
Compliance Guide · April 2026

GDPR, HIPAA, and File Converters: What Professionals Need to Know

Published: March 23, 2026 · ~10 min read

File conversion is a routine task — and for most professionals it stays that way. But when the document being converted contains patient data, client records, employee information, or financial details, the choice of conversion tool becomes a compliance decision. GDPR and HIPAA each impose specific requirements on how personal and health data is processed. Upload-first converters create data processing relationships that those frameworks regulate. Client-side converters largely bypass that complexity.

The compliance shortcut

A browser-based converter that genuinely processes files locally does not make its operator a GDPR data processor or a HIPAA business associate with respect to the file's contents, because no regulated data leaves the user's device. This simplifies compliance considerably, and it is now technically feasible for most common conversion jobs. The qualifier matters: the shortcut holds only for a tool that never transmits the file, not for one that merely advertises privacy, and it says nothing about other personal data the site may collect about the visit itself.

Convert sensitive documents locally

No upload, no data processor chain, no BAA or DPA required for client-side tools.

GDPR and file conversion: the key concepts

GDPR applies when personal data of individuals in the EU/EEA is processed, and when the controller or processor is established there. The operator of a converter that handles uploaded documents typically qualifies as a data processor for the contents of those documents.

Data controller vs data processor

Under GDPR, the organization that decides why and how personal data is processed is the controller. The operator of an upload-first converter, which processes the file only on the controller's instructions, is the processor. Article 28 requires a written contract, commonly called a Data Processing Agreement (DPA), between them before the processor handles any personal data.

Lawful basis for processing

The lawful basis is the controller's responsibility, not the converter's: the organization uploading the file must have an Article 6 basis for the processing, typically contract performance or legitimate interests. That basis must be identified and documented before processing begins, not retrofitted afterward, and the processor then acts within it.

International data transfers

If a converter routes files through servers outside the EU/EEA (e.g., US-based cloud storage), the transfer must be covered by an adequacy decision for the destination country or by another Chapter V transfer mechanism such as Standard Contractual Clauses (SCCs). The controller has to know where the processor's infrastructure is, which is rarely obvious from a converter's front page.

Right to erasure

Data subjects can request deletion of their personal data. Most converters handle this via a support ticket, not an automated self-service flow — meaning a deletion request requires manual action.

HIPAA and file conversion: the key requirements

HIPAA's Privacy and Security Rules apply to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to their business associates that handle PHI on their behalf.

Business Associate Agreement (BAA)

Before a vendor creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity, the covered entity must have a BAA in place with that vendor. Without one, the disclosure itself is a violation. Most general-purpose converters do not offer a BAA.

Minimum necessary standard

HIPAA requires that only the minimum necessary amount of PHI be disclosed. Uploading a full patient document to process a formatting change may exceed what is 'minimum necessary'.

Encryption at rest

Under the Security Rule, encryption of ePHI at rest is an 'addressable' implementation specification: the covered entity must implement it or document why an equivalent alternative is reasonable, and in practice unencrypted PHI stored by a third party is very hard to defend. PHI encrypted in line with HHS guidance is also not 'unsecured PHI', so its exposure does not trigger breach notification. The covered entity must verify that the converter's infrastructure actually meets this standard; marketing claims are not sufficient.

Access logging and audit trails

The Security Rule's audit controls standard requires mechanisms that record and examine activity in systems containing ePHI. A converter's default web-server logs (request lines, client IPs, timestamps) may not capture who accessed which record, and a covered entity cannot produce audit evidence it has no access to.

Why client-side converters simplify compliance

When the processing stays in the browser, the compliance chain is much shorter.

No DPA required under GDPR

If the file's personal data never leaves the user's device, the converter's operator is not a processor of that data in the GDPR sense, and the Article 28 DPA requirement does not apply to the in-browser processing. The organization doing the converting remains the controller of the data it already holds; what disappears is the third-party link in the chain, not the controller's own obligations.

