two legal systems rather than you protected by one.
What does this mean for you as a freelancer?
Working with ordinary client data β invoices, contact details β and have the DPA activated with Google or Dropbox? In most cases you meet the basic requirements of GDPR. The CLOUD Act risk is small for the average freelancer.
Working with sensitive data, such as medical records, legal information or clients’ financial details? Then an American provider is not a safe choice, regardless of the DPA. In that case, choose a European cloud provider that falls outside the scope of the CLOUD Act.
What makes a cloud provider genuinely GDPR-safe?
A provider is more than its server location. The combination of where data is stored, who owns the company, and which legal system that owner falls under together determines how secure your data is in legal terms.
Server location versus ownership: why both matter
Many providers advertise “data in Europe” or “stored in the Netherlands”. That is a start; European servers fall under European data protection law. But if the parent company is American, the CLOUD Act still applies to that company as a whole.
Server location is one factor. Ownership is another. Both matter. This phenomenon even has a name, sovereignty washing: using European server locations as a marketing argument while legal authority over the data remains American.
Why European ownership gives you legal certainty
A European cloud provider, owned by a European company with no American parent, falls exclusively under European law. The CLOUD Act has no reach. GDPR is the only framework that applies.
That provides a meaningfully different level of legal certainty than an American company with European servers and a tidy DPA. For freelancers working with sensitive client data, this is the relevant distinction: not whether a provider offers a DPA, but who can ultimately compel access.
Read more: European cloud storage: what it is, how it works and when it matters
Does a European cloud make you automatically GDPR-compliant?
No, and that is an important misconception. GDPR does not disappear because you use a European provider. Your legal basis, security and data processing agreement remain your responsibility, regardless of which cloud you choose.
What does change: the legal complexity around your provider becomes significantly smaller.
What you always need to sort out, with any cloud
Whether you use Google Drive, Microsoft 365 or a Dutch provider, these three things always remain:
- Data processing agreement: a European or Dutch provider also processes personal data on your behalf. You need a DPA, full stop.
- Security: strong passwords, MFA, access management, nothing shared unnecessarily. A European cloud will not help you legally if you are careless yourself.
- Accountability: you need to be able to explain why you use a particular tool, what measures you take and how you select suppliers. That always applies.
Where American clouds get more complicated
With providers like Microsoft 365 or Google Workspace, an extra layer is added. You also need to think about:
- international transfers of personal data,
- US jurisdiction and the CLOUD Act,
- additional safeguards such as Standard Contractual Clauses (SCCs),
- and a risk assessment around potential foreign access to your data.
That makes the compliance picture legally more complex, and harder to explain to clients, auditors or in procurement processes.
What a European cloud actually saves you
With a Dutch or European provider under European ownership, much of that extra layer disappears. Data is in the EU, the provider falls under European law, and there are no conflicting jurisdictions. The compliance story is simpler:
- no need to explain EU Data Boundary exceptions,
- no discussion about sub-processors in the US,
- no uncertainty about who can theoretically compel access.
You can give clients and auditors a clear answer, without caveats.
A European cloud does not make you automatically compliant. But the provider itself adds no legal complexity, and that is precisely what American providers do.
Checklist: does your cloud storage meet GDPR requirements?
Use this as a quick audit of your current setup:
- I know which personal data I store in the cloud
- I have a valid legal basis for holding that data
- My cloud storage is protected with a strong password and two-factor authentication
- I have a data processing agreement with my cloud provider (or I know it is automatically included)
- I have considered which country has legal jurisdiction over my data
- I do not use publicly shared links for folders containing client data
- I delete client data when I no longer need it
Not able to tick everything? It is worth reviewing your current setup.
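Two of the checklist items above, no link-shared folders of client data (also the point made under "Security" earlier) and deleting data you no longer need, can be checked mechanically rather than from memory. The following Python script is an added example, not code from the original article or from any cloud provider. It runs over a constructed list of file records shaped like the `files` array that a Google Drive API v3 `files.list` call returns when asked for `permissions` and `modifiedTime`, flags every file carrying an `anyone` permission (the API's representation of "anyone with the link" and fully public sharing), and lists every file that has not been touched within an assumed retention window. The file names, ids, addresses and the 730-day figure are assumptions for illustration; to audit a real account you would replace `SAMPLE_FILES` with the output of such a call.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the `files` array of a Google Drive API v3
# files.list response requested with
# fields="files(id,name,modifiedTime,permissions(type,role,emailAddress,allowFileDiscovery))".
# Names, ids and addresses are made up; nothing here is fetched from a real account.
SAMPLE_FILES = [
    {"id": "f1", "name": "Invoices 2023", "modifiedTime": "2023-01-15T10:00:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "me@example.com"}]},
    {"id": "f2", "name": "Client contracts", "modifiedTime": "2024-05-02T09:30:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "me@example.com"},
         # type "anyone" with allowFileDiscovery False is an "anyone with the link" share
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "Subcontractor CVs", "modifiedTime": "2024-06-10T12:00:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "me@example.com"},
         {"type": "user", "role": "writer", "emailAddress": "accountant@example.org"}]},
    {"id": "f4", "name": "Old proposal 2021", "modifiedTime": "2021-03-01T08:00:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "me@example.com"},
         # type "anyone" with allowFileDiscovery True is public and searchable
         {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]


def parse_drive_time(value):
    """Parse an RFC 3339 timestamp as Drive returns it (trailing 'Z') into an aware UTC datetime."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def public_permissions(file):
    """Permissions that grant access outside a named list of people: type 'anyone'."""
    return [p for p in file.get("permissions", []) if p.get("type") == "anyone"]


def find_publicly_shared(files):
    """Return (id, name, sharing kind) for every file a stranger could open."""
    findings = []
    for f in files:
        for p in public_permissions(f):
            kind = "public-and-discoverable" if p.get("allowFileDiscovery") else "anyone-with-link"
            findings.append((f["id"], f["name"], kind))
    return findings


def find_stale(files, retention_days, now=None):
    """Return (id, name) for files not modified within the retention window: review or delete."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    return [(f["id"], f["name"]) for f in files if parse_drive_time(f["modifiedTime"]) < cutoff]


def audit(files, retention_days, now=None):
    """Run both checks; an empty list under each key means that checklist item holds."""
    return {
        "publicly_shared": find_publicly_shared(files),
        "stale": find_stale(files, retention_days, now),
    }


if __name__ == "__main__":
    # A two-year window is an assumed figure for the example, not a legal retention period.
    report = audit(SAMPLE_FILES, retention_days=730)
    for fid, name, kind in report["publicly_shared"]:
        print(f"SHARED PUBLICLY  {fid}  {name!r}  ({kind})")
    for fid, name in report["stale"]:
        print(f"STALE            {fid}  {name!r}")
```

The check keys on the permission `type` rather than on a link URL because link sharing is not visible in a file's URL; a file shared with "anyone with the link" has the same address as a private one. Any `anyone` entry on a file that holds client data is a finding, whether or not it is discoverable in search. The retention window is whatever you decide and write down for yourself; the script only makes the forgotten files visible.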
Frequently asked questions
Does GDPR apply to freelancers without employees?
Yes. GDPR applies to anyone who processes personal data, even without staff. The moment you store client details, invoices or contact information, you fall under it. The size of your business is not relevant.
Do I need a data processing agreement with my cloud provider?
In principle yes, if you store personal data through that provider. Most large providers include this as part of their business terms. Check whether you have activated or accepted it. If not, contact your provider or consider an alternative.
What are the consequences of not complying with GDPR?
Your national data protection authority can issue fines. For minor infringements by freelancers, the chance of a large fine is small, but the risk is not zero, especially in the event of a data breach. More importantly: if something goes wrong with client data you manage, you are responsible to your clients.
What is the difference between GDPR-compliant and European cloud storage?
GDPR-compliant means a provider meets the requirements of GDPR: a DPA, security measures, a privacy policy. European cloud storage goes a step further; the provider falls exclusively under European law, without exposure to the US CLOUD Act or other foreign legislation. The first is a minimum. The second is a deliberate choice.