Legal documents, medical records, and personal correspondence — translators handle some of the most sensitive personal data in any profession. And GDPR applies to all of it.
This is a summary. Read the full guide on the Custodia blog.
Why Translation Agencies Face Significant GDPR Exposure
Translation is a unique profession in the data protection world. Unlike most businesses, translation agencies and language service providers (LSPs) don't just hold personal data — they actively read it, process it, and reproduce it in another language.
If your agency translates legal contracts, medical records, immigration documents, HR files, personal correspondence, or financial statements, you are a data processor under GDPR. The moment a document containing personal data is handed to a translator, that personal data is being processed — reading, storing, transmitting, copying, and reproducing data all qualify under GDPR's definition.
The stakes are high:
- Volume of sensitive data: Translation projects routinely involve hundreds or thousands of people's personal information
- Multi-party processing chains: Data flows from clients to agencies to freelancers to tools and back
- Special category data: Health information, religious content, criminal records, immigration status
- Cross-border transfers: Documents are often sent to translators or tools outside the EU
Types of Documents Translated
- Legal documents — Contracts, court judgments, witness statements
- Medical records — Patient notes, discharge summaries, clinical trial documents (special category data under Article 9)
- Immigration documents — Visa applications, asylum claims, birth certificates
- HR files — Employment contracts, disciplinary records, payroll information
- Personal correspondence — Letters, emails, witness statements
- Financial statements — Bank statements, tax returns, financial disclosures
Special Category Data in Source Texts
GDPR Article 9 imposes stricter obligations on special category data: health data, racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic data, sexual orientation, and criminal convictions. Translation agencies regularly encounter all of these.
Controller vs. Processor
Most translation agencies are data processors when working on client documents. The client is the data controller. This means:
- You need a written Data Processing Agreement (DPA) with every client whose documents contain personal data
- You can only process data for the agreed purpose — translation
- You must implement appropriate security measures
- You must assist clients with data subject rights requests
- You must notify clients of data breaches
Freelance Translators as Sub-Processors
When you engage freelancers, they become sub-processors under GDPR Article 28(2). Requirements:
- Written sub-processing agreements with every freelancer
- Client notification when sub-processors change
- You remain liable if a freelancer causes a data breach
- Vetting that freelancers implement appropriate security
CAT Tools and Cloud Platforms
Cloud-based CAT tools (Phrase, memoQ cloud, Transifex) store translation memories and project files on third-party servers — making the vendor a sub-processor. For every cloud-based tool: obtain a DPA, check server location, understand retention policies.
Machine Translation: The Free MT Problem
Free versions of DeepL, Google Translate, and Microsoft Translator are not appropriate for confidential or personal data. They may use submitted text to train models, there's no DPA, and you have no contractual protection. Use paid API versions with DPAs, or on-premise MT engines.
Secure Document Transfer
High-risk: standard email attachments, WhatsApp, personal Dropbox, free WeTransfer.
Lower-risk: business-grade cloud storage with DPA, purpose-built translation portals, SFTP servers.
Document Retention
- Source documents: delete after translation + revision period, unless there is a specific legal reason to retain them
- Translation memories: complex — segments may include personal data
- Client contact data: duration of relationship + 6–7 years for legal/accounting
Compliance Checklist
Freelance translators:
- Privacy policy on your website
- GDPR obligations in translator agreements
- DPAs for cloud-based tools
- No free MT tools for confidential data
- Secure document transfer method
- Document deletion policy
Translation agencies:
- DPA template for client relationships
- Sub-processor agreements with all freelancers
- DPAs for all cloud tools
- Secure client portal or file transfer
- Data retention policy
- Data breach response procedure
- Records of Processing Activities (RoPA)
The starting point is understanding what personal data flows through your systems. Custodia can scan your website to identify what data is being collected and whether your privacy infrastructure is in place — free scan, 60 seconds.