TikTok found out what happens when you skip this step. In 2023, the Dutch Data Protection Authority fined the company €750,000 - specifically because its privacy notice was available only in English, and Dutch child users couldn’t be expected to understand it. Not for a data breach, not for selling user data. For the language of a document.
That case wasn’t a creative interpretation of the rules. The Dutch DPA applied Article 12(1) of GDPR, which requires information be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” When your users are Dutch-speaking minors, English is not clear and plain language to them. Regulators across the EU are applying this logic consistently.
If you’re running an e-commerce business expanding into Germany, France, Spain, Poland, or any other EU market - your Terms & Conditions and Privacy Policy aren’t boilerplate you drop from a template generator. They’re legally binding documents that must comply with local law. In most EU countries, that means local language. In Germany specifically, it means something much more specific.
This article covers what the legal requirements actually are, what proper legal translation involves versus a DeepL pass, which markets require the most adaptation, what it costs, and the mistakes that turn a €200 translation fee into a €15,000 legal problem.
Why T&C and Privacy Policy Translation Is a Legal Requirement, Not Just Good Practice¶
GDPR and Privacy Policy¶
Article 12(1) of GDPR requires any privacy notice be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” This is a legal standard that supervisory authorities use when evaluating your privacy notice - not a style guide suggestion.
The practical interpretation: if your users are predominantly non-English speakers, an English-only privacy notice doesn’t meet the transparency standard. The maximum GDPR penalty is €20 million or 4% of global annual turnover - whichever is higher. Most enforcement actions for language and transparency violations fall in the €50,000-€2 million range, but the ceiling exists.
As Securiti notes in their analysis of privacy notice language requirements:
“GDPR’s transparency principle, coupled with the requirement for ‘clear and plain language’, effectively means that businesses targeting users in non-English speaking EU countries must provide privacy notices in the language those users can actually understand.”
The TikTok case makes this concrete: the Dutch DPA found that Dutch-speaking minors couldn’t understand an English privacy notice, therefore consent based on that notice was invalid.
Germany: T&C Must Be in German by Law¶
Germany is the EU’s largest e-commerce market - and it has the strictest rules on language for customer-facing legal documents.
Under §305(2) of the German Civil Code (BGB), standard business terms (Allgemeine Geschäftsbedingungen, or AGB - which is what your T&C are) only become part of a contract if the counterparty has had “a reasonable opportunity to take notice” of them. German courts have consistently interpreted this to mean: if your T&C are only available in English and you’re contracting with German consumers, they cannot be considered part of the contract.
The consequences? Without legally effective T&C, the statutory consumer protection rules fill the gap - and German statutory consumer law is highly protective of buyers. You lose your limitation of liability clauses, your returns policy, your dispute resolution terms. Everything that was supposed to protect your business.
On top of that, the Gesetz gegen den unlauteren Wettbewerb (UWG - Germany’s unfair competition law) allows competitors and consumer protection associations to seek injunctions against businesses with improper T&C. Abmahnungen (cease-and-desist letters from competitors) are a thriving cottage industry in Germany. You’ll typically receive one within weeks of going live with non-compliant T&C.
Other EU Markets¶
France requires consumer contracts to be in French under the Loi Toubon. Spain’s consumer protection law similarly requires contracts with Spanish consumers to be in Spanish. Poland, Italy, the Netherlands - each has consumer protection rules that effectively require local-language contracts with local consumers.
The EU E-Commerce Directive (2000/31/EC) and the Omnibus Directive (2019/2161) mandate that consumers receive pre-contractual information “in a clear and comprehensible manner.” Courts across the EU interpret this as the language of the consumer.
Outside the EU: Brazil’s LGPD (Lei Geral de Proteção de Dados) has transparency requirements similar to GDPR. Japan’s APPI similarly requires consumer-understandable privacy notices. Going into any major market without local-language legal documents is regulatory risk you’re consciously taking on.
Translation vs Localization - Why This Distinction Matters for T&C¶
Many e-commerce businesses make the expensive mistake of thinking “translation” and “localization” are interchangeable. For T&C and Privacy Policy, they’re not.
Translation means converting your English text into German (or French, or Polish). The result is text in the target language that accurately represents what the original said.
Legal localization means adapting the document so it actually complies with the laws of the target jurisdiction - which may require removing clauses that are unenforceable there, adding clauses that are required there, restructuring dispute resolution provisions, adjusting liability limitations, and adapting data protection language to match local regulatory requirements.
