File transfers are more than just cloud uploads—they pose a data protection risk. WeTransfer is a popular online service for sending large file attachments. The free version allows you to send files up to 2 gigabytes in size. This is particularly convenient when, for example, photos or videos are too large to send by email but need to be bundled and delivered in high quality. However, WeTransfer recently changed its terms and conditions, raising the question of how secure this practical data transfer option still is with regard to data protection. The following article provides an overview of which aspects are considered critical from a GDPR perspective and how well SwissTransfer performs as an alternative.
How does sending data with WeTransfer work?
Sending data via WeTransfer is relatively easy. Users upload their files directly on the WeTransfer website. Both the sender’s and the recipient’s email addresses are requested, and a personalized message can be added to the files. A user account isn’t required for this. However, especially when sending personal documents and personal data such as email addresses, users often wonder whether their data is secure with the services they use. WeTransfer scores highly in terms of security because uploads are encrypted, and the link for retrieving the data is also sent encrypted. Nevertheless, WeTransfer does have a few weaknesses when it comes to data security. So, what’s the status of WeTransfer’s data protection?
Is data transfer with WeTransfer secure?
The issue of data protection at WeTransfer is complex – and not without vulnerabilities. While the upload and the generation of the download link are encrypted, the notification email to the recipient is not content-encrypted. Anyone who has access to this email – e.g., through phishing, insecure mail servers, or forwarding – can potentially retrieve the data. The data is also temporarily stored unencrypted – on servers operated in the USA or other third countries outside the EU. Different data protection regulations apply there than those under the GDPR. A data protection-compliant transfer to such third countries is only permitted under certain conditions, such as an adequacy decision, standard contractual clauses (SCCs), and additional security measures.
The access question: Who really sees your data?
In addition, WeTransfer is regularly criticized for its terms and conditions (T&Cs) and the associated access rights to transferred content. According to PresseBox and Tarnkappe.info, the service provider grants itself extensive rights to analyze, review, or temporarily use uploaded data in certain cases – for example, for malware detection or system optimization. However, whether and to what extent these rights apply remains unclear for many companies.
This poses a significant risk for data-sensitive organizations—particularly in healthcare, law firms, or industry—because data sovereignty no longer lies exclusively with the sender.
Data protection & GDPR: What data protection officers need to consider
- Check the legal basis: Is the transfer of personal data to relevant service providers permitted under Art. 6 GDPR?
- Maintain data sovereignty: Who analyzes, stores, or monitors the content for their own purposes?
- Conclude a data processing agreement: In the case of pseudonymised or personal data, a valid data processing agreement must be concluded on behalf of the data subject.
- Consider third-country transfers: Is there an EU/EEA service, or is the transfer taking place to third countries?
Practical tip: Pay attention to terms and conditions clauses that allow extended use, such as machine evaluation or optional data storage.
Looking for a WeTransfer alternative?
The conclusion is that using WeTransfer can be problematic for those responsible. Sending sensitive data via WeTransfer is not recommended, if only because the data is stored unencrypted on US servers. Sensitive data, let alone special categories of personal data as defined by Art. 9 GDPR, should generally not be transferred unencrypted to providers like WeTransfer. One way to better protect data sent via WeTransfer is to encrypt the files yourself before uploading, for example with the compression software 7-Zip. Note, however, that the recipients must also use the program to unpack and decrypt the files after downloading them.
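To make the pre-encryption step concrete, here is an added example (not from the article) that wraps the 7-Zip command line: it generates a passphrase to be shared with the recipient over a separate channel, encrypts a folder with AES-256 including the archive headers so that file names are hidden, checks that property, and shows the recipient's extraction step. The function names are my own; it assumes the `7z` CLI (7-Zip or p7zip) is installed on both sides and that the archive path passed in is absolute.

```shell
#!/bin/sh
# Added example, not from the article: encrypt files with 7-Zip before handing
# them to a transfer service, so the provider and anyone who obtains the
# download link only ever see ciphertext. Assumes `7z` is on PATH.
set -eu

# Random passphrase, to be sent to the recipient via a different channel
# (phone, messenger), never in the same email as the download link.
gen_passphrase() {
    # 24 random bytes -> base64; strip characters that are awkward in shells
    head -c 24 /dev/urandom | base64 | tr -d '\n/+='
}

# encrypt_for_transfer <source_dir> <absolute_archive_path.7z> <passphrase>
# Creates an AES-256 .7z archive of the directory contents. -mhe=on also
# encrypts the archive headers, so file names are not visible without the
# passphrase (plain .zip/.7z password protection leaves them readable).
encrypt_for_transfer() {
    src=$1; out=$2; pw=$3
    (cd "$src" && 7z a -t7z -mhe=on -p"$pw" "$out" . >/dev/null)
}

# header_is_encrypted <archive.7z>
# Post-encryption check: listing with a wrong passphrase must fail. Returns 0
# if the file names are hidden, 1 if they leak.
header_is_encrypted() {
    if 7z l -p"not-the-real-passphrase" "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# decrypt_transfer <archive.7z> <passphrase> <output_dir>
# Recipient side: needs 7-Zip as well, as the article points out.
decrypt_transfer() {
    7z x -p"$2" -o"$3" "$1" >/dev/null
}
```

Because the archive is opaque to the transfer service, the data protection risk shifts from the provider and the notification email to how carefully the passphrase is handled.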
If this is too complicated for you, there are alternatives to WeTransfer that take data protection even more seriously. Here is a comparison with SwissTransfer – a Swiss tool with a focus on data protection:
WeTransfer offers several encryption measures for data protection, but the question remains whether WeTransfer is both secure and free. The server location in the US and the unencrypted storage of data there alone should give cause for concern. WeTransfer users are therefore well advised to look for an alternative that better implements GDPR requirements. SwissTransfer is a good choice in this regard.
*According to press releases, there are references to US servers and expanded data access.
**GDPR equivalent
Concept & Recommendations
- Check your requirements: Large media files, sensitive health or personal data?
- Evaluate providers based on data protection standards: encryption, data location, access rights – all crucial.
- Implement T&C checks and DPA processes: Even for seemingly free offers.
- Use tools like SwissTransfer or GDPR-certified data protection software for secure data transfer.
Conclusion for compliance officers
Choosing a file transfer service is a compliance decision—not a convenience. The GDPR requires clarity and control over data access.
Your next steps:
- Ask the provider specifically about control and access rights
- Use privacy-friendly alternatives
- Anchor file transfer in the ISMS or DSMS