In the modern working world, efficient project management is not a luxury, but a necessity. Collaboration and project management software such as Stackfield helps you to organize tasks and projects quickly and clearly. But functionality alone is not enough – data protection plays a crucial role, especially in Europe. The GDPR (General Data Protection Regulation) sets clear rules for the handling of personal data.
But how secure are the individual tools really? Is your data really protected and processed in full compliance with the law? Or are there gaps in the seemingly tightly woven data protection tapestry? As soon as personal data is involved, the utmost care must be taken. Mistakes can cost companies dearly – not only in the event of the theft of sensitive data, but also through high penalties for data protection violations.
In this context, the label "GDPR compliant" is actually intended to create trust – but is this always the case? Or is it just a catchy marketing promise, a slogan without a message? These and other questions are answered in the following article.
What does "GDPR compliant" actually mean?
The "GDPR compliant" label means that a company meets the requirements of the EU's General Data Protection Regulation, especially when handling sensitive personal data. The central principles of the GDPR include transparency, purpose limitation, data minimization, accuracy, storage limitation as well as confidentiality and integrity of the data. A key aspect here is that the data is protected against unlawful access by third parties.
In order to comply with the GDPR, software providers, including collaboration software providers, must provide clear information on data storage, processing and transmission. In addition, a data processing agreement (contract for commissioned data processing) and appropriate technical and organizational measures, such as secure and encrypted data transmission, are required.
GDPR vs. CLOUD Act: the invisible access to data from the EU
In an international context, however, challenges arise. This is because non-EU companies which process the data and information of EU citizens must also comply with the requirements of the GDPR. Nevertheless, this requirement does not completely protect against access by third parties – for example, by governments that can enforce data access through national laws.
The international "EU-US Data Privacy Framework" agreement between the EU and the USA is particularly critical in this context. This agreement is intended to formally guarantee data protection when data is processed in the USA or by US companies. It is supported by standard contractual clauses to be concluded between the client and contractor.
This agreement has come under fire because the US government has left itself a legal loophole through laws such as the CLOUD Act. This law allows the US government to force access to all data of a US company – including all customer data, even if it is processed and stored exclusively in Europe. It is irrelevant whether the US company operates through a local subsidiary or under a local company name.
Why a European server infrastructure alone is not enough
Many US and non-EU providers advertise that they store the data of EU companies in Europe in order to meet the security requirements of their EU customers. Apart from the fact that this offer is often only available with more expensive subscriptions, there is another catch to this claim. In most cases, the data remains on the servers of large US providers and is therefore still potentially accessible by the US government.
Even if these hosting providers offer data storage within the EU, this does not protect against non-European access. For example, the CLOUD Act requires US companies and their subsidiaries to disclose data if ordered to do so by the government – regardless of where it is stored and even if this would violate local data protection laws.
This risk of unlawful data processing therefore even affects EU companies that rely on hosting by US companies. This is because even subcontractors based in the USA – like most hosting providers – can be forced to disclose customer data. A purely European server infrastructure therefore only offers real protection if it is operated completely independently of non-EU providers.
Do you get maximum protection for your data with a GDPR compliant company?
Especially when working with sensitive and personal information, this is the key question that every organization should ask itself before purchasing new software. Due to the uncertainty that has arisen in the course of the discussion about the EU-US Data Privacy Framework Agreement and the CLOUD Act, an assurance of GDPR compliance alone is not sufficient as proof of security. Although the GDPR provides for data protection certifications, ultimately no certificate can guarantee that a US company is protected from the application of the CLOUD Act. Accordingly, there is always a degree of risk remaining.
This risk can be avoided by relying on providers who, in addition to being GDPR compliant, are based in the EU and only use subcontractors from the European Union. If these criteria are observed, you can be sure that sensitive data is completely protected against access from third countries. Additional security is provided by genuine end-to-end encryption, which means that even the software provider's employees have no access to the customer's data.
Checking 5 collaboration tools for GDPR compliance
How GDPR compliant is Stackfield?
Unlike many other providers of collaboration software, Stackfield is a German company that attaches particular importance to data protection and information security. Stackfield stores and processes all data in Germany and fully complies with the strict requirements of the GDPR. The company offers comprehensive end-to-end encryption, which means that the relevant data cannot be viewed even by Stackfield employees.
Client-side end-to-end encryption is implemented in Stackfield
Stackfield's mission is to guarantee its users the highest possible level of data protection and information security. This includes – among other things – the following points:
- Stackfield is subject exclusively to German and EU law: As a German company, Stackfield is under the protection and regulation of the German and European legal framework.
