contact@translatebe.eu
+32 2 315 19 29
TranslateBE.
FRNLEN
GDPR and Translation: How to Protect Your Confidential Documents?
Guides pratiques

GDPR and Translation: How to Protect Your Confidential Documents?

22 June 20246 min read·By the TranslateBE team

Sending confidential documents for translation involves sharing personal data with a third party - which triggers GDPR obligations. Understanding what Article 28 requires, what a data processing agreement (DPA) should contain, and why EU server location matters will help you choose a translation partner that protects your clients' data as robustly as you do.

Why translation is a GDPR data processing activity

Under the General Data Protection Regulation (GDPR), any organisation that handles personal data on behalf of another is a data processor, and the organisation that determines the purpose and means of processing is the data controller. When you send a document containing personal information - a medical record, a legal contract, a HR file, a sworn declaration - to a translation agency, you are sharing personal data with a third-party processor. GDPR Article 28 requires that this relationship be governed by a Data Processing Agreement (DPA), also known as a Data Processing Addendum. Without a valid DPA, the transfer of personal data to a translation agency constitutes a GDPR violation - even if the data never leaves the EU.

What a Data Processing Agreement must contain

A GDPR-compliant DPA between a translation client (controller) and a translation agency (processor) must specify, at minimum:

  • The subject matter, nature, purpose, and duration of the processing
  • The types of personal data involved and the categories of data subjects
  • The controller's instructions to the processor, including deletion requirements
  • The processor's obligations - confidentiality, data security measures, sub-processor controls
  • The processor's assistance obligations (data subject rights, breach notification)
  • Deletion or return of data at the end of the contract

TranslateBE provides a pre-signed GDPR-compliant DPA to every client who requests one. All professional translation assignments are governed by this agreement as standard.

TranslateBE

GDPR-compliant translation of confidential documents

TranslateBE processes your confidential documents on EU servers with a signed GDPR Data Processing Agreement, strict access controls, and a documented data retention policy. Your clients' data is safe.

GDPR Art. 28 DPAEU servers onlyFree quote in 1h
Request a confidential translation

Why EU server location matters

GDPR restricts the transfer of personal data outside the European Economic Area (EEA) to countries that have not been granted an adequacy decision by the European Commission or where appropriate safeguards (such as Standard Contractual Clauses) are not in place. Many translation tools - including popular machine translation APIs - process data on servers located in the United States or other non-EEA countries. Using these tools without proper data transfer safeguards constitutes a GDPR violation.

TranslateBE stores and processes all client documents exclusively on EU-based servers (Frankfurt, EU-West-1) that are subject to European data protection law. We do not use machine translation tools that transfer data outside the EEA for professional confidential assignments. Where we use assisted translation tools, these are configured to process data within the EU only.

Document retention and deletion

Good data hygiene requires that translation agencies do not retain client documents longer than necessary. TranslateBE's data retention policy provides that client documents are deleted from our systems 30 days after delivery of the completed translation. For ongoing clients, documents may be retained for longer with explicit written consent - for example, to maintain a translation memory that speeds up future projects. Clients may request immediate deletion of their documents at any time by contacting our data protection contact. All deletion requests are confirmed in writing within 72 hours.

FAQ

Frequently asked questions

Does TranslateBE use AI or machine translation to process confidential documents?

For professional sworn and confidential assignments, TranslateBE uses human translators exclusively. We do not process confidential personal data through public machine translation APIs. For non-confidential, non-personal content where speed is a priority, we offer MTPE (machine translation post-editing) with strictly EU-based tools - always with explicit client consent and a DPA in place.

What happens if there is a data breach involving my documents?

Under GDPR Article 33, a data processor (TranslateBE) must notify the data controller of a personal data breach within 72 hours of becoming aware of it. TranslateBE maintains a documented incident response procedure and will immediately inform affected clients, provide details of the nature of the breach, and cooperate fully with any regulatory investigation. Our DPA specifies these obligations in detail.

Do I need a DPA if I am only sending one document for translation?

Yes. GDPR obligations apply to every instance of personal data processing, regardless of volume. Even a single document containing personal data - a passport copy, a medical certificate, a payslip - creates a controller-processor relationship that requires a DPA. TranslateBE's DPA is a standard document that covers all current and future translation assignments under a single agreement.

Go further

Related articles on the same topic

Back to blog

Similar articles

Guides pratiques

Translation Agency vs Freelance Translator: Which Option to Choose?

Guides pratiques

Machine Translation vs Human Translation: Why AI Is Not Enough

Ready to get started?

Get your certified translation now

Free quote in 2 min · Express 24h available · 70+ languages

Request a free quote in 2 minutesTalk to an expert