
The GDPR Translation Trap: Why Your 'Compliant' Tool Might Be Illegal

Most translation tools claim GDPR compliance but fail on data minimization, retention, and residency. Here's the 7-point checklist that separates real compliance from theatre.

Yash Khare · LinkedIn · 7 min read

"GDPR compliant" has become the "organic" of SaaS. everyone slaps it on the label. nobody checks the ingredients.

I was looking at translation tool landing pages the other day—just out of curiosity—and almost every single one says "GDPR compliant" somewhere. some even have a little shield icon. very reassuring.

then I read their actual privacy policies. and... yeah. let's just say there's a gap between the badge and the behavior.

here's the thing about GDPR compliance for translation tools: it's not a checkbox. it's a set of specific, verifiable requirements. and most tools fail at least two of them.

What 'GDPR-compliant translation' actually means

let's start with the basics, because most of the confusion comes from people treating "GDPR compliant" as a single thing when it's actually a combination of roles, obligations, and controls.

under GDPR, when you upload a document to a translation service, there are two parties:

  • the controller (you): you decide why and how the data is processed. you're translating an employee contract because you need a German version. that's your call.
  • the processor (the translation tool): they process the data on your behalf. they translate the document because you told them to.

this distinction matters because each side has specific obligations. you, as controller, need a lawful basis for the processing and may only hand data to a processor under a Data Processing Agreement (Article 28). the processor may only process on your documented instructions, can't repurpose your data for its own ends, and has to help you meet your deletion and breach-notification duties. they can't just do whatever they want with your data.

and here's where it gets interesting: many free translation tools don't position themselves as your processor at all. their terms typically frame the tool as a consumer service you voluntarily use, which makes the provider a controller in its own right for whatever it does with the text (training, analytics) and makes you the person who chose to share it. different legal framing, very different obligations, and no DPA to hold them to.

The 7 requirements your translation tool must meet

I went through the actual regulation and pulled out what matters specifically for translation tools. not the generic "we care about privacy" stuff—the actual requirements.

1. Data minimization

the tool should only process what's necessary for translation. that means: your document goes in, the translation comes out, and nothing else is collected, analyzed, or retained beyond what's needed.

if the tool is building analytics dashboards about your content, tracking word frequencies, or feeding your text into recommendation engines—that's not minimized. that's hoarding.

2. Data residency

your data should be processed in a jurisdiction that's compatible with GDPR. strictly speaking, GDPR doesn't mandate EU-only processing: transfers to a country with an adequacy decision, or under Standard Contractual Clauses plus a transfer impact assessment, are lawful. but for most EU companies EU-only processing is the simplest defensible position, because it removes the transfer question entirely.

the tricky part: "processed in the EU" doesn't always mean "stays in the EU." some tools process in the EU but store backups in the US, route through CDNs with global nodes, or ship error reports and logs containing snippets of your text to a monitoring vendor elsewhere. you need to ask specifically about the full data lifecycle.

check our GDPR compliance details for how we handle this—EU-only, end to end.

3. Retention limits

GDPR's storage limitation principle: don't keep data longer than necessary. for a translation tool, "necessary" is the time it takes to translate and deliver the file.

so if a tool keeps your documents indefinitely "for your convenience" (translation history, dashboards), that's a compliance decision you need to evaluate. is it necessary? or is it just a feature that happens to create liability?

our retention window is 30 minutes. after that, both the original and the translation are permanently deleted. not archived. deleted.

4. Access control

who at the vendor can access your content? can support staff read your documents? can engineers access them for debugging?

the answer you want is: nobody, by default. a properly designed translation service shouldn't require human access to your content, and any exceptional access (say, during an incident) should be gated behind approval, logged, and disclosed to you. "engineers can read files for debugging" is a design flaw, not a support feature.

5. Deletion on request

under GDPR, data subjects (the people named in that employee contract) have a right to erasure, and as controller you're the one who has to honour it, which means your processor must delete on your instruction. but here's the catch: if the tool has already used your data to train a model, "deletion" becomes... complicated. you can delete the document, but the model has already learned from it.

this is why "no training on customer data" isn't just a nice-to-have. it's the only way to make deletion meaningful.

6. Subprocessor transparency

most translation tools use cloud infrastructure (AWS, Azure, Google Cloud) and possibly other third-party services. under GDPR, they need to tell you who these subprocessors are.

ask for the subprocessor list. if they can't give you one, or if the list includes 15 companies you've never heard of, that's a red flag.

7. Auditability

can you verify the vendor's claims? do they offer a DPA? can they show you where data is processed? will they let your DPO ask questions?

"trust us" is not a GDPR compliance strategy.

Common traps (and how to spot them)

The "free tier" trap

most free translation tools make money by using your data. not all of them, but most. the free tier is the product—or rather, you are. your translations improve their models, your usage patterns feed their analytics, and your content sits on their servers indefinitely.

if you're not paying, ask yourself: what's the business model?

The "cross-border" trap

a tool says "EU data centers." great. but do they use a US-based parent company's infrastructure? do support tickets get routed to a team in a non-EU country with access to your account? does their CDN cache content globally?

"EU data centers" is a necessary condition, not a sufficient one.

according to the European Commission's guidance on Standard Contractual Clauses, cross-border transfers require specific legal mechanisms. just having a server in Frankfurt doesn't cover you if the data touches Virginia.

The "vague retention" trap

"we retain data for a reasonable period." what does that mean? a day? a year? forever?

if the retention policy uses words like "reasonable," "appropriate," or "as needed," you don't have a retention policy. you have a vibe.

Template procurement questions

if you're evaluating a translation tool for GDPR compliance, here are the questions to send to the vendor. copy-paste this into your procurement process.

  1. Are you a data processor under GDPR? (If yes, provide your DPA.)
  2. Where is document content processed? (List all regions and subprocessors.)
  3. How long do you retain uploaded documents? (Specific timeframe, not "reasonable.")
  4. Do you use customer content for AI/ML training? (Binary answer: yes or no.)
  5. Who has access to document content? (List all roles with access.)
  6. Can we request deletion of all data? (And will it actually be deleted from all systems?)
  7. What encryption is used in transit and at rest? (Minimum: TLS 1.2 or later with modern cipher suites in transit, ideally TLS 1.3, and AES-256 at rest with keys managed separately from the storage.)

acceptance criteria: all seven must be answered clearly. "we're working on it" is a no.

What data minimization looks like in practice

this is where I'll be transparent about what we do at noll, because I think it's useful as a reference point—not because we're perfect, but because it shows what "compliant" can look like operationally.

  • we process documents in EU data centers only
  • files are deleted 30 minutes after translation
  • we don't train on customer data. never have, never will
  • we don't require accounts for basic usage (less PII collected)
  • we publish our subprocessor list
  • we offer a DPA

is this the only way to be compliant? no. but it's a concrete example of what each of the 7 requirements looks like when actually implemented.

Frequently asked questions

Does AI training violate GDPR?

not automatically. but if a tool trains on your data without a lawful basis, it's a problem. and "you agreed to the terms of service" is an increasingly shaky basis in the EU, not least because the data subjects in your documents never agreed to anything.

What about EU-only processing?

EU-only processing means the data never leaves EU jurisdiction during any part of its lifecycle—upload, processing, storage, delivery, deletion. ask about subprocessors, failover, and backup locations specifically.

How short should the deletion window be?

as short as practically possible. for a translation tool, there's no reason to keep a file for more than the time needed to complete the translation and let the user download it. 30 minutes is a good benchmark.
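requirement 3 above and this FAQ say the same thing: the window is short and the deletion is real. to make that concrete, here is an added example (not noll's code; the file layout, the job-id naming and the 30-minute default are assumptions) of a retention sweep that deletes both artefacts of every expired job and reports anything it failed to remove:

```python
import os
import tempfile
import time
from pathlib import Path

# Hypothetical layout (an assumption, not noll's actual implementation):
# every translation job stores two artefacts under one opaque job id,
#   <job_id>.source       the uploaded original
#   <job_id>.translation  the delivered result
# Job ids are assumed to contain no dots so Path.stem/Path.suffix split cleanly.
RETENTION_SECONDS = 30 * 60          # the article's 30-minute window
SUFFIXES = (".source", ".translation")


def expired_jobs(root, ttl_seconds=RETENTION_SECONDS, now=None):
    """Return job ids whose *newest* artefact is at least ttl_seconds old.

    Using the newest artefact means the clock starts when the translation
    was written, so the user gets the full window to download it.
    """
    now = time.time() if now is None else now
    newest = {}
    for p in Path(root).iterdir():
        if p.is_file() and p.suffix in SUFFIXES:
            newest[p.stem] = max(newest.get(p.stem, 0.0), p.stat().st_mtime)
    return sorted(job for job, ts in newest.items() if now - ts >= ttl_seconds)


def purge_expired(root, ttl_seconds=RETENTION_SECONDS, now=None):
    """Delete both artefacts of every expired job.

    Returns (deleted, leftovers): job ids fully removed, and job ids where at
    least one file survived (locked file, permission error). Leftovers are the
    thing to alert on; a silent partial purge is how "deleted" becomes "mostly
    deleted".
    """
    root = Path(root)
    deleted, leftovers = [], []
    for job in expired_jobs(root, ttl_seconds, now):
        for suffix in SUFFIXES:
            path = root / f"{job}{suffix}"
            try:
                path.unlink()      # real deletion, never a move to "trash" or an archive bucket
            except FileNotFoundError:
                pass               # only one half was ever written; nothing to delete
            except OSError:
                pass               # failure is detected by the existence check below
        if any((root / f"{job}{suffix}").exists() for suffix in SUFFIXES):
            leftovers.append(job)
        else:
            deleted.append(job)
    return deleted, leftovers


def build_sample(root, now):
    """Constructed sample data: one job past the window, one still inside it."""
    for job, age_seconds in (("job-old", 3 * 3600), ("job-fresh", 5 * 60)):
        for suffix in SUFFIXES:
            path = Path(root) / f"{job}{suffix}"
            path.write_text("constructed placeholder content\n")
            os.utime(path, (now - age_seconds, now - age_seconds))


def demo():
    """Run one purge cycle against the constructed sample and report what happened."""
    root = tempfile.mkdtemp(prefix="retention-demo-")
    now = 1_700_000_000.0            # fixed clock so the result is reproducible
    build_sample(root, now)
    before = expired_jobs(root, now=now)
    deleted, leftovers = purge_expired(root, now=now)
    remaining = sorted(p.name for p in Path(root).iterdir())
    return {"expired_before": before, "deleted": deleted,
            "leftovers": leftovers, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

this sweep only covers the one directory it is pointed at. in a real deployment the same window has to be enforced on object-storage lifecycle rules, backups and snapshots, caches, and any logs that might carry content, and a non-empty `leftovers` list should page someone rather than be quietly retried. that is the operational difference between a 30-minute policy and a 30-minute vibe.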

Takeaways

  • "GDPR compliant" on a landing page means nothing without verifiable controls
  • check the 7 requirements: minimization, residency, retention, access, deletion, subprocessors, auditability
  • free tiers are the biggest risk—the business model often depends on your data
  • ask the 7 procurement questions before committing to a tool
  • vague retention policies are a red flag, not a feature

the bar for GDPR-compliant document translation isn't impossible to meet. it's just that most tools were built to maximize data collection, and compliance got bolted on as an afterthought.


Tags: gdpr, compliance, privacy, data-residency, sensitive-documents
