DeepL and GDPR: What Is a Data Processing Agreement and How to Sign It
A translation agency in Berlin got an urgent request: translate a batch of medical documents. The project manager opened DeepL, pasted the text, got the translation in seconds. Fast, convenient, free. Two months later, a letter arrived from the Berlin data protection authority asking them to explain why patient personal data was being processed by a service with no data processing agreement in place. The fine was manageable only because they switched to a paid plan and signed a DPA immediately.
Most businesses don’t even know this contract exists or that it’s mandatory. Let’s fix that.
What Is a Data Processing Agreement and Why It Matters
A DPA (Data Processing Agreement) is a legally binding contract between a data controller and a data processor.
- Data controller - that’s you or your company. You decide why and how to process the data.
- Data processor - that’s DeepL (or any other service you send data to for processing). They process the data according to your instructions.
The requirement to have a DPA comes from Article 28 of GDPR. In plain terms: whenever you send personal data of EU residents to a third party for processing, you MUST have a written (or electronic) contract in place.
What Article 28 requires the DPA to cover:
- The processor may only process data on documented instructions from the controller
- Confidentiality obligations for everyone with access to the data
- The processor must delete or return all data at the end of the service
- The processor must provide all information needed to demonstrate GDPR compliance
- Sub-processors may only be engaged with the controller’s written consent
Penalty for violating Article 28: up to €10 million or 2% of global annual revenue - whichever is higher.
When You Need a DPA with DeepL
Quick test: does the text you’re sending for translation contain personal data?
Personal data is any information that can identify a living person: name, email, address, passport number, national ID, IP address, medical records, bank account details.
A DPA is required if you’re translating through DeepL:
- Client correspondence (contains names, email addresses)
- Contracts with individuals (contains passport data, addresses)
- Medical documentation (especially sensitive under Article 9 GDPR)
- HR documents (salaries, employee personal information)
- Client bank statements or financial records
- Legal documents referencing specific individuals
A DPA is not required for purely technical or public content: translating terms of service, technical documentation without personal data, marketing materials that don’t mention specific people. The moment “John Smith, 123 Main Street” appears in your text - it’s required.
As GDPR.eu notes, a DPA is required even when processing occurs at very low volume - there’s no threshold of “too little data to matter.”
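The quick test above can be enforced as a pre-send gate. The following is an added example, not code from the original article and not DeepL’s own: a small Python screener that flags the personal-data markers that can be matched mechanically (email addresses, IBANs validated with the ISO 7064 mod-97 check, phone numbers) and a constructed list of medical terms as an Article 9 indicator, so that text carrying such markers is only ever routed to a plan covered by a DPA. The sample texts, the term list and the function names are constructed assumptions. A pattern screen cannot recognise names or postal addresses, so a clean result does not prove the text is free of personal data; the gate catches the obvious cases and errs toward requiring the DPA.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for personal-data markers that can be matched mechanically.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")
# Phone numbers: at least nine digits with common separators. The lookahead keeps
# short digit runs such as dates (2026-05-20) out of the results.
PHONE_RE = re.compile(r"(?<!\w)\+?(?=(?:[\s().-]*\d){9})\d[\d\s().-]{7,}\d(?!\w)")
# Constructed list of words that suggest health data (Article 9 special category).
MEDICAL_TERMS = ("patient", "diagnosis", "prescription", "icd-10", "blood test")


def iban_is_valid(candidate: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    replace letters by their base-36 value (A=10 ... Z=35), result mod 97 == 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


# Detectors run in this order; a validator (if any) must accept a match before it is reported.
DETECTORS = (
    ("email", EMAIL_RE, None),
    ("iban", IBAN_RE, iban_is_valid),
    ("phone", PHONE_RE, None),
)


@dataclass
class ScreenResult:
    findings: list = field(default_factory=list)  # (label, matched text)
    special_category: bool = False  # health-data indicator found

    @property
    def dpa_required(self) -> bool:
        # Any marker, or any Article 9 indicator, means the text must only go
        # to a translation plan covered by a signed DPA.
        return bool(self.findings) or self.special_category


def screen_text(text: str) -> ScreenResult:
    result = ScreenResult()
    remaining = text
    for label, pattern, validator in DETECTORS:
        spans = []
        for m in pattern.finditer(remaining):
            if validator is None or validator(m.group()):
                result.findings.append((label, m.group()))
                spans.append(m.span())
        # Blank confirmed matches so a later detector (e.g. phone) does not
        # re-report the digits of an IBAN it already found.
        chars = list(remaining)
        for start, end in spans:
            chars[start:end] = " " * (end - start)
        remaining = "".join(chars)
    lowered = text.lower()
    result.special_category = any(term in lowered for term in MEDICAL_TERMS)
    return result


# Constructed sample inputs.
SAMPLE_MEDICAL = (
    "Patient Anna Müller (anna.mueller@example.org) reported a diagnosis on "
    "2026-05-20. Refund to IBAN DE89 3704 0044 0532 0130 00, phone +49 30 1234567."
)
SAMPLE_TECHNICAL = "Install the package and restart the service."

if __name__ == "__main__":
    for sample in (SAMPLE_MEDICAL, SAMPLE_TECHNICAL):
        r = screen_text(sample)
        print(f"dpa_required={r.dpa_required} special_category={r.special_category}")
        for label, value in r.findings:
            print(f"  {label}: {value}")
```

Running the module prints the decision for both samples; in a real pipeline the decision would sit in front of the translation call, so that a free-plan account never receives flagged text. The blanking step between detectors avoids double counting the same characters, and the IBAN validator keeps random four-character groups from being reported as bank details.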
DeepL Free vs Paid Plans: The Critical GDPR Difference
This is the most important part of this article, because this is where most businesses get it wrong.
DeepL Free - Why It Doesn’t Work for Business
On the free plan:
- A DPA cannot be signed - the feature simply isn’t available
- DeepL may use your translations to train neural networks (stated in the terms of service)
- No guarantees about data retention timelines
- No legal protection for you as a controller
If your company processes personal data of EU residents through DeepL Free - that’s a direct GDPR violation, even if your company isn’t registered in the EU but serves EU clients.
DeepL Pro / API / Teams - What You Get
On paid plans:
- A DPA is available and can be signed electronically
- Texts are deleted immediately after translation (not stored)
- Data is not used for model training (contractual guarantee)
- Data isn’t shared with other users or third parties (other than sub-processors listed in the DPA)
- Encryption in transit and at rest
As DeepL states on their data security page: “Your texts are not stored by DeepL, are not used to improve our service.”
One nuance that honest independent analysts point out: “not training” and “not retaining” are different things. Technical logs (request metadata: timestamp, file size, no content) may be kept for billing and security purposes. But this is a far better position than using the free plan.
How to Sign the DeepL DPA: Step by Step
Step 1. Get a paid plan
A DPA is only available on:
- DeepL Pro (individual or team plan)
- DeepL API (Advanced or higher)
- DeepL Business / Enterprise
The free plan won’t work here.
Step 2. Find the Legal Documents section
Log into your DeepL account → Settings → Legal Documents or Data Processing Agreement. Depending on the interface version, this might be under Account Settings → Security & Privacy.
Step 3. Use the Trust Center as an alternative path
If you can’t find it through the interface, DeepL has a separate Trust Center at deepl.safebase.us. You can request the DPA there using a corporate email address (not a personal gmail.com or outlook.com).
Step 4. Review the sub-processor list
Before signing, check the sub-processor list. These are companies DeepL shares data with to deliver the service (hosting, security, etc.). As of 2026, the list includes AWS - more on this in the next section.
Step 5. Sign electronically and save
Most companies sign electronically through the interface. Keep the signed DPA as part of your Article 30 GDPR documentation (records of processing activities). If your industry requires a wet signature (law firms, pharma) - contact DeepL sales for separate arrangements.
DeepL and AWS in 2026: A New Compliance Wrinkle
On May 20, 2026, DeepL announced it was adding AWS as a sub-processor - and this became a hot topic in regulated industries.
Until that point, all data for paid customers was processed exclusively on DeepL’s own servers in Germany and Iceland. That was one of DeepL’s biggest competitive advantages: 100% EU processing, no American cloud.
That’s changed now. What DeepL guarantees:
- Encryption in transit and at rest; encryption keys stay with DeepL, not AWS
- Customers with data residency requirements can configure EU-only processing
- BYOK (Bring Your Own Key) option - if you revoke your key, data becomes inaccessible even to AWS
- All certifications (ISO 27001, SOC 2 Type II, BSI C5, HIPAA) are maintained
Why this still matters for certain companies: the US CLOUD Act. AWS is an American company. The CLOUD Act allows US authorities to demand data from American companies regardless of where the servers physically are. Even if the data is encrypted and sitting on servers in Frankfurt - a legal request can go to AWS.
As Heise Online reported: “DeepL, which had positioned itself as an EU-first alternative to American cloud providers, is now building on the same cloud infrastructure it sought to avoid.”
For most companies this isn’t critical - DeepL remains one of the most GDPR-compliant translation services out there. But for law firms, hospitals, pharma companies, and government agencies that specifically chose DeepL for its EU-only processing, this requires a fresh risk assessment.
Customers who didn’t opt out of the new terms by May 19, 2026, will have their subscriptions terminated by December 31, 2026.
DeepL vs Google Translate: A GDPR Comparison
| Parameter | DeepL Free | DeepL Pro/API | Google Translate (free) | Google Cloud Translation API |
|---|---|---|---|---|
| DPA available | No | Yes | No | Yes |
| EU data processing | Partial | Yes (from 2026, partly via AWS) | No | No (global infra) |
| Data used for training | Yes | No (contractual) | Yes | No (stated) |
| ISO 27001 | - | Yes | No (for translation) | No (for translation) |
| SOC 2 Type II | - | Yes | No | No (for translation) |
| BSI C5 | - | Yes | No | No |
The key difference between Google Cloud Translation API and DeepL Pro: Google doesn’t pin processing to a specific region - data flows through Google’s global infrastructure. Google also collects metadata tied to your Google account, potentially used cross-service.
For EU businesses where GDPR compliance matters - DeepL Pro remains the better choice, even accounting for the AWS question.
DeepL Security Certifications in 2026
DeepL (as of May 2026) holds these independent certifications:
- ISO 27001:2022 - international information security management standard
- SOC 2 Type II - systems audit covering security, availability, confidentiality
- BSI C5 Type 2 - German cloud security standard (Federal Office for Information Security)
- HIPAA - healthcare data protection standard
- GDPR - EU regulatory compliance
All certifications are available for review in DeepL’s Trust Center. This is important for enterprise clients who need to document due diligence when selecting a vendor.
What to Include in Your Article 30 Processing Register
Once you’ve signed a DPA with DeepL, update your internal Article 30 GDPR register. Here’s what to include:
| Field | Example for DeepL |
|---|---|
| Processing activity name | Machine translation of documents |
| Purpose of processing | Translation services, internal communication |
| Categories of data | Personal data (names, addresses); possibly sensitive (medical) |
| Categories of data subjects | Clients, partners, employees |
| Processor | DeepL SE, Maarweg 165, 50825 Cologne, Germany |
| Sub-processors | Per list in DPA (includes AWS from 2026) |
| Legal basis | Article 6(1)(b) or (f) GDPR |
| Retention period | Deleted immediately after translation (DeepL Pro) |
| Security safeguards | Encryption, ISO 27001, SOC 2 Type II |
Practical Tips
Check which plan your team is actually using. If someone on the team “just uses DeepL” - verify it’s a paid plan with DPA coverage. A corporate license needs to cover everyone processing client data.
Identify which documents contain personal data. Not every translation requires a DPA - only those involving personal data of EU residents. If you’re translating only public-facing materials, you don’t need one.
Request a DPA from all your translation providers. DeepL isn’t the only tool where this matters. If you use Google Cloud Translation, Azure Translator, or others - each one needs a signed DPA.
Watch the sub-processor list. Your DeepL DPA includes a sub-processor list. Under GDPR, when a sub-processor changes, you must be notified and have the right to object. That’s exactly what happened in May 2026 with AWS.
Enterprise deployment for highly sensitive data. For law firms, hospitals, and government agencies, DeepL offers an enterprise option where you can deploy in your own IT environment via AWS Marketplace. In that setup, data never leaves your infrastructure at all.
Sources
- GDPR Article 28 — Processor obligations (EUR-Lex)
- DeepL Pro Data Security
- DeepL Trust Center
- DeepL expands infrastructure — AWS migration (official blog)
- Cybernews: DeepL AWS data sovereignty concerns
- Compound Law: GDPR analysis of DeepL DPA
- GDPR.eu: What is a Data Processing Agreement
- Heise Online: DeepL now relies on AWS