GDPR Compliance for Translation Agencies: NDA, DPA, Data Transfers and Cloud Tools¶
A corporate client from Germany sends you an RFP, and buried in the requirements you spot: “GDPR-compliant data processing, DPA required.” You’ve got NDAs signed with your freelancers - so you’re covered, right? Spoiler: no. NDA and DPA are different documents with different legal consequences, and an NDA alone doesn’t get you to GDPR compliance.
Translation agencies handle personal data every single day: names, dates of birth, addresses, passport numbers, medical diagnoses, bank details - it’s all there in the documents you translate. Under GDPR, processing this data without proper safeguards can cost up to 20 million euros or 4% of annual global turnover - whichever is higher.
Let’s break down exactly what you need to do to get your agency into full compliance.
Why Translation Agencies Fall Under GDPR¶
GDPR (General Data Protection Regulation) is the EU regulation governing the processing of personal data. It has applied since 25 May 2018 and covers any organisation that processes the personal data of people in the EU - regardless of where that organisation is located.
Your translation agency falls under GDPR if it:
- translates documents for people or companies in the EU (passports, certificates, contracts)
- has corporate clients based in the EU
- has an office, staff or any other establishment in the EU
- employs freelancers or staff who work from the EU
Using EU-hosted cloud tools does not by itself bring you under GDPR, but those providers are bound by it, and the DPA you sign with them passes obligations on to you. In practice, this means the vast majority of agencies working with European languages are subject to GDPR. And it doesn’t depend on size - a 3-person agency has the same obligations as a 300-person one.
According to Article 3(2)(a) of the GDPR:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects in the Union.
In plain English: if you translate documents for people or companies in the EU, GDPR applies to you - even if your office is in Kyiv or Tbilisi.
A common misconception: “We don’t collect data, we just translate.” Under GDPR, “processing” covers any action performed on personal data: receiving, storing, reading, transferring to another person (like a freelancer). Translating a document that contains a name and date of birth already counts as personal data processing.
Controller vs Processor: What’s Your Agency’s Role¶
GDPR distinguishes between two key roles:
- Data controller - determines the purposes and means of data processing. That’s your client
- Data processor - processes data on behalf of the controller. That’s your agency
When a corporate client sends you documents for translation, they’re the controller (their employees, their documents). Your agency is the processor, handling that data for a specific purpose (translation).
But here’s the catch. Your agency is also a controller - for its own data:
- client contact information in your CRM
- personal data of your in-house employees
- freelancer data in your database
- email addresses in marketing lists
This means dual responsibility: as a processor, you follow the client-controller’s instructions; as a controller, you bear full responsibility for your own data.
Your freelance translators who receive the documents are sub-processors. They need separate legal arrangements too - more on that below.
NDA vs DPA: The Critical Difference Most Agencies Miss¶
This is the most common compliance gap in the translation industry. Most agencies have NDAs (Non-Disclosure Agreements) signed with their freelancers and assume everything’s covered. But NDA and DPA are fundamentally different documents serving different functions.
NDA (Non-Disclosure Agreement):
- protects confidential information from disclosure to third parties
- governed by general contract law
- has no specific requirements for personal data processing
- doesn’t include GDPR obligations for breach notification, data deletion, or audit rights
DPA (Data Processing Agreement):
- legally required under Article 28 GDPR
- specifically governs personal data processing
- must contain 8 mandatory elements (listed below)
- includes concrete obligations: breach notification, data deletion, audit support
A Data Processing Agreement (DPA) is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data. GDPR Article 28 requires controllers to have a DPA in place with every processor.
Do you still need an NDA? Yes. But an NDA doesn’t replace a DPA. You need both.
8 Mandatory DPA Elements Under Article 28(3)¶
Article 28(3) first requires the contract to describe the processing (subject matter, duration, nature and purpose, types of personal data, categories of data subjects, the controller’s obligations and rights) and then to bind the processor to eight specific obligations, points (a) to (h). Every DPA between your agency and a client (and between you and freelancers) must cover all of them:
| Ref | Element | What it means for your agency |
|---|---|---|
| intro | Subject matter, duration, nature and purpose of processing | Translation of the client’s documents for the contract duration; the nature is linguistic processing of text containing personal data |
| intro | Types of personal data and categories of data subjects | Names, addresses, dates of birth, health data, financial data; the client’s employees, their family members, counterparties |
| intro | Controller’s obligations and rights | Processing instructions, right to audit |
| (a) | Process only on documented instructions, including for transfers outside the EU | No MT engine, freelancer or cloud tool the client hasn’t authorised |
| (b) | Confidentiality of everyone with data access | Staff and freelancers under a confidentiality commitment |
| (c) | Technical and organisational measures (Article 32) | Encryption, access controls, backups |
| (d) | Conditions for engaging sub-processors (Article 28(2) and (4)) | How you engage freelancers, client consent, the same obligations flowed down to them |
| (e) | Assist the controller with data subject requests | Be able to find and delete a named person’s data across your TMS, translation memories and freelancer copies |
| (f) | Assist with security, breach notification and DPIAs (Articles 32-36) | Notify the client without undue delay when a freelancer loses a document |
| (g) | Delete or return all data at the end of the service | A retention and deletion procedure that also covers TM entries and freelancer copies |
| (h) | Provide information to demonstrate compliance and allow audits | Keep records; accept questionnaires or on-site audits |
Pro tip: don’t write a DPA from scratch. The European Commission publishes standard contractual clauses for controller-processor contracts under Article 28(7) (Implementing Decision (EU) 2021/915); use them as a starting point and adapt them to translation-specific needs. Don’t confuse them with the international transfer SCCs under Article 46 (Decision (EU) 2021/914), which solve a different problem and are covered below. If budget allows, have a lawyer review the final document.
Freelancers as Sub-processors: How to Set Things Up Right¶
If your agency works with external translators (and that’s the vast majority of agencies), every freelancer who gets access to personal data in documents is a sub-processor under GDPR.
Here’s what that means in practice:
1. Written Authorization From Your Client¶
Under Article 28(2) GDPR, a processor can’t engage a sub-processor without written authorization from the controller. Two options:
- Specific authorization - for each freelancer individually (impractical if you work with dozens of translators)
- General authorization - client permits you to engage sub-processors provided you notify them in advance and they can object
Most agencies include general authorization in their master agreement. But the client retains the right to object to a specific sub-processor - and you’re obligated to send that notification before work begins.
2. DPA With Every Freelancer¶
Yes, every freelancer needs their own DPA. It can be a standard document that everyone signs during onboarding, but it must exist. An NDA without a DPA is a compliance gap.
3. Freelancer Security Due Diligence¶
You’re obligated to verify that each freelancer has adequate technical and organizational security measures:
- encrypted file transfer (TLS 1.2 or newer for any web portal, preferably SFTP or a secure cloud workspace; never plain email attachments or “anyone with the link” shares)
- full-disk encryption on every device that stores client files (BitLocker, FileVault or LUKS) - a login password alone does not protect the data on a lost or stolen laptop
- multi-factor authentication on the email and cloud accounts through which documents arrive
- deletion of client data after project completion, including downloads, CAT tool translation memories and email attachments
- no work on confidential documents over untrusted networks such as public Wi-Fi without a VPN
- up-to-date operating system and antivirus, with automatic updates turned on
As legal portal PLANIT//LEGAL notes:
Self-employed contractors who process personal data on behalf of a company are considered data processors under GDPR. The contracting company must ensure that the freelancer provides sufficient guarantees for data protection.
4. Liability for Breaches¶
If a freelancer causes a data breach, you’re the one answering to the client - and, through the client, to the regulator - not the freelancer. Article 28(4) is explicit: where a sub-processor fails to meet its data protection obligations, the initial processor remains fully liable to the controller. You can later recover damages from the freelancer through the DPA (if it’s properly drafted), but towards the client, liability stays with you.
That’s why your DPA with freelancers should include:
- obligation to notify you immediately (within 24 hours) of any security incident
- liability for damages caused by DPA violations
- right to conduct security audits (even remote ones - a questionnaire counts)
Cross-Border Data Transfers Outside the EU¶
If your agency is based outside the EU (say, in Ukraine) and your clients are in the EU, you’re transferring data outside the European Economic Area (EEA). GDPR strictly regulates such transfers through Articles 44-49.
Three Lawful Transfer Mechanisms¶
1. Adequacy Decision
The European Commission recognizes that a country provides an adequate level of data protection. As of 2026, countries with adequacy decisions include: the UK, Japan, South Korea, the USA (via the EU-US Data Privacy Framework), Canada (commercial sector), Argentina, Israel, New Zealand, and several others.
Ukraine doesn’t have an adequacy decision. So transferring data from the EU to Ukraine requires a different mechanism.
2. Standard Contractual Clauses (SCCs)
This is the most common and practical mechanism for countries without adequacy. SCCs are a standardized set of contractual terms approved by the European Commission, included in the agreement between the EU-based controller/processor and the recipient outside the EU.
Since the Schrems II ruling (CJEU, 2020) and the 2021 version of the SCCs, the parties must carry out a Transfer Impact Assessment (TIA) - an evaluation of whether the destination country’s laws, in particular rules on government access to data, could prevent the recipient from complying with the SCCs.
For Ukraine, a TIA typically shows an acceptable risk level - but the document needs to be prepared and kept on file.
3. Binding Corporate Rules (BCRs)
Internal rules for large multinational corporations. For most translation agencies, this is too complex and expensive - SCCs are far more practical.
What This Means in Practice¶
If you’re based in Ukraine and work with EU clients:
- Include SCCs in your DPA (ready-made templates are available on the European Commission’s website)
- Conduct a TIA and document it
- Review your TIA annually - legislation changes
The same applies to freelancers outside the EU: if you’re sending documents to a translator in India or Latin America, SCCs + TIA are mandatory for that transfer too.
Cloud Tools: Which Ones Are GDPR-Safe¶
Most translation agencies use cloud-based CAT tools, project management systems, and MT services. Each one processes client data - and each must comply with GDPR.
As the European Commission notes:
Many translation tools store your texts on their servers, sometimes even training AI models on your data. Before using any cloud-based tool, check the terms of service carefully.
Security Comparison of Popular Tools¶
| Tool | GDPR Compliant | Certifications | Text Storage | DPA Available | Servers |
|---|---|---|---|---|---|
| DeepL Pro | Yes | ISO 27001, SOC 2 Type II | Doesn’t store | Yes | EU (Germany) |
| Google Translate (free) | No | - | Used for training | No | Global |
| Google Cloud Translation API | Yes | ISO 27001, SOC 2 | Doesn’t store (default) | Yes | Region choice |
| Smartcat | Yes | ISO 27001 | Stored in TM | Yes | EU + US |
| Phrase (Memsource) | Yes | ISO 27001 | Stored in TM | Yes | EU |
| memoQ Cloud | Yes | ISO 27001 | Stored in TM | Yes | EU |
| ChatGPT / Claude API | Partial | SOC 2 | Depends on plan | Yes (Business/Enterprise) | US + EU |
| Trados Studio (desktop) | N/A | - | Local | N/A | Local |
Key Rules When Choosing Tools¶
- Sign a DPA with every SaaS provider. This isn’t optional - Article 28(3) requires it
- Check where servers are physically located and whether you can pin the region. For EU clients, EU-based servers are preferred; data in a US region is a transfer outside the EEA and needs its own legal basis (the provider’s Data Privacy Framework certification or SCCs)
- Confirm the tool doesn’t use your texts to train AI models - in the contract or DPA, not just in a marketing FAQ
- Free versions of MT (Google Translate, free DeepL) are absolutely not for confidential documents
- Desktop and on-premises solutions (Trados Studio, a memoQ Server you host yourself) keep data inside your own infrastructure - as long as no cloud MT plugin is enabled. A CAT tool with an MT plugin still sends every segment to the MT provider, so that provider needs a DPA like any other SaaS. And infrastructure you run yourself is infrastructure you have to secure: Article 32 applies to your own servers too
A note on AI tools: if you’re using ChatGPT or Claude for post-editing or draft translation, make sure you’re on a business or API plan that comes with a DPA and that your inputs are not used for training. Free or personal consumer plans usually don’t offer a DPA and don’t guarantee confidentiality.
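Where a cloud MT or LLM engine has to be used on a document that contains personal data, the control a security engineer would add is pseudonymisation before the text leaves the agency - a measure Article 32(1)(a) names explicitly. The script below is an added example written for this article, not code from any CAT or MT vendor: it swaps names, dates, passport numbers and IBANs for opaque placeholders, sends only the placeholder version to the engine (stubbed here by `fake_mt`), restores the real values afterwards, and flags any segment where the engine mangled a placeholder so it goes to a human instead of shipping with data missing. The placeholder format `{{CAT_n}}`, the regexes, the assumed passport format and the sample segment are all constructed for the demo.

```python
"""Pseudonymise personal data before a segment is sent to a cloud MT engine.

Added example for this article, not code from any MT or CAT vendor. The
placeholder format ({{CAT_n}}), the regexes and the fake_mt() stub are
assumptions made for the demo; in production the call goes to your real MT API.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample segment with fictitious data (not from a real document).
SAMPLE = ("Patient Anna Kowalski, born 12.03.1985, passport AB1234567, "
          "IBAN DE89 3704 0044 0532 0130 00, diagnosed with type 2 diabetes.")


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check, so a random letters-and-digits run is not
    mistaken for an IBAN (cuts regex false positives)."""
    s = re.sub(r"\s+", "", candidate).upper()
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum() and s[:2].isalpha()):
        return False
    rearranged = s[4:] + s[:4]                                 # country code + check digits to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)   # A=10 ... Z=35, digits unchanged
    return int(numeric) % 97 == 1


# (category, regex, optional validator). The formats are deliberately narrow and
# assumed for this demo; extend them per source language and document type.
PATTERNS: List[Tuple[str, "re.Pattern[str]", Optional[Callable[[str], bool]]]] = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,3})?\b"), iban_is_valid),
    ("DATE", re.compile(r"\b(?:\d{2}[./-]\d{2}[./-]\d{4}|\d{4}-\d{2}-\d{2})\b"), None),
    ("PASSPORT", re.compile(r"\b[A-Z]{2}\d{7}\b"), None),      # assumed: 2 letters + 7 digits
]


def pseudonymize(text: str, known_names: Iterable[str] = ()) -> Tuple[str, Dict[str, str]]:
    """Replace personal data with opaque placeholders. Returns the outbound text
    and the placeholder -> original map, which never leaves the agency."""
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def placeholder(cat: str, value: str) -> str:
        for tok, seen in mapping.items():          # same value -> same token, keeps consistency
            if seen == value:
                return tok
        counters[cat] = counters.get(cat, 0) + 1
        tok = "{{" + f"{cat}_{counters[cat]}" + "}}"
        mapping[tok] = value
        return tok

    out = text
    # Names come from the order metadata (or an NER model); longest first so
    # "Anna Kowalski-Nowak" is not partly replaced by "Anna Kowalski".
    for name in sorted(known_names, key=len, reverse=True):
        if name in out:
            out = out.replace(name, placeholder("PER", name))
    for cat, rx, validator in PATTERNS:
        def swap(m: "re.Match[str]", cat: str = cat, validator=validator) -> str:
            value = m.group(0)
            if validator is not None and not validator(value):
                return value                        # looked like an IBAN but fails mod-97: leave it
            return placeholder(cat, value)
        out = rx.sub(swap, out)
    return out, mapping


def restore(translated: str, mapping: Dict[str, str]) -> Tuple[str, List[str]]:
    """Put the original values back. Engines sometimes drop, translate or re-case
    placeholders; any token not found verbatim is reported so the segment can be
    routed to a human instead of delivered with data missing."""
    missing = [tok for tok in mapping if tok not in translated]
    out = translated
    for tok, value in mapping.items():
        out = out.replace(tok, value)
    return out, missing


def fake_mt(segment: str) -> str:
    """Stand-in for the real MT call (assumption): a well-behaved engine that
    translates a couple of words and leaves placeholders untouched."""
    return segment.replace("Patient", "Patientin").replace("born", "geboren am")


def translate_segment(text: str, mt: Callable[[str], str],
                      known_names: Iterable[str] = ()) -> Tuple[str, List[str], str]:
    """Full round trip: returns (final text, unresolved tokens, what actually left the agency)."""
    outbound, mapping = pseudonymize(text, known_names)
    final, missing = restore(mt(outbound), mapping)
    return final, missing, outbound


if __name__ == "__main__":
    final, missing, outbound = translate_segment(SAMPLE, fake_mt, known_names=["Anna Kowalski"])
    print("sent to MT :", outbound)
    print("delivered  :", final)
    print("unresolved :", missing)
```

The mapping stays on your side, so the provider sees `born {{DATE_1}}` rather than a date of birth, and its logs and any training set hold no personal data. Regexes alone miss free-text names, which is why `known_names` feeds them in from the order metadata; the mod-97 check keeps reference numbers and random codes from being mistaken for IBANs. The `missing` list is the part people forget: an engine that silently drops a placeholder would otherwise produce a translation with the data quietly gone.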
GDPR Compliance Checklist for Translation Agencies¶
A practical action list from most critical to nice-to-have:
Critical (without these, you’re not compliant)¶
| # | Action | Details |
|---|---|---|
| 1 | Prepare a DPA template for clients | Based on EU Commission SCCs, adapted for translation |
| 2 | Prepare a DPA template for freelancers | With security requirements, liability, data deletion terms |
| 3 | Sign DPAs with every cloud tool | DeepL, Smartcat, Phrase - all have ready DPAs on their websites |
| 4 | Create a Record of Processing Activities (ROPA) | What data, from whom, why, who you share with, when you delete |
| 5 | Develop a breach notification procedure | As processor, notify the client without undue delay (Article 33(2)); the client has 72 hours to notify the regulator (Article 33(1)); for data you control yourself, the 72 hours are yours |
| 6 | Include SCCs in contracts (if you’re outside the EU) | Templates available on the European Commission’s website |
Important (raise your protection level)¶
| # | Action | Details |
|---|---|---|
| 7 | Update the Privacy Policy on your website | What info you collect, why, how long you store it |
| 8 | Train staff and freelancers | Basic rules for handling personal data |
| 9 | Implement encrypted file transfers | Minimum TLS 1.2, preferably SFTP or a secure portal |
| 10 | Set retention periods and deletion procedures | Don’t store data longer than needed for the project |
| 11 | Prepare a TIA for transfers outside the EU | Document your risk assessment of your country’s legislation |
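Item 10 above, together with Article 28(3)(g) (delete or return all data at the end of the service), calls for a repeatable deletion procedure rather than an occasional manual clean-up. The script below is an added example for this article, not code from any TMS or CAT vendor: it reads a per-project manifest (an assumed layout standing in for the project records in your TMS), works out which projects have passed their agreed retention, honours a legal hold, refuses manifest entries that would reach outside the project root, and produces the audit record that a client exercising its Article 28(3)(h) audit right will ask for. The project folders and manifest in `demo()` are constructed.

```python
"""Retention sweep: purge project files whose agreed retention period has run out.

Added example for this article, not an agency's or TMS vendor's code. The
manifest layout (id, client, completed, retention_days, legal_hold) is an
assumption standing in for the project records in the agency's TMS.
"""
import json
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path
from typing import Dict, List


def expired_projects(manifest: List[Dict], today: str) -> List[Dict]:
    """Projects whose completion date + retention_days is on or before today
    (ISO date string). A legal hold (dispute, regulator request) always wins
    over automatic deletion."""
    today_d = date.fromisoformat(today)
    due = []
    for p in manifest:
        if p.get("legal_hold"):
            continue
        deadline = date.fromisoformat(p["completed"]) + timedelta(days=int(p["retention_days"]))
        if deadline <= today_d:
            due.append(p)
    return due


def sweep(root: Path, manifest: List[Dict], today: str, dry_run: bool = True) -> List[Dict]:
    """Delete expired project folders under root and return an audit trail.
    dry_run=True only lists what would go, so a PM can review before the real run."""
    root = root.resolve()
    audit: List[Dict] = []
    for p in expired_projects(manifest, today):
        entry: Dict = {"project": p["id"], "client": p["client"], "at": today, "files": []}
        target = (root / p["id"]).resolve()
        # A manifest id like "../shared" must never be able to delete outside root.
        if target == root or not target.is_relative_to(root):
            entry["action"] = "rejected_path"
        elif not target.is_dir():
            entry["action"] = "missing"
        else:
            entry["files"] = sorted(str(f.relative_to(target)) for f in target.rglob("*") if f.is_file())
            if dry_run:
                entry["action"] = "dry_run"
            else:
                shutil.rmtree(target)
                entry["action"] = "deleted"
        audit.append(entry)
    return audit


def demo(dry_run: bool = False) -> List[Dict]:
    """Constructed project folders and manifest in a temp dir; returns the audit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for pid in ("P-1001", "P-1002"):
            (root / pid).mkdir()
            (root / pid / "source.docx").write_text("constructed sample content")
        manifest = [
            {"id": "P-1001", "client": "ACME GmbH", "completed": "2025-01-10", "retention_days": 30},
            {"id": "P-1002", "client": "Beta SA", "completed": "2025-03-01", "retention_days": 90},
            {"id": "../escape", "client": "bad entry", "completed": "2020-01-01", "retention_days": 1},
        ]
        return sweep(root, manifest, "2025-03-15", dry_run=dry_run)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`shutil.rmtree` is ordinary deletion, not secure wiping; on SSDs overwriting is unreliable anyway, so the real control for data at rest is full-disk encryption plus retiring the keys when a device is decommissioned. The same sweep has to reach translation memories, email attachments and freelancers’ copies, which this script does not touch - that is what the freelancer DPA’s deletion clause is for.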
Nice to have (competitive advantage)¶
| # | Action | Details |
|---|---|---|
| 12 | Appoint a DPO or data protection lead | Mandatory (Article 37) only if large-scale processing of health or criminal-record data is your core activity; otherwise a named lead is enough |
| 13 | Get ISO 27001 certification | Information security standard, builds Enterprise client trust |
| 14 | Conduct annual process audits | Review DPAs, TIAs, and security procedures for currency |
About the 72-hour rule: if a personal data breach occurs (freelancer loses a laptop, email gets hacked, document goes to the wrong recipient), who notifies whom depends on your role. For client documents you are the processor: you must notify the client, as controller, without undue delay after becoming aware (Article 33(2)) - your DPA will usually fix a deadline such as 24 hours - and it is the client who has 72 hours from becoming aware to notify the supervisory authority (Article 33(1)). For data you control yourself (your CRM, HR and freelancer records), the 72-hour deadline is yours, and if the breach is likely to result in a high risk to individuals you must notify them too (Article 34).
Pro tip: prepare breach notification templates in advance - one for clients, one for the regulator. In the middle of a crisis, you won’t be able to think clearly and formulate legally correct statements.
Fines and Real-World Risks¶
Maximum GDPR fines sound terrifying: up to 20 million euros or 4% of global turnover. In practice, fines for small and medium businesses typically range from 5,000 to 100,000 euros - according to the GDPR Enforcement Tracker, which monitors all public penalties.
But fines aren’t the scariest part. The real risks for your agency:
- Lost clients. Enterprise companies require GDPR compliance as a tender condition. No DPA means no contract. This can cost far more than any fine
- Reputational damage. A client data breach is news that travels fast, especially in the tight-knit translation community
- Incident response costs. Lawyers, auditors, regulator notifications, affected party notifications - even a small incident can cost 10,000-30,000 euros
For a small agency with 100,000-200,000 euros in annual revenue, even the minimum 5,000 euro fine stings. And losing a major corporate client because you didn’t have a DPA in place stings even more.
The good news: basic GDPR compliance for a small agency isn’t rocket science. The real cost of implementation is 2-4 weeks of work plus 500-2,000 euros for a lawyer to review your documents. Compared to the potential losses, it’s an investment that pays for itself with a single corporate contract.
FAQ¶
Does a translation agency need a DPO (Data Protection Officer)?¶
A DPO is mandatory under Article 37(1) if your core activities consist of large-scale, regular and systematic monitoring of individuals, or of large-scale processing of special categories of data (health, biometric and similar) or data about criminal convictions and offences. Translating the occasional medical certificate does not get you there; regularly translating medical records or court files at volume might. In practice, most small agencies (under 20 people) can designate an internal data protection lead instead of a formal DPO. But if you regularly translate medical records or court documents, a DPO is worth serious consideration.
Is an NDA with a freelancer enough for GDPR compliance?¶
No. An NDA protects confidentiality but doesn’t regulate personal data processing under GDPR. You need a separate DPA (Data Processing Agreement) with every freelancer who accesses documents containing personal data. The right combination is: NDA (confidentiality) + DPA (data processing).
What do I do if a freelancer loses a document with personal data?¶
This qualifies as a personal data breach under Article 4(12) GDPR. For a client document you are the processor, so your actions are: (1) contain and document the incident - what was lost, which data, which data subjects, when you found out, (2) notify the client (the controller) without undue delay under Article 33(2), with what you know so far and updates as they come, (3) help the client assess the risk to data subjects and decide whether it must notify the supervisory authority within 72 hours (Article 33(1)), (4) record the incident in your own breach register. Your DPA with the freelancer should obligate them to notify you immediately (within 24 hours) of any security incident, so that you can meet your own deadline to the client.
Can I use free Google Translate for client documents?¶
No. Free Google Translate isn’t suitable for confidential documents. Google states in its Terms of Service that it may use submitted content to improve its services, and no DPA is available for the free service. For work involving personal data, use either paid services with a DPA (DeepL Pro, Google Cloud Translation API), or desktop tools (Trados Studio, memoQ) with cloud MT plugins disabled, so that data never leaves your computer.
How long does it take to implement GDPR compliance?¶
For a small agency (under 10 people), basic compliance can be implemented in 2-4 weeks: prepare DPA templates, update client and freelancer agreements, create a ROPA, conduct training, set up secure file transfers. Full compliance with audits, TIA, and possible ISO certification takes 2-3 months.
Does GDPR apply to agencies based in Ukraine?¶
Yes, if you process data of EU residents or provide services to EU-based companies. Your agency’s physical location doesn’t matter - what matters is whose data you process and who you provide services to. This is explicitly stated in Article 3 GDPR - the so-called extraterritorial principle.