
We've all been in this situation before: about to send an e-mail with an attachment, and bam - that familiar message: "Your file is too big."

So we do what we always do: we open WeTransfer, enter our contact's address, our own address, a small subject, drag in our files or folders... and off we go. Simple, fast, efficient. 

But in early July 2025, a discreet ToU update raised doubts. Not least on the part of the Dutch Data Protection Authority: when using WeTransfer, are our files still protected? 

In its new ToU release, WeTransfer explained that some transferred files could be used to "improve its services via AI".

The problem was that the information was not very visible, and the terms and conditions were vague. 

  • Which files are affected? 
  • When are they used?
  • How do I opt out?

Yet the GDPR is clear: consent cannot be guessed at. It must be free, informed and specific. Modifying ToU on the sly to slip in AI processing is not compliant.

WeTransfer is the target of the survey, but this doesn't mean that corporate clients are covered.
When you transfer personal data, you remain responsible for its processing. And if your service provider acts outside the legal framework, it's also you who's liable.

The controversy has already caused a stir. As a result, users are leaving and companies are looking for clearer, more compliant alternatives.

Once again, this is concrete proof that GDPR isn't a hindrance - it's a competitive advantage.

As the WeTransfer affair clearly shows, regular audits of service providers are not a luxury, they're a necessity. Especially when they handle personal data - yours or your clients'. 

The GDPR clearly demands it: as a data controller, you must check that your processors are complying with their obligations, and be able to prove it.

Here are the best practices to put in place:

✔ Set up an audit right in your contracts: it must allow an annual check at the very least, or at any time in case of doubt or incident.
✔ Ask for up-to-date evidence: security policy, GDPR documentation, incident log, etc.
✔ Document follow-up: exchanges, checks, corrective actions... everything must be traced.

At Dipeeo, we've found that when several service providers are involved, it's hard to keep track of them all. That's why we've developed an automated provider auditing solution.

Anaïs Guilloton

Marketing Manager - GDPR Expert