Skip to main content

General Information

GDPR compliance is a shared challenge by companies and state-owned organizations. Nextcloud offers a number of features in order to help customers meet the strict requirements.

Some of the below features are available as Apps. If you'd like to use them, please, consult your provider of App availability on your Nextcloud version. We are happy to help.

In a Nutshell

GDPR requirements

Security and Encryption

The GDPR requires organizations to ensure adequate protection for private data, from encryption to clear and well implemented security practices.

Availability and access

Private users have a right to demand a full overview of what data is collected, including an export of what an organization has on them.

Transparency and auditability

Upon request, an organization has to be able to show what they do with user data, who has (had) access and they must be able to modify or delete any data they have on private individuals.

Official Nextcloud Documentation

In order to fulfill the above we recommend the following apps and settings.


Enforce strong password policy

The default settings are the following:


We recommend setting the policy according to the below principals:

  1. Minimum password length: 8
  2. User password history: 12
  3. Number of days until user password expires: 30
  4. Number of login attempts before the user account is blocked: 10
  5. And enable the following:
      • Forbid common passwords
      • Enforce upper and lower case characters
      • Enforce numeric characters
      • Enforce special characters

Dual factor authentication

This feature is not flexible in terms of how many devices can be added as a 2nd factor. Turn it on only after consulting with your administrator.


Server side encryption means that a master key is generated on the server which will encrypt all uploaded files from the time of the service being turned on.


For more information about server side encryption, consult the official Nextcloud documentation.

Availability and Access

To review how to meet this requirement check our Activity log and Data request articles.

Transparency and auditability

To review how to meet this requirement check our User account deletion and Terms of Service articles.


This will be visible on the logon screen.


Please, note that this guide is offered "as is". We strongly advice that all of our customers should consult a GDPR expert to review their own unique needs! When the requirements are clear, we are happy to help to implement them from the technical side.