Security & Privacy | about 1 month ago

GDPR and File Conversion: A Guide for European Users and Businesses

Uploading documents to online converters can trigger GDPR obligations you didn't anticipate. Here's what to know.

By HarborConvert Team

GDPR and File Processing

The General Data Protection Regulation (GDPR) applies to the processing of personal data of EU residents. "Processing" includes collecting, storing, transferring, or using data in any way. "Personal data" is any information relating to an identifiable natural person.

When you upload a document containing personal data to an online file converter — an employee contract, a customer invoice, a CV — you're transferring personal data to a third-party processor. GDPR has specific rules about this.

Controller vs. Processor

Under GDPR:

  • You are the data controller (you collected the data and decide how to use it)
  • The converter service becomes a data processor (processes data on your behalf)

GDPR Article 28 requires that you have a Data Processing Agreement (DPA) with any processor you use. Free online converters almost never offer DPAs. Using them to process personal data means you're likely in violation of GDPR.

Data Transfer Restrictions

If the converter's servers are outside the EU/EEA, GDPR Chapter V applies — international transfers require either an adequacy decision, Standard Contractual Clauses (SCCs), or another approved mechanism. Uploading an EU resident's data to a US server without these safeguards is a violation.

The Simplest Compliant Solution

Browser-based local processing sidesteps all of this. If your file never leaves your device, there's no third-party processor, no DPA required, and no international transfer. The entire GDPR data transfer framework simply doesn't apply.

HarborConvert processes everything in your browser. Your documents stay on your device. No processor relationship is created.

What If You Need Cloud-Based Conversion?

If your workflow requires cloud processing (for collaboration, automation, or document management), choose a service that:

  1. Offers a Data Processing Agreement (DPA)
  2. Uses EU-based servers or provides SCCs for international transfers
  3. Has a clear data retention and deletion policy
  4. Can document its security controls

EU-based alternatives include providers certified under ISO 27001 or SOC 2 who explicitly target GDPR compliance.

Practical Checklist

  • ✅ Does the document contain personal data? (Names, addresses, IDs, health info, etc.)
  • ✅ If yes: use local conversion or ensure you have a DPA with your converter
  • ✅ Is the converter's infrastructure in the EU or covered by SCCs?
  • ✅ Does the converter have a stated and short data retention period?
  • ✅ Can you verify deletion upon request?