
GDPR and File Conversion: What You Need to Know

2026-05-17 9 min read

Why File Conversion Is a GDPR Concern at All

Most people think of GDPR in the context of email marketing lists or cookie banners. File conversion sits in a quieter corner of data handling, which is exactly why it tends to get overlooked — and why it can become a compliance problem without anyone noticing. When you upload a file to a conversion service, you are transferring data to a third-party processor. Under GDPR Article 4(8), any entity that processes personal data on behalf of a controller is a data processor. That means the conversion service, not just your own organisation, falls within the regulatory framework. If the file you upload contains personal data — a PDF with client names and addresses, a spreadsheet with employee salaries, a Word document containing medical notes — you have just initiated a cross-boundary data transfer that GDPR has opinions about. The regulation defines personal data broadly: any information relating to an identified or identifiable natural person. A scanned invoice with a customer's name and postcode qualifies. An audio file of a recorded call qualifies. Even metadata embedded in a DOCX file — author name, revision history, tracked changes — can qualify if it identifies someone. The practical implication is that 'I just needed to convert a file' is not a defence under GDPR. The purpose of the processing doesn't change whether personal data is involved. If a file contains personal data and you upload it to an external service, you need a lawful basis for that transfer, and you need some assurance about what happens to that data on the other end.

What GDPR Actually Requires When You Use a Third-Party Processor

GDPR Article 28 is the key provision for anyone using an external service to process personal data. It requires that controllers only use processors who provide 'sufficient guarantees' about their technical and organisational security measures. More concretely, it requires a Data Processing Agreement (DPA) to be in place between the controller and the processor before any processing begins. A DPA must cover specific things: the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved, the categories of data subjects, and the obligations and rights of the controller. It must also require the processor to delete or return all personal data at the end of the service relationship, and to assist the controller in meeting obligations around data subject rights and breach notification. For a file conversion service, this translates into concrete questions you should be asking before you upload anything sensitive: Does the service offer a DPA? Where are the servers located? Is data processed in the EU/EEA, or transferred elsewhere? If transferred elsewhere, under what mechanism — Standard Contractual Clauses, an adequacy decision, Binding Corporate Rules? CocoConvert provides a DPA on request for business users, and processing is handled on servers within the EU. For individual users converting personal documents, the Terms of Service and Privacy Policy govern the relationship, which is standard practice — but it means individual users should read those documents rather than assume. We'll be direct: if your organisation converts files containing special category data (health records, biometric data, data revealing racial or ethnic origin) at any meaningful volume, a one-size-fits-all consumer tool is probably not the right instrument. You need a formal processor agreement and likely a Data Protection Impact Assessment under Article 35.

File Retention: The Detail That Catches Most People Out

One of the most practically important questions about any file conversion service is: how long does it keep your files? This matters enormously under GDPR's storage limitation principle (Article 5(1)(e)), which requires that personal data be kept no longer than necessary for the purpose for which it was collected. Practices vary significantly across the industry. Some services retain uploaded files indefinitely unless the user manually deletes them. Others retain them for 24 hours. Others process entirely in-memory and retain nothing server-side at all. The difference is not trivial if the file contains personal data. CocoConvert automatically deletes uploaded files and converted output files within one hour of the conversion being completed. This is not a marketing claim — it is a technical policy enforced at the infrastructure level, and it is documented in the Privacy Policy. Users do not need to manually trigger deletion, though a manual delete option is available immediately after conversion if you want the file removed before the automatic window closes. To use it: after your conversion completes, click the trash icon next to the output file on the results screen. The file is removed from storage within seconds. Where CocoConvert is honest about its limits: we do not currently offer a zero-retention, in-browser-only processing mode for all file types. Some conversions require server-side processing because the computational load is too high for client-side execution. For users handling highly sensitive documents — legal discovery files, HR records, patient data — that distinction matters. In those cases, you should either use a locally installed conversion tool (LibreOffice, for example, handles many format conversions entirely offline) or ensure you have a formal DPA in place before uploading.

Metadata Stripping: The Hidden Personal Data Problem

A converted file is not necessarily a clean file. One of the less obvious GDPR risks in file conversion is metadata — the invisible layer of information embedded in many file formats that can contain personal data entirely separate from the visible content. Microsoft Office formats (DOCX, XLSX, PPTX) routinely embed the author's name, the names of anyone who has edited the document, revision history, comments, and sometimes the organisation name from the software licence. PDF files can carry similar information: creator name, software used, date of creation, and if the PDF was exported from a Word document, sometimes the original author's username. Image files in JPEG format carry EXIF data, which can include GPS coordinates, camera serial numbers, and timestamps — GPS coordinates being potentially sensitive if the image was taken at a private address. From a GDPR perspective, this metadata is personal data if it identifies or could identify a natural person. Sharing a converted file without stripping this metadata can constitute an unintended disclosure. CocoConvert strips standard document metadata (author fields, revision history, comments) during conversion for Office-to-PDF and Office-to-Office conversions. EXIF data is stripped from JPEG files when converting to PDF or other image formats. However, we do not currently offer a standalone metadata-stripping tool, and we cannot guarantee removal of all custom metadata fields that some enterprise software embeds. If you need verified metadata removal as a compliance step, tools like ExifTool (command-line, free, open source) or Adobe Acrobat's 'Sanitize Document' function (Acrobat Pro > Tools > Redact > Sanitize Document) provide more granular control and audit trails. Use CocoConvert for the format conversion, then pass the output through a dedicated sanitisation step if your compliance requirements demand it.
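A check for residual personal metadata in a converted DOCX, as an added example (not CocoConvert's code): it reads the document-property parts and the author attributes on comments and tracked changes. The sample files are constructed in memory, and the set of fields checked is an assumption covering the fields named above, not an exhaustive audit.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Property elements that commonly name a person or organisation (assumed list).
PROPS = {"docProps/core.xml": ("creator", "lastModifiedBy"),
         "docProps/app.xml": ("Company", "Manager")}

def residual_metadata(docx_bytes):
    """Return a sorted list of (location, value) findings left in a DOCX."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part in names & PROPS.keys():
            for el in ET.fromstring(z.read(part)).iter():
                local = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                if local in PROPS[part] and (el.text or "").strip():
                    findings.add((f"{part}:{local}", el.text.strip()))
        # Comments and tracked insertions/deletions carry a w:author attribute.
        for part in (n for n in names if n.startswith("word/") and n.endswith(".xml")):
            for el in ET.fromstring(z.read(part)).iter():
                local = el.tag.rsplit("}", 1)[-1]
                author = el.get(f"{{{W}}}author")
                if author and local in ("ins", "del", "comment"):
                    findings.add((f"{part}:{local}", author))
    return sorted(findings)

def make_docx(parts):
    """Build a minimal DOCX-shaped ZIP in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

# Constructed samples: one file with leftovers, one that was cleaned.
CORE = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>{}</dc:creator>'
        '<cp:lastModifiedBy>{}</cp:lastModifiedBy></cp:coreProperties>')
BODY = '<w:document xmlns:w="%s"><w:body><w:p>{}</w:p></w:body></w:document>' % W
DIRTY = make_docx({"docProps/core.xml": CORE.format("Jane Example", "J. Reviewer"),
                   "word/document.xml": BODY.format('<w:ins w:id="1" w:author="J. Reviewer"/>')})
CLEAN = make_docx({"docProps/core.xml": CORE.format("", ""),
                   "word/document.xml": BODY.format("")})

if __name__ == "__main__":
    print(residual_metadata(DIRTY), residual_metadata(CLEAN))
```

An empty result only means none of the checked fields are populated; custom properties and embedded objects are outside what this check reads.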

Cross-Border Transfers: Where the Files Actually Go

GDPR Chapter V restricts transfers of personal data to countries outside the European Economic Area unless specific conditions are met. This is not abstract: when you upload a file to a web service, the data travels to wherever that service's servers are physically located. If those servers are in the United States, you have made an international transfer. If they are in India or Singapore, same situation. The mechanisms that make such transfers lawful include: adequacy decisions (the European Commission has decided that the destination country offers adequate protection — the UK, Japan, South Korea, and a handful of others qualify), Standard Contractual Clauses (SCCs, the most common mechanism for US-based services), and Binding Corporate Rules (used by large multinationals for intra-group transfers). For a file conversion service, the relevant question is where the processing actually happens. 'Our company is based in Germany' does not necessarily mean processing happens in Germany if the infrastructure runs on a US cloud provider's servers. After the Schrems II ruling in 2020 invalidated the EU-US Privacy Shield, the legal basis for many US transfers collapsed, and organisations that had been relying on it without noticing were suddenly non-compliant. The EU-US Data Privacy Framework, adopted in 2023, restored an adequacy mechanism for certified US organisations, but it remains subject to legal challenge. CocoConvert's file processing infrastructure runs on servers located in Frankfurt, Germany, within the EU. This means no cross-border transfer occurs for the file content itself. Account data for registered users is handled separately and the relevant data flows are described in the Privacy Policy. If you are evaluating any file conversion service for business use, ask specifically: where are the processing servers? Not where is the company registered, but where does the file go when I click upload.

Practical Steps for Compliant File Conversion at Work

If you are responsible for data protection at an organisation — whether as a DPO, a compliance officer, or an IT manager who has inherited the role — here is a concrete checklist for making file conversion workflows GDPR-compliant.

First, audit what your teams are actually converting. Shadow IT is real: employees routinely use consumer tools for work tasks because they are faster or more convenient than approved software. A quick survey or network traffic analysis often reveals that staff are uploading files containing personal data to services that have never been reviewed by legal or IT. You have to identify those services before you can govern them.

Second, for any service you approve for use with personal data, obtain a DPA. This is non-negotiable under Article 28. If a service won't provide one, it cannot be used for processing personal data, full stop. Keep a register of approved processors and their DPAs — this is part of the Records of Processing Activities (ROPA) that Article 30 requires for organisations with more than 250 employees, and good practice regardless of size.

Third, apply data minimisation before uploading. If you need to convert a contract that contains the counterparty's personal details, consider whether you can redact those details before conversion, convert the redacted version, and reinsert the details afterwards. This reduces the personal data exposure during the conversion step. Adobe Acrobat, LibreOffice Draw, and several free tools support PDF redaction.

Fourth, document your decisions. If you have assessed a conversion service and concluded it is appropriate for a given use case, write that assessment down. A brief record noting the service, the data types involved, the legal basis, and the retention policy provides evidence of accountability under Article 5(2) if you are ever asked to demonstrate compliance.

Fifth, train staff. The most robust technical controls are undermined if employees don't understand why they exist. A 20-minute training session explaining what personal data is, why file uploads to external services matter, and which tools are approved for which purposes goes a long way.

What to Do If Something Goes Wrong

Despite precautions, things go wrong. A file containing personal data gets uploaded to an unapproved service. A converted file gets shared with the wrong recipient. A service you rely on reports a data breach. GDPR has specific requirements for each scenario, and the timelines are tight. Under Article 33, a personal data breach must be reported to the relevant supervisory authority within 72 hours of the controller becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of natural persons. 'Becoming aware' means when you have a reasonable degree of certainty that a breach has occurred — not when you have fully investigated it. The 72-hour clock starts at awareness, not at confirmation. For a file conversion context, a reportable breach might look like: you discover that a service you used retained files beyond their stated retention period and those files have been accessed without authorisation. Or: you uploaded a file to the wrong service — one without a DPA and with servers outside the EEA — and that constitutes an unlawful transfer that rises to the level of a breach depending on the sensitivity of the data. If you are using CocoConvert and believe something has gone wrong with your data, the first step is to contact privacy@cococonvert.com. We will respond within 24 hours with information about what data we hold, when it was processed, and whether it has been deleted. If a breach has occurred on our infrastructure, we will notify affected controllers within 24 hours of our own awareness, which gives you time within the 72-hour window to assess and report to your supervisory authority if required. The broader point is that GDPR compliance in file conversion is not a one-time configuration. It requires ongoing attention: reviewing processor relationships annually, staying current on adequacy decisions and SCCs, and maintaining incident response procedures that actually work when tested. 
File conversion is a small piece of that picture, but it is a piece that is easy to overlook and relatively straightforward to get right.