A concrete example. Your English T&C might say: “All disputes shall be resolved by binding arbitration under AAA rules in Delaware.”
Translate this perfectly into German and it still won’t work. German consumers cannot be forced into foreign arbitration under EU consumer protection law. A German court will simply strike this clause and apply German jurisdiction. If your translated T&C still contains this clause, you’ve created a document that misleads German consumers about their rights - which is itself an unfair commercial practice under UWG.
Or your T&C says: “Returns accepted within 14 days.” EU consumer law gives consumers 14 days minimum - but this starts from receipt of goods, not from purchase. If your English original doesn’t specify this correctly, a direct translation carries the error into German, and you have a non-compliant document.
The pattern repeats across jurisdictions. Common Law assumptions (standard in US/UK T&C) don’t map onto Continental Civil Law systems. What’s enforceable in one jurisdiction may be void in another. What’s required in one market may be absent from your template.
As Glocco’s legal localization guide explains:
“Legal localisation goes beyond mere translation. It requires a thorough understanding of the target country’s legal framework, consumer protection laws, and regulatory environment. A document that is merely translated may still be non-compliant or unenforceable in the target jurisdiction.”
Which Markets Need What - A Country-by-Country Overview¶
| Country | Language Required | T&C Localization Depth | Privacy Policy Localization | Key Non-Compliance Risk |
|---|---|---|---|---|
| Germany | German (mandatory) | High - many clauses follow statutory wording | High - DSGVO + BDSG specifics | Abmahnungen, contract voidance, fines |
| France | French (mandatory) | Medium-High - Loi Hamon + CNIL | High - CNIL requirements | Consumer protection fines, contract claims |
| Spain | Spanish (mandatory) | Medium - Ley de Consumidores | Medium-High - AEPD requirements | LSSI-CE fines, AEPD enforcement |
| Poland | Polish (mandatory) | Medium | Medium | UODO fines, consumer claims |
| Brazil | Portuguese (mandatory) | High - CDC has very strong consumer rights | High - LGPD differs significantly from GDPR | ANPD fines, CDC enforcement |
| USA | English (primary) | Low, but CCPA applies in California | High - state privacy laws vary widely | FTC enforcement, class actions |
| Japan | Japanese (increasingly required) | Medium | High - APPI requirements | PIHPC enforcement |
Germany in Detail¶
The German T&C checklist goes beyond just being “in German”:
- Right of withdrawal (Widerrufsrecht): must follow the exact statutory wording set out in Anlage 1 to the EGBGB - a mistranslation or paraphrase doesn’t count
- Impressum: a mandatory legal notice page with full company details, trade register number, and contact information is required by law for any commercial website in Germany
- Liability limitations: BGB §309 voids clauses that limit liability for personal injury or death, regardless of how they’re worded
- Dispute resolution: under §36 VSBG, you must either reference an approved consumer ADR body or state that you’re not obligated to participate in one
- Delivery terms: German consumers expect INCOTERMS-aligned delivery terms, not vague “shipped within a few days” language
Brazil in Detail¶
Brazil’s CDC (Código de Defesa do Consumidor) is notably more protective of consumers than its EU counterparts in several areas:
- Cooling-off period is 7 days (not 14 days as in the EU)
- The LGPD’s legal bases for processing differ from GDPR - “consent” and “legitimate interest” have different definitions
- ANPD (Brazil’s data protection authority) has been issuing new regulatory guidance since 2023 that changes specific disclosure requirements
- Consumer contracts in Brazil must be in Portuguese and must not contain “abusive clauses” as defined by the CDC - a list of prohibited terms that’s more specific than EU equivalents
Three Options for Translating Your T&C and Privacy Policy¶
Option 1: Local Law Firm in the Target Country¶
You hire an e-commerce-specialized law firm in Germany (or France, Brazil, etc.) that translates and reviews your documents for local compliance.
Cost: €500-2,000 per document per country. Law firm hourly rates in Germany typically run €200-500/hour; a Privacy Policy review plus translation from an established firm rarely comes in under €800. Timeline: 1-3 weeks per country. Legal validity: Highest - the lawyer creating the document is professionally liable for its compliance. Best for: High-volume markets where you expect significant transaction volume, or where you already work with local legal counsel for other business reasons.
Option 2: Specialist Legal Translation Agency¶
A translation agency that specializes in legal documents - with legal translators who are native speakers of the target language AND have legal training or work with in-house legal reviewers.
