€15 million. That’s what OpenAI paid Italy’s data protection authority Garante for violating GDPR. And that’s getting off easy - TikTok handed over €530 million for transferring European users’ data to Chinese servers. Since 2018, EU regulators have issued over 2,800 fines totaling more than €6.2 billion. If your translation business uses AI tools to process client documents - every click of “Translate” is legally your responsibility. And “I didn’t know” won’t fly with a regulator.
What GDPR Requires from Businesses Using AI Translation
When a translation agency or freelancer uploads a client contract into DeepL or ChatGPT - that’s not just “translation.” Under GDPR, it’s personal data processing. Names, addresses, passport numbers, medical diagnoses in those documents - all personal data, and the law is very specific about who can handle it and how.
Here’s the key distinction: you’re the data controller, and the AI tool is the data processor. The controller decides why and how data gets processed. The processor carries out the processing under the controller’s instructions. And the responsibility for choosing a trustworthy processor? That’s on you.
Three GDPR articles you should know by heart:
Article 28 - Data Processing Agreement (DPA). You’re required to sign a DPA with every AI service that processes your clients’ personal data. Without a DPA, using any tool for documents containing personal data is a direct GDPR violation. Fine: up to €10 million or 2% of annual turnover.
Articles 44-49 - Cross-border data transfers. If the AI service stores data in the US (like OpenAI) - you need additional safeguards: Standard Contractual Clauses (SCC), Adequacy Decisions, or other transfer mechanisms. After Privacy Shield was struck down in 2020 and the EU-US Data Privacy Framework was adopted in 2023, the situation is still legally shaky, and not every service has properly documented transfer mechanisms.
Article 25 - Privacy by Design. Data protection must be built into your processes from the start. This means: pick tools that minimize data collection and storage by default, not ones where you have to manually toggle off model training on your texts.
DPA: The Document You Can’t Work Without
A Data Processing Agreement isn’t optional and isn’t a “nice bonus.” It’s a legal requirement under GDPR (Article 28). If you process clients’ personal data through an AI tool and don’t have a signed DPA with that service - you’re breaking the law. Even if there’s never been a data breach.
What a DPA must include:
- Subject and duration of processing
- Categories of personal data being processed
- Processor obligations: encryption, access restrictions, deletion after processing
- List of sub-processors (which other companies have access to the data)
- Data breach notification procedure (72 hours under GDPR)
- The controller’s right to audit
Who provides a DPA:
| Service | DPA available? | How to get it |
|---|---|---|
| DeepL Pro | Yes | Automatically with subscription, downloadable from site |
| ChatGPT Enterprise / API | Yes | Through OpenAI portal |
| Google Cloud Translation | Yes | Through Google Cloud Console |
| Azure Translator | Yes | Through Azure Terms of Service |
| Claude API | Yes | Through Anthropic Privacy Center |
| Free versions (all) | No | DPA not provided |
Notice the last row. No free AI translator provides a DPA. This means: if you’re using free DeepL, Google Translate, or ChatGPT Free for documents containing personal data - you’re automatically violating GDPR, even without a breach.
For a deeper look at what happens to your text in each service - we covered that in a separate article.
Comparing AI Tools by GDPR Compliance
| Criterion | DeepL Pro | ChatGPT API | Google Cloud Translation | Azure Translator | Claude API |
|---|---|---|---|---|---|
| DPA | ✅ | ✅ | ✅ | ✅ | ✅ |
| ISO 27001 | ✅ | ✅ | ✅ | ✅ | ✅ |
| SOC 2 Type II | ✅ | ✅ | ✅ | ✅ | ✅ |
| EU data centers | ✅ (DE, FI) | ❌ (US) | ✅ (configurable) | ✅ (configurable) | ✅ (via AWS/GCP) |
| No-Trace | ✅ | ❌ (logs 30 days) | ✅ | ✅ | ❌ (logs 7 days) |
| Trains on data | ❌ | ❌ | ❌ | ❌ | ❌ |
| HIPAA | ✅ | ✅ (Enterprise) | ✅ | ✅ | ❌ |
| Price from | $8.74/mo | $0.002/1K tokens | $20/1M chars | $10/1M chars | $3/1M tokens |
Let’s break down each one.
DeepL Pro: The Easiest Path to Compliance
DeepL is a German company headquartered in Cologne. Data is processed in the EU (Germany, Finland), and the company falls directly under European law - no additional cross-border transfer agreements needed.
Certifications: ISO 27001, SOC 2 Type II, BSI C5 Type 2 (a German government standard for cloud services). DPA is automatically included with your subscription. Text is deleted immediately after translation - no logs, no training.
Downside: DeepL is NMT (neural machine translation), not an LLM. It’s great for standard documents. For complex texts that need style adaptation or context awareness - LLMs have the edge.
ChatGPT API / Enterprise: Powerful, But With Caveats
OpenAI received a €15 million fine from Italy’s Garante for GDPR violations during model training. That doesn’t mean the API version is unsafe - but it means the company has already been on regulators’ radar.
Through the API, data isn’t used for training. It’s stored in logs for 30 days for abuse monitoring. The Enterprise tier has Zero Data Retention (ZDR) - text isn’t stored at all. DPA is available.
The main issue: data centers are in the US. Transferring data from the EU requires the EU-US Data Privacy Framework. OpenAI claims compliance, but after Privacy Shield (2020) and Safe Harbor (2015) were both struck down, transatlantic data transfers remain legally unstable.
If you’re already working with ChatGPT - there are specific prompts and approaches for document translation that help you get better results.
Google Cloud Translation API
Google Cloud offers regional endpoints - you can choose exactly where your data gets processed. European endpoints are available, which eliminates cross-border transfer concerns. DPA is included in Google Cloud Terms. Certifications: the full set - ISO, SOC, CSA STAR.
Text isn’t stored after translation and isn’t used for training. But that only applies to the Cloud API. Free Google Translate is a completely different story: we compared it with DeepL and transparency around data handling is much weaker there.
Azure Translator: No-Trace as the Default
Microsoft Azure Translator is the only major service with a No-Trace policy by default across all tiers, including the free one. Text is never written to persistent storage - not before, not after translation.
Certifications: ISO 27001, SOC 1/2/3, HIPAA, FedRAMP, CSA STAR. DPA through Azure Terms. Data centers can be selected by region, with multiple European locations available.
For businesses handling medical, legal, or financial documents who want to minimize risk - Azure Translator is objectively the safest choice on formal criteria. Downside: integration is more complex than DeepL and requires technical expertise.
Claude API (Anthropic)
As of March 2026, Anthropic announced full security certifications for Claude, including SOC 2 and ISO 27001. DPA is available through the Anthropic Privacy Center. API data isn’t used for training, and logs are deleted after 7 days.
For EU data residency: Claude is available through AWS Bedrock in Frankfurt or Google Vertex AI in Frankfurt. This keeps data physically in the EU and significantly simplifies GDPR compliance.
Claude as an LLM handles context-heavy translations exceptionally well. If you’re looking for the best quality AI translator - Claude is one of the leaders.
Where Your Data Physically Lives - And Why It’s Critical
GDPR restricts transferring personal data outside the EU (Articles 44-49). If you’re translating a client’s document from Berlin through a server in California - that’s a cross-border transfer, and it needs legal justification.
| Mechanism | Status in 2026 | Risk |
|---|---|---|
| EU-US Data Privacy Framework | Active since 2023 | Could be struck down (like the two previous frameworks) |
| Standard Contractual Clauses (SCC) | Active | Requires Transfer Impact Assessment (TIA) |
| EU-based data center | Most reliable option | Depends on service capabilities |
Practical recommendation: choose services with EU data centers. DeepL (Germany - automatic), Azure Translator (pick an EU region), Google Cloud (EU endpoint), Claude via AWS/GCP Frankfurt. It’s the simplest way to avoid cross-border transfer headaches.
EU AI Act: The Second Regulatory Wave Hits August 2, 2026
GDPR isn’t the only law affecting AI translation. The EU AI Act adds another layer of requirements. Key date: August 2, 2026 - rules for high-risk AI systems take effect.
According to Slator (2024), two-thirds of language service providers already use AI tools regularly. That means AI Act requirements will hit most businesses in the industry.
What’s changing:
- AI Literacy (Article 4): everyone using AI must have adequate AI literacy. This requirement has been active since February 2025.
- Transparency: if you’re using AI for translation - clients have a right to know. In some cases, AI-generated content must be labeled.
- Risk management: businesses using AI in areas affecting people’s rights (legal documents, medical reports) may face heightened requirements.
GDPR fines you for data processing violations. The AI Act will add fines for improper use of AI systems. This dual regulatory burden is the reality you need to prepare for now.
By the way, AI translation risks go beyond data. AI hallucinations in legal translations are a separate threat with their own legal consequences.
Checklist: Making Your Translation Business GDPR-Compliant
1. Switch to paid versions for documents with personal data
Free AI translators don’t have DPAs and often use your text for training. The minimum investment is $8-10/month for DeepL Pro or a few dollars per API call. Compare that to a potential fine of up to €10 million.
2. Sign a DPA with every AI service you use
Download and store DPAs from DeepL, OpenAI, Google, Microsoft, or Anthropic - depending on what you use. These should be in your compliance documentation folder, ready for audit.
3. Pick services with EU data centers
DeepL (automatically in Germany), Azure Translator (pick an EU region), Google Cloud (EU endpoint), Claude via AWS Bedrock Frankfurt. This way you avoid the complex questions around cross-border data transfers.
4. Document your data processing activities
Create a Record of Processing Activities (ROPA). Specify: what data you process, through which tools, on what legal basis, how long you retain it. This is an Article 30 GDPR requirement, and auditors will ask for it first.
5. Anonymize documents before AI translation
Replace names, addresses, account numbers with placeholders: [NAME], [ADDRESS], [NUMBER]. After translation, swap the real data back in. It’s an extra step, but for sensitive documents it dramatically cuts risk. The right translation prompts also help you keep control over what the model does with your text.
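The placeholder swap described in this step, as an added example that is not code from this article or from any of the services it covers. It uses indexed placeholders such as [NAME_1] (an extension of the [NAME] form above, so each value can be restored unambiguously); the function names, regex patterns and sample text are assumptions made for illustration.

```python
import re

# Constructed patterns for illustration; tune them per document type.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "NUMBER": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}(?: ?[A-Z0-9]{1,3})?\b"),  # IBAN-like
}
# Constructed sample. Regex cannot find names or addresses, so they are supplied.
SAMPLE = ("Anna Schmidt (anna.schmidt@example.com) pays rent to IBAN "
          "DE89 3704 0044 0532 0130 00. Anna Schmidt lives at Hauptstrasse 5, 50667 Koeln.")
KNOWN = {"NAME": ["Anna Schmidt"], "ADDRESS": ["Hauptstrasse 5, 50667 Koeln"]}


def pseudonymize(text, known_terms=None):
    """Return (masked_text, mapping); mapping is placeholder -> original and stays local."""
    mapping, seen, counters = {}, {}, {}

    def token_for(label, value):
        if value not in seen:  # the same value always gets the same placeholder
            counters[label] = counters.get(label, 0) + 1
            seen[value] = f"[{label}_{counters[label]}]"
            mapping[seen[value]] = value
        return seen[value]

    # Literal terms first, longest first, so a full name wins over a first name.
    for label, terms in (known_terms or {}).items():
        for term in sorted(terms, key=len, reverse=True):
            text = re.sub(re.escape(term), lambda m, l=label: token_for(l, m.group()), text)
    for label, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, l=label: token_for(l, m.group()), text)
    return text, mapping


def restore(translated, mapping):
    """Swap originals back in; refuse if the engine dropped or altered a placeholder."""
    missing = [ph for ph in mapping if ph not in translated]
    if missing:
        raise ValueError(f"placeholders lost in translation: {missing}")
    for placeholder, original in mapping.items():
        translated = translated.replace(placeholder, original)
    return translated
```

Only the masked text leaves your machine; the mapping is itself personal data and should be stored and deleted under the same rules as the source document.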
6. Inform your clients
Add a clause to your client contract about AI tool usage. Specify which services you use and what security measures you apply. Transparency builds trust and protects you legally.
7. Audit your sub-processors
Every AI service has its own sub-processors - cloud providers, CDN networks, monitoring services. Make sure this information is accessible and that sub-processors are also GDPR-compliant.
8. Prepare for the AI Act
Get your team up to speed on AI literacy (Article 4 of the AI Act is already in effect). Document which AI systems you use and for what purpose. Full compliance deadline for high-risk systems: August 2, 2026.
FAQ
Can I use free DeepL for translating client documents?
If the documents contain personal data (names, addresses, numbers) - no. Free DeepL doesn’t provide a DPA and uses texts to train its models. DeepL itself explicitly prohibits this in the free version’s terms of use. DeepL Pro (from $8.74/month) solves the problem: DPA included, texts deleted immediately after translation.
What’s a DPA and why is it mandatory?
A Data Processing Agreement is a contract between you (data controller) and the AI service (data processor) that governs personal data processing. Article 28 GDPR makes it mandatory. Without a DPA, using any cloud tool for documents with personal data is a legal violation. Fine: up to €10 million or 2% of annual turnover.
Which AI translator is safest for EU business?
Looking at the full picture (DPA, certifications, data residency, No-Trace) - Azure Translator and DeepL Pro lead the pack. Azure has No-Trace by default on all tiers. DeepL is a European company with a complete set of certifications and automatic EU data storage. For LLM-quality translation - Claude API via AWS Bedrock Frankfurt.
How will the EU AI Act affect translation businesses?
The AI Act adds new requirements on top of GDPR. Since February 2025, AI Literacy is already required - everyone working with AI must understand the basics of the technology. From August 2026, rules for high-risk systems kick in. For translation agencies this means: documenting AI tools, transparency with clients, and potentially heightened requirements for legal and medical translations.
Do I need a DPA if I’m a freelancer, not an agency?
Yes. GDPR makes no exceptions for business size. If you process personal data of EU residents - the rules apply to you equally. A freelancer using ChatGPT to translate contracts carries the same legal responsibility as a large translation bureau.