- Exclusively German subcontractors: Stackfield relies exclusively on German partners and locations for services such as hosting or e-mail traffic.
- ISO-certified security standards: Stackfield is certified according to internationally recognized ISO standards such as ISO 27001, ISO 27017 and ISO 27018 and has also received the BSI C5 certificate.
- True end-to-end encryption: With genuine end-to-end encryption, your data is protected at all times with Stackfield.
How GDPR compliant is Asana?
Asana, a US provider of project management software, officially declares itself GDPR compliant and has implemented various measures for processing sensitive data. However, despite these efforts, a fundamental problem remains: As a US-based company, Asana is subject to the CLOUD Act.
This means that US authorities – as already explained – can potentially demand access to user data. This access exists regardless of where the data is stored. This is a decisive risk factor for companies looking for a GDPR compliant collaboration tool with maximum data security.
How GDPR compliant is Microsoft?
The US company Microsoft plays a central role with regard to the security of personal data of EU citizens in several respects, both as a provider of the Microsoft 365 suite (with software such as MS Teams, MS Project and MS Planner) and as the operator of the Azure cloud platform, which – similar to Google or Amazon – enables global data hosting.
The company emphasizes its efforts to comply with the GDPR and provides, among other things, order processing contracts that are intended to meet the requirements of the regulation. Nevertheless, there has been criticism and doubts about the tech giant's data protection practices for years. Like other US companies, Microsoft is subject to the CLOUD Act, which potentially gives US authorities access to stored data.
Microsoft has also been criticized for a lack of transparency. For example, the 2022 Data Protection Conference of the independent German data protection supervisory authorities found that the company does not provide sufficient clarity about the processing of personal data. This means that a fundamental problem remains: Even if Microsoft tools are formally considered GDPR compliant, full data protection cannot be guaranteed – neither for Microsoft 365 nor for Azure.
How GDPR compliant is Trello?
Trello, a task management software from the Australian company Atlassian, emphasizes its compliance with the GDPR and, according to its own statements, undertakes to respect the rights of its users. Here the risk differs from that posed by US providers: there is no EU adequacy decision for Australia. This means that the EU Commission has not certified this country as having an adequate level of data protection, which already makes secure data transfer more difficult and entails a high level of effort on the part of customers to comply with the GDPR. In addition, the Australian Telecommunications and Other Legislation Amendment (TOLA) Act of 2018 allows the authorities to order companies to hand over data.
For EU companies, this means that even if customers are able to work in compliance with the GDPR thanks to a comprehensive and complex contractual and technical framework, there is a potential risk that Australian authorities could gain access to sensitive data – a risk that is similar in scope to the CLOUD Act.
How GDPR compliant is Meistertask?
The German provider Meistertask clearly emphasizes the importance of data protection for its project management software on its website. In addition to a hosting location in Germany, the company also emphasizes its full GDPR compliance. And as a German company, Meistertask should also be GDPR-compliant without any issues – shouldn't it?
The initial situation looks promising, but it is not only the location of the headquarters that is decisive; the choice of subcontractors matters just as much. Meistertask stores its data in Germany, but uses the infrastructure of Google – a US company that is subject to the CLOUD Act. This means that even if the servers are located in Germany, Google can be forced to hand over data by order of the US government. This can also affect the data of Google customers such as Meistertask. In addition to Google, other US subcontractors such as Cloudflare Inc. and Mailgun Technologies Inc. or European providers with data processing in the USA are also used.
This means that even if Meistertask itself is GDPR compliant, there is still a residual risk due to the choice of several US subcontractors. As long as a provider falls under US jurisdiction, it cannot be ruled out that third parties will be able to force access to the data. If you want absolute data security, you should therefore opt for companies with a purely European infrastructure.
Conclusion: The highest security can be found with EU companies
The comparison highlights the differences: even if non-EU companies are considered GDPR compliant, they cannot offer complete data security without residual risk. The uncertain relationship between the EU and the US in particular makes it clear that GDPR compliance is not synonymous with carefree handling of sensitive data. The CLOUD Act means that the US government still has access to data from US companies with EU customers, even if this data is stored on servers in the European Union.
Despite all data protection efforts by US and non-EU companies, there is still a risk that authorities could access user data without authorization – a scenario that is by no means unlikely in view of current geopolitical developments. EU companies should therefore ask themselves the honest question of whether they want to take this risk.
Stackfield, on the other hand, offers a secure EU alternative: in addition to the many functions for efficient project management, the uncompromising protection of user data is the top priority here.