Cost: $0.15-0.35 per word + legal review fee. For a typical T&C (2,000-3,000 words) and Privacy Policy (1,500-2,500 words), budget $500-1,200 per language pair. Timeline: 5-10 business days standard, 2-3 days for rush orders at a 30-50% surcharge. Legal validity: High for translation quality; compliance review quality varies between agencies. Always ask specifically whether they include jurisdiction-specific compliance review, not just linguistic translation. Best for: Mid-stage businesses entering 2-5 markets. Look for agencies that specialize in legal translation and explicitly offer compliance review for target jurisdictions.
Option 3: AI-Assisted Translation with Human Legal Review¶
Use an AI translation tool for the initial draft, then have a qualified lawyer or legal translator review and adapt the output for jurisdiction compliance. Services like ChatsControl combine AI translation with professional review - you get the translation speed of AI with human legal oversight for accuracy.
Cost: $50-150 for AI translation + $200-600 for legal review per document. Total per language: $250-750. Timeline: AI translation in 1-2 days + legal review in 3-7 days. Legal validity: Depends entirely on the quality of the human legal review. The AI draft reduces cost and time; the human review is what makes the document legally valid. Best for: Cost-conscious businesses that understand where to invest in human expertise (the legal review) versus where technology speeds up the process (the initial translation).
What doesn’t work: Running your T&C through Google Translate or ChatGPT and calling it done. The output will be linguistically questionable AND jurisdictionally non-compliant. If a German consumer association or DPA ever looks at your documents, they’ll spot it immediately.
Cost Comparison¶
| Option | Cost per language | Timeline | Legal Compliance Risk | Best for |
|---|---|---|---|---|
| Local law firm | €500-2,000/doc | 1-3 weeks | Very low | High-volume markets |
| Specialist legal agency | $500-1,200/doc | 5-10 days | Low-medium | Standard market entry |
| AI + human legal review | $250-750/doc | 4-9 days | Low-medium | Cost-conscious, 3+ languages |
| DIY machine translation | $0-50 | 1 day | High | Not recommended |
Common Mistakes That Turn Into Legal Problems¶
Mistake 1: Translating but Not Localizing¶
A UK-based e-commerce company had its T&C professionally translated into German. The translation was linguistically accurate. But the T&C contained a clause limiting liability to “direct damages only” - standard in UK contracts. Under BGB §309 No. 7, liability limitations for personal injury are void in Germany. The German translation faithfully reproduced an unenforceable clause.
When a German customer was injured and claimed damages, the company had no liability limitation to rely on. The translation was accurate; the localization was absent.
Mistake 2: Using a One-Time Translation Without a Review Schedule¶
Laws change. GDPR supervisory authorities publish new guidance. Germany’s consumer protection rules evolve. Brazil’s ANPD has been issuing regulatory guidance at a steady pace since 2023.
A Privacy Policy compliant in 2023 may not be compliant in 2026. If you translated once and never revisited, you’re running on an outdated document. Schedule annual reviews of all localized legal documents - at minimum.
Mistake 3: Forgetting Cookie Notices¶
Your cookie banner and cookie policy are separate from the Privacy Policy but equally subject to GDPR and ePrivacy Regulation requirements. They need to be in the local language, and the consent mechanism must comply with local DPA guidance. Germany, France, and Spain have each issued DPA guidance on acceptable cookie consent - and it differs between countries.
Mistake 4: Treating “GDPR-Compliant” as “EU-Compliant”¶
GDPR applies directly across the EU, but member states have used GDPR’s “opening clauses” to add national-specific requirements. Germany’s BDSG, France’s loi informatique et libertés as amended, Austria’s DSG - each adds requirements on top of GDPR. “We comply with GDPR” doesn’t mean you comply with German, French, or Austrian data protection law.
Mistake 5: Not Updating Translations When You Add New Data Processing¶
If you add a new analytics tool, a CRM integration, or start using AI for product recommendations, your Privacy Policy needs to reflect this - in every language version, not just English. Data subjects must be informed about what you’re doing with their data. A German DPA audit that finds you’re running behavioral analytics tools not mentioned in your German-language Privacy Policy is an immediate violation.
As IAPP has noted in their analysis of GDPR translation challenges:
“The translation of data protection documents must be treated as a living process, not a one-time task. Privacy notices that accurately reflected processing activities in 2019 may now omit significant data flows added as businesses adopted new technologies.”