No BAA required under HIPAA

A business associate is a party that creates, receives, maintains, or transmits PHI on behalf of a covered entity. A vendor whose software runs entirely in the browser never receives the PHI, so it is not a business associate and no BAA is triggered. The moment the tool falls back to a server-side step, that analysis changes.

Simpler data subject request handling

A right-of-access or right-of-erasure request is directed at the controller, who still holds the original file. What in-browser processing removes is the third-party copy: there is no processor to instruct, no support ticket to raise, and no retention period to chase before the request can be closed.

No cross-border transfer analysis

In-browser processing does not involve a data transfer in the GDPR sense. The SCC and adequacy framework analyses become irrelevant.

Practical scenarios by professional role

Compliance requirements vary by the type of data and the applicable framework. These scenarios illustrate the practical difference.

Healthcare administrator

File: Patient intake form (PDF)

Risk: PHI. An upload-first converter requires a BAA between the healthcare provider and the converter vendor. Most free converters do not offer one.

Recommended approach: Use a client-side PDF tool. No BAA needed. The PHI stays on the device.

Lawyer

File: Client contract (DOCX)

Risk: Attorney-client privileged information. Unauthorized disclosure could waive privilege.

Recommended approach: Client-side conversion is the cleanest path. If a server-side tool is unavoidable, review the vendor's confidentiality terms and assess whether disclosure to that vendor could be argued to waive privilege in your jurisdiction.

HR professional

File: Employee records scan (JPEG → text)

Risk: Personal data under GDPR. A DPA is required if an upload-first converter processes EU employee data.

Recommended approach: Where OCR is needed, prefer a tool that runs OCR in the browser. If a server-side OCR step is unavoidable, use a converter that offers a signed DPA and processes in the EU. For image-to-image conversion, a client-side tool eliminates the DPA requirement entirely.

Accountant

File: Tax return PDF → Excel

Risk: Financial data and personally identifiable information. GDPR applies in the EU; state-level privacy laws may apply in the US.

Recommended approach: Client-side conversion removes the data processor chain. If OCR-backed extraction requires a server-side step, verify the converter's DPA and the jurisdiction its servers run in before uploading.

Important disclaimer

This article is an informational overview of how GDPR, HIPAA, and file converter choices interact. It is not legal advice. Compliance requirements vary by jurisdiction, organizational context, and the specific nature of the data being processed. If your organization handles regulated personal data or protected health information, consult a qualified legal or compliance professional before establishing a file processing workflow.

FAQ

Do I need a DPA to use ConvertPrivately for personal data?

All tools, including OCR, process files in your browser by default, so no DPA is needed for the default mode. If you choose the optional server-side OCR fallback for tools like PDF to Word or Image to Text, your file is sent to our backend and we become a processor of whatever personal data it contains; in that case review our privacy policy and put a DPA in place if the file contains personal data.

Can I use any browser-based converter for HIPAA-covered data?

If the processing is genuinely client-side and no PHI is transmitted to an external server, the BAA requirement is not triggered. That said, HIPAA compliance involves more than file handling — consult your compliance officer before establishing a workflow for PHI.

Is GDPR the same as being 'safe' for file conversion?

GDPR creates legal obligations and accountability, which is valuable. But a GDPR-compliant upload-first converter still receives and processes your file on its servers; it just does so within a legal framework. Local-first conversion is more privacy-protective than GDPR compliance alone, because the question of how the vendor handles your file never arises.

What should I do if my organization's IT policy prohibits uploading files to third-party services?

Client-side converters are the right choice. Because the file never leaves the browser, no upload to a third-party service occurs, which is compatible with most 'no external upload' policies, though your IT and legal teams should review the specific policy language. Verify the claim rather than trusting it: open the browser's Network panel, convert a harmless test file, and confirm that no request carries the file's contents, including any optional server-side fallback the tool may offer.