Misconceptions · Updated: 6 April 2026 · 4 min read

Misconception: GDPR Only Applies to Cloud Data

Many businesses think the GDPR only applies to digital data in the cloud. But the GDPR covers all personal data - including paper files, local systems, and handwritten notes.

Key Takeaways
  • The GDPR applies to personal data in any form: digital, on paper, handwritten, or verbally recorded
  • Paper personnel files, customer cards, and handwritten appointment books all fall under the GDPR
  • Local files on your computer or server are just as GDPR-relevant as data in the cloud
  • The form in which you store data doesn't matter - what matters is that it's personal data

The misconception

“We moved everything to the cloud, so we’re covered by GDPR. The data on our local server and in our filing cabinets? That’s not GDPR territory.”

This misconception arises from the association between GDPR and technology. Because GDPR is often discussed in the context of websites, cookies, and cloud services, many business owners conclude that it only applies to digital data in the cloud.

But the GDPR is technology-neutral.

What the law actually says

The GDPR applies to the processing of personal data “wholly or partly by automated means” AND to “non-automated processing of personal data which form part of a filing system”.

That last part is crucial. A filing system is any structured set of personal data that is accessible according to specific criteria. Your filing cabinet with customer files ordered alphabetically? That’s a filing system. Your desk drawer with personnel contracts sorted by department? Filing system.

Where personal data actually lives in your business

On paper

  • Personnel files in binders
  • Customer cards or order forms
  • Signed contracts with names and addresses
  • Notes from meetings with personal details
  • Business cards collected at events

On local systems

  • Spreadsheets on your computer
  • Documents on your local server
  • Email stored locally (Outlook PST files)
  • Scanned documents on shared drives

In the cloud

  • CRM system
  • Cloud email (Gmail, Outlook 365)
  • Accounting software
  • HR platforms

In less obvious places

  • WhatsApp messages on company phones
  • Voice recordings from customer service
  • CCTV footage
  • GPS data from company vehicles

The GDPR covers all of these. The medium doesn’t matter - the content does.

What you need to do

1. Inventory everything

Don’t just map your digital systems. Include paper archives, local files, and non-obvious data sources in your processing register.

2. Secure paper files

Store paper documents with personal data in locked cabinets. Limit access to those who need it. Shred documents when the retention period expires.

3. Don’t forget local devices

Encrypt laptops and external drives. Password-protect local files with personal data. Include local systems in your backup strategy.

4. Clean up old archives

Check old paper files and local archives. If you’re storing personal data you no longer need, destroy it securely.

Map all your data processing

GDPRWise helps you build a complete processing register covering all personal data - digital and physical.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.