Practical Checklist Before Going Live in a New Market¶
Privacy Policy - per language/market: - [ ] Available in the official language of the market - [ ] References the correct supervisory authority (e.g., BfDI/LDI in Germany, CNIL in France, AEPD in Spain) - [ ] Correct legal basis for each data processing activity under local law - [ ] Current list of data processors and sub-processors - [ ] Correct contact details for data subject requests - [ ] Cookie consent mechanism compliant with local DPA guidance - [ ] Reviewed after any significant change to data processing activities
T&C - per language/market: - [ ] Available in the official language before contract conclusion - [ ] Right of withdrawal/cancellation period matches statutory minimum (14 days in EU from receipt of goods; 7 days in Brazil) - [ ] Liability limitations are enforceable under local law - not just translated from a Common Law template - [ ] Dispute resolution clause references an ADR body approved in the target jurisdiction - [ ] Delivery and payment terms comply with local consumer expectations and law - [ ] For Germany: Impressum-compliant business identification information - [ ] For Germany: Widerrufsbelehrung (withdrawal notice) follows exact statutory wording - [ ] Reviewed annually and after any significant product or service change
FAQ¶
Do T&C and Privacy Policy require certified or sworn translation?¶
For consumer-facing e-commerce documents - generally no. They need to be in the local language and legally compliant, but they don’t require the same certification as documents submitted to courts or government agencies. What they need is legal accuracy and jurisdiction compliance, which is a different quality bar from sworn certification. The exception: if your documents are ever used as evidence in litigation or a regulatory proceeding, having a translator’s declaration of accuracy becomes valuable.
Can we use DeepL as a starting point and have a lawyer check it?¶
DeepL is significantly better than Google Translate for legal text, and using it as a first draft that gets reviewed by a qualified lawyer is a workable approach. The key: the lawyer’s review must cover legal compliance (are these clauses enforceable in this jurisdiction?) not just linguistic accuracy (is the German readable?). If the lawyer is reviewing for language only, you’re still missing the compliance step. ChatGPT outputs need more careful review than DeepL - the model sometimes introduces confident-sounding but legally problematic formulations.
How often do we need to update the translations?¶
At minimum: annually. In practice, update when the law in a target jurisdiction changes in a way that affects your documents; when you add new data processing activities or change how you use existing ones; when you change your product or service offering significantly; or when a supervisory authority issues new guidance. Subscribe to data protection newsletters for your key markets - DPAs in Germany, France, and Spain publish guidance updates regularly.
Our T&C are 5,000 words - does the entire document need professional translation?¶
Yes. Regulators and courts look at the document as a whole. Selectively translating “important” sections leaves clauses that are confusing, misleading, or simply absent from the consumer’s point of view. Prioritize: Germany and France first (largest EU e-commerce markets), then Poland, Spain, the Netherlands. For each market, do the whole document properly.
What’s the difference between a Privacy Policy and a Data Processing Agreement?¶
A Privacy Policy is addressed to your end users - it tells customers what data you collect, why, and what their rights are. A Data Processing Agreement (DPA) is a B2B contract between you (as data controller) and your vendors (as data processors) - required by GDPR Article 28 whenever you share customer data with third parties (analytics providers, email platforms, CRMs, etc.). Both need to be in the appropriate language for the parties they bind. For B2B DPAs, the working language is often agreed by the parties - English is common even within the EU for B2B contracts. For consumer-facing Privacy Policies, local language applies.
Is a language toggle on the T&C page enough?¶
Technically, making the document available in the user’s language satisfies the minimum. But from both UX and legal perspectives, you should default to showing T&C in the user’s language based on their browser language or geo-location, not require them to actively find a language toggle. German consumer protection associations have successfully challenged businesses where the German-language T&C existed but wasn’t the default shown to German users.
What’s an Abmahnung and how do we avoid it?¶
An Abmahnung is a formal cease-and-desist letter, typically from a competitor or a consumer protection association, claiming your T&C violate German law. It’s a thriving industry in Germany - specialized law firms send these as a business model. The typical demand: sign a cease-and-desist declaration (Unterlassungserklärung) and pay €1,000-3,000 in legal costs. If you don’t respond or your T&C stay non-compliant, the next step is a court injunction. The solution is prevention: have your German T&C reviewed by a German lawyer who specializes in e-commerce law before you go live.