Why GDPR and file converters are connected
When an employee uploads a PDF file to an online tool to convert it to an editable Word document, data processing within the meaning of the GDPR takes place. The uploaded file can contain personal data – contract data, customer names, salary information, health data. Every upload to a cloud service is potentially a data transfer to a third party.
The reality: In German companies, thousands of files are processed through online converters every day – often without the IT department or data protection officer knowing. Shadow IT is particularly widespread with file converters because the tools are free, fast, and seemingly harmless. According to a KPMG (2024) survey of 200 German SMEs, 73% of employees use an online converter at least once a week – and 89% of them have not signed a DPA with the provider.
The legal basis
Under GDPR, every data processing activity requires a legal basis (Art. 6 GDPR). For file converters, two are mainly relevant:
- Art. 6(1)(b) GDPR – Contract performance: When conversion is necessary to fulfill a contract with the customer
- Art. 6(1)(f) GDPR – Legitimate interest: When conversion is required for business operations and no overriding interests of data subjects oppose it
For special categories of personal data (Art. 9 GDPR) – health data, biometric data, religious beliefs – the legal situation is significantly stricter. A hospital converting patient records via an online PDF-to-DOCX converter needs explicit consent or a specific exception. The same applies to lawyers converting client data or financial advisors processing customer documents.
The Data Processing Agreement (Art. 28 GDPR)
When a company uses a cloud-based file converter, the provider acts as a data processor. The company must conclude a Data Processing Agreement (DPA) with the provider. This contract regulates:
- Type and scope of data processing
- Technical and organizational measures (TOMs)
- Deletion obligations after conversion is complete
- Notification and audit obligations
- Location of data processing (EU vs. third country)
The problem: Most free online converters do not offer a DPA. Without a DPA, use by companies is illegal under GDPR – even if the provider claims to delete data immediately.
Third-country transfers: When data leaves the EU
Many cloud converters have servers in the US or other third countries. Data transfers to a third country require additional safeguards under Art. 44 ff. GDPR:
- Adequacy decision by the EU Commission (e.g., EU-US Data Privacy Framework)
- Standard Contractual Clauses (SCCs) with supplementary measures
- Binding Corporate Rules (for corporate groups)
Without these safeguards, any file transfer to a US server is illegal. Penalties: up to €20 million or 4% of global annual turnover (Art. 83 GDPR).
Browser-based conversion as a GDPR solution
The most elegant way to avoid GDPR issues: Don't upload files to a server in the first place. Browser-based converters like wandlio.de process images entirely locally in the user's browser – the file never leaves the device:
- No data transfer to a third party
- No DPA needed – because no data processing relationship arises
- No third-country issue – because no data leaves the EU
- No logging risk – because no data reaches the server
For image conversions like HEIC to JPG, PNG to WebP, or JPG to AVIF, this works perfectly. All image conversions on wandlio.de run entirely in the browser.
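To make concrete what "the file never leaves the device" looks like in code, here is an added example of a purely client-side image conversion. It is not wandlio.de's own code: it reads the chosen file with the File API, checks the container from its leading bytes (PNG, JPEG, WebP, HEIC, AVIF), decodes it with the browser's built-in decoder, re-encodes it through a canvas and hands the result back as a Blob for download. No fetch() or XMLHttpRequest appears anywhere, so there is nothing to upload. The element id `#file`, the WebP target and the assumption that the browser can decode the input (HEIC support varies by browser) are all this example's own.

```javascript
// Added example, not wandlio.de's own code: an image conversion that runs
// entirely inside the browser. The File API reads the file, the browser's own
// image decoder decodes it, a canvas re-encodes it, and the result is handed
// back as a Blob. No fetch() or XMLHttpRequest is involved, so the bytes never
// leave the device.

// Identify the container from its leading bytes rather than trusting the file
// extension or the MIME type guessed by the operating system.
function sniffImageType(bytes) {
  const b = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  const ascii = (off, len) => String.fromCharCode(...b.subarray(off, off + len));
  if (b.length >= 8 && b[0] === 0x89 && ascii(1, 3) === 'PNG') return 'image/png';
  if (b.length >= 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff) return 'image/jpeg';
  if (b.length >= 12 && ascii(0, 4) === 'RIFF' && ascii(8, 4) === 'WEBP') return 'image/webp';
  // HEIC and AVIF share the ISO Base Media File Format: the first box is
  // 'ftyp' and its brand list tells the two apart.
  if (b.length >= 16 && ascii(4, 4) === 'ftyp') {
    const boxLen = ((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]) >>> 0;
    const end = Math.min(boxLen || b.length, b.length);
    const brands = [];
    for (let off = 8; off + 4 <= end; off += 4) {
      if (off === 12) continue; // bytes 12..15 are minor_version, not a brand
      brands.push(ascii(off, 4));
    }
    if (brands.some((x) => x === 'avif' || x === 'avis')) return 'image/avif';
    if (brands.some((x) => ['heic', 'heix', 'mif1', 'heif'].includes(x))) return 'image/heic';
  }
  return null;
}

// Browser-only part: decode, redraw, re-encode. Assumes a browser that offers
// createImageBitmap and OffscreenCanvas; HEIC decoding support varies.
async function convertImageLocally(file, targetMime, quality = 0.9) {
  const bytes = new Uint8Array(await file.arrayBuffer());
  const detected = sniffImageType(bytes);
  if (detected === null) throw new Error('not a supported image container');
  const bitmap = await createImageBitmap(new Blob([bytes], { type: detected }));
  const canvas = new OffscreenCanvas(bitmap.width, bitmap.height);
  canvas.getContext('2d').drawImage(bitmap, 0, 0);
  bitmap.close();
  return canvas.convertToBlob({ type: targetMime, quality });
}

// Wiring for a page with <input type="file" id="file"> (assumed element id).
// Guarded so the module also loads outside a browser, e.g. for unit tests.
if (typeof document !== 'undefined') {
  document.querySelector('#file')?.addEventListener('change', async (ev) => {
    const blob = await convertImageLocally(ev.target.files[0], 'image/webp');
    const link = document.createElement('a');
    link.href = URL.createObjectURL(blob);
    link.download = 'converted.webp';
    link.click();
  });
}
```

A practitioner verifying a vendor's "browser-only" claim can open the browser's network panel while converting: a genuinely local converter produces no request carrying the file. Operators can enforce this with a Content Security Policy such as `connect-src 'none'`, which makes any attempt to upload fail visibly.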
Server-side conversion: What to watch for
Not all formats can be converted in the browser. Document conversions like Word to PDF or EPUB to PDF require server-side tools. Strict requirements apply:
- Immediate deletion after conversion – not after hours, but instantly from RAM
- No disk writes – processing exclusively in memory
- No logging of file names, contents, or IP addresses
- No caching of results
- Encrypted transmission (HTTPS/TLS)
- Server location in the EU
wandlio.de meets all these criteria for server-side conversion. Details on the security page.
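The rules above (in-memory only, immediate deletion, no logging of names, contents or addresses) translate into a small discipline in the conversion code itself. The following is an added example, not wandlio.de's implementation: a conversion step that takes an upload as a Buffer, converts it, overwrites the input bytes as soon as the result exists, and writes a log record that contains only metrics. The converter used is a stand-in (CSV text to JSON, no quoting support) so the example runs without any document library; the field names of the upload object and of the log record are assumptions. TLS termination and EU hosting are deployment settings and are not shown.

```javascript
// Added example, not wandlio.de's own code: a server-side conversion step
// built around the rules above. The upload stays in RAM, is converted, and
// the input buffer is overwritten as soon as the result exists. The only log
// record written is metrics: sizes, duration, outcome. No file name, file
// content or client IP ever reaches the log.

// Stand-in converter so the example is self-contained: CSV text to JSON,
// header row as keys, no quoting support. A real service would call its
// document converter here, still on the in-memory buffer.
function csvToJson(csvText) {
  const lines = csvText.split(/\r?\n/).filter((l) => l.length > 0);
  if (lines.length === 0) return '[]';
  const header = lines[0].split(',');
  const rows = lines.slice(1).map((line) => {
    const cells = line.split(',');
    return Object.fromEntries(header.map((h, i) => [h, cells[i] ?? '']));
  });
  return JSON.stringify(rows);
}

// Fields a converter log record may contain; anything else is a TOM violation.
const ALLOWED_LOG_FIELDS = new Set(['ts', 'inBytes', 'outBytes', 'durationMs', 'outcome']);

function logRecordIsMetricsOnly(record) {
  return Object.keys(record).every((k) => ALLOWED_LOG_FIELDS.has(k));
}

// upload = { bytes: Buffer, declaredName: string, clientIp: string } as an
// HTTP layer would hand it over (assumed shape). declaredName and clientIp are
// deliberately never read here: the request handler needs them, the
// conversion does not, and the log must not see them.
function convertInMemory(upload, converter, log) {
  const started = performance.now();
  const inBytes = upload.bytes.length;
  let output = null;
  let outcome = 'error';
  try {
    output = Buffer.from(converter(upload.bytes.toString('utf8')), 'utf8');
    outcome = 'ok';
  } finally {
    // Immediate deletion: overwrite the input instead of waiting for the GC.
    upload.bytes.fill(0);
    log.push({
      ts: Date.now(),
      inBytes,
      outBytes: output ? output.length : 0,
      durationMs: Math.round(performance.now() - started),
      outcome,
    });
  }
  return output;
}

// Runs the pipeline once on constructed input (not real customer data) and
// reports what an auditor would want to see: the result, whether the input
// was wiped, and the log that was produced.
function demo() {
  const upload = {
    bytes: Buffer.from('name,email\nAnna Muster,anna@example.test\n', 'utf8'),
    declaredName: 'kundenliste.csv',
    clientIp: '203.0.113.5',
  };
  const log = [];
  const result = convertInMemory(upload, csvToJson, log);
  return {
    result: result.toString('utf8'),
    inputWiped: upload.bytes.every((b) => b === 0),
    log,
  };
}
```

The `finally` block is the important part: the input is wiped and the metrics record is written whether the conversion succeeds or throws, so a crashing converter cannot leave customer data lingering in memory or an error path that logs the file name. The allowlist of log fields is what an auditor checks against the "no logging" requirement.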
Practical checklist for companies
- ✅ Inventory: Which file converters are used? Include shadow IT!
- ✅ Legal basis: Is there a DPA with every cloud converter provider?
- ✅ Third-country check: Where are the servers located?
- ✅ Deletion periods: Are files truly deleted immediately?
- ✅ Browser-first: Can required conversions be done browser-based?
- ✅ DPIA: Conduct Data Protection Impact Assessment for sensitive data
- ✅ Employee training: Sensitize staff to online converter risks
- ✅ Whitelisting: Only allow approved converter tools
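The first and last items of the checklist (inventory including shadow IT, and whitelisting) can be started from data most companies already have: web-proxy logs. The following is an added example, not a wandlio.de tool: it reads proxy log lines, picks out uploads that look like converter traffic, and reports each receiving host as approved or unapproved. The log line format, the size threshold, the path heuristic and every host except wandlio.de are constructed for this example; the request paths, including the one under wandlio.de, are invented and not the site's real endpoints.

```javascript
// Added example, not wandlio.de's own code: a first pass at the "Inventory"
// and "Whitelisting" steps above. It reads web-proxy log lines and reports
// which hosts receive file uploads that look like converter traffic, split
// into approved and unapproved tools.

// Approved tools (allowlist). wandlio.de is the one named on this page.
const APPROVED_CONVERTERS = new Set(['wandlio.de']);
// Converter hosts already known to IT, e.g. from a CASB export. Placeholders.
const KNOWN_CONVERTER_HOSTS = new Set(['converter-one.example', 'pdf-tools.example']);
// Path fragments typical of conversion endpoints; catches tools not yet listed.
const CONVERTER_PATH_HINT = /convert|pdf2|2pdf|-to-(pdf|docx|jpg|png|webp)/i;
// Below this request body size a POST is unlikely to carry a document.
const MIN_UPLOAD_BYTES = 50 * 1024;

// Constructed line format:
// "<iso-timestamp> <client-ip> <method> <url> <bytes-sent> <status>"
function parseProxyLine(line) {
  const m = line.trim().match(/^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$/);
  if (!m) return null;
  return { ts: m[1], clientIp: m[2], method: m[3], url: m[4], bytesSent: Number(m[5]), status: Number(m[6]) };
}

function looksLikeConverterUpload(entry) {
  if (entry.method !== 'POST' && entry.method !== 'PUT') return false;
  if (entry.bytesSent < MIN_UPLOAD_BYTES) return false;
  let url;
  try { url = new URL(entry.url); } catch { return false; }
  return APPROVED_CONVERTERS.has(url.hostname)
    || KNOWN_CONVERTER_HOSTS.has(url.hostname)
    || CONVERTER_PATH_HINT.test(url.pathname);
}

// Returns one summary per converter host, unapproved hosts first.
function findConverterUploads(lines) {
  const byHost = new Map();
  for (const line of lines) {
    const entry = parseProxyLine(line);
    if (!entry || !looksLikeConverterUpload(entry)) continue;
    const host = new URL(entry.url).hostname;
    const s = byHost.get(host)
      ?? { host, approved: APPROVED_CONVERTERS.has(host), uploads: 0, bytes: 0, clients: new Set() };
    s.uploads += 1;
    s.bytes += entry.bytesSent;
    s.clients.add(entry.clientIp);
    byHost.set(host, s);
  }
  return [...byHost.values()]
    .map((s) => ({ ...s, clients: s.clients.size }))
    .sort((a, b) => Number(a.approved) - Number(b.approved) || a.host.localeCompare(b.host));
}

// Constructed sample log. Internal clients use 10.0.0.0/8; all hosts except
// wandlio.de and all request paths are invented for this example.
const SAMPLE_PROXY_LOG = [
  '2024-05-03T09:12:44Z 10.0.4.17 POST https://converter-one.example/upload 1843201 200',
  '2024-05-03T09:13:02Z 10.0.4.17 GET https://converter-one.example/download/abc 512 200',
  '2024-05-03T09:40:10Z 10.0.7.3 POST https://converter-one.example/upload 920044 200',
  '2024-05-03T10:02:51Z 10.0.2.9 POST https://unknown-tool.example/pdf-to-docx/convert 2210000 200',
  '2024-05-03T10:15:07Z 10.0.4.17 POST https://intranet.corp.example/api/upload 5000000 200',
  '2024-05-03T11:01:33Z 10.0.9.21 POST https://wandlio.de/upload 733120 200',
];
```

Run over `SAMPLE_PROXY_LOG`, the report lists two unapproved hosts, one of them found only through the path heuristic, and one approved host; the intranet upload is ignored because neither its host nor its path marks it as converter traffic. The same output feeds the whitelisting step: every unapproved host is either blocked at the proxy or goes through the DPA and third-country check before being added to the allowlist.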
Conclusion
File converters are an underestimated GDPR risk in companies. Cloud-based converters without DPA and servers outside the EU are illegal. Browser-based converters like wandlio.de offer the safest solution – for images, the file is never transmitted; for documents, strict deletion and processing rules apply. Check your current usage and switch to GDPR-compliant alternatives.
Technical Measures (TOMs) for Converters
Under Art. 32 GDPR, companies must implement appropriate technical and organizational measures. For file converters, this means:
- Encryption: HTTPS/TLS for all transfers. AES-256 for stored data if storage is unavoidable
- Access control: Only authorized personnel may access converter infrastructure. Role-based access control (RBAC)
- Logging restrictions: No logging of file contents or personal data in converter logs. Only metrics like conversion duration and file size
- Automatic deletion: Files must be deleted after a maximum of 60 minutes – ideally wiped from RAM immediately after conversion
- Network isolation: Converter servers in an isolated network segment without access to other corporate systems
wandlio.de implements all these TOMs: HTTPS-only, no storage, immediate RAM deletion, isolated containers per conversion, and servers exclusively in German data centers.
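Where a result has to wait for the user to download it, the "maximum of 60 minutes" rule needs an enforcement point rather than a promise. The following is an added example, not wandlio.de's implementation: a small in-memory holding area in which a download wipes the stored copy on the spot, and a periodic sweep wipes anything older than the retention limit. The clock is injectable so the 60-minute behaviour can be tested without waiting; the class and its method names are this example's own.

```javascript
// Added example, not wandlio.de's own code: a holding area for conversion
// results that enforces the retention TOM above. Results wait in RAM for
// download; a download wipes the buffer immediately, and anything not picked
// up is wiped by a sweep no later than MAX_RETENTION_MS after it was stored.

const MAX_RETENTION_MS = 60 * 60 * 1000; // the 60-minute upper bound

class ResultStore {
  // now() is injectable so retention can be tested with a fake clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.items = new Map();
    this.wipedCount = 0; // metric only; never the ids or contents
  }

  put(id, buffer) {
    this.items.set(id, { buffer, storedAt: this.now() });
  }

  // One-shot download: hand out a copy and wipe our own bytes right away.
  take(id) {
    const item = this.items.get(id);
    if (!item) return null;
    this.items.delete(id);
    const out = Buffer.from(item.buffer);
    item.buffer.fill(0);
    this.wipedCount += 1;
    return out;
  }

  // Called from a timer (e.g. once a minute): wipe everything past its deadline.
  // Returns how many results were wiped, suitable for a metrics log.
  sweep() {
    let wiped = 0;
    for (const [id, item] of this.items) {
      if (this.now() - item.storedAt >= MAX_RETENTION_MS) {
        item.buffer.fill(0);
        this.items.delete(id);
        wiped += 1;
      }
    }
    this.wipedCount += wiped;
    return wiped;
  }

  size() {
    return this.items.size;
  }
}
```

The store never writes to disk and never logs ids or contents, only the count of wiped results. A second `take()` for the same id returns null, which is the observable guarantee that the stored copy is gone after one download.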
Real Penalties and Cases
GDPR is not just discussed but enforced. Some relevant cases involving data processing by third parties:
- Meta (Ireland, 2023): 1.2 billion euro fine for third-country transfers without adequate safeguards. The case shows that SCCs alone are not enough when the recipient's practices undermine EU standards
- Example case (Germany, 2022): 60,000 euro fine for missing DPA with a cloud service provider
- Digital learning platform (Germany, 2021): 30,000 euro fine for data processing without legal basis
Apart from the Meta case, the affected parties were not large corporations but SMEs and educational institutions. GDPR affects companies of all sizes.
Specific Risks with File Converters
File converters are particularly risky because uploaded files often contain unknown content. An employee uploads an Excel file with customer data without knowing that the converter stores files on a US server. The risks:
- Unknown data categories: IT cannot control what type of data is loaded into the converter
- Automatic storage: Many converters temporarily store files on disk – even if they claim immediate deletion
- Analytics and tracking: Some converters use uploaded files for ML training or quality metrics
- Data leaks: Converter databases are an attractive target for hackers
The combination of unknown content and lack of control makes file converters a GDPR high-risk factor. Browser-based conversion eliminates all these risks completely.