← Все статьи

GDPR and PDF tools: what European users need to know

·4 мин чтения

If you're in the EU and you upload a document containing personal data to an online PDF tool, you may have just triggered concerns under the General Data Protection Regulation — even for something as mundane as merging two files. Most people never think about it. Here's what's actually at stake and how to stay on the right side of it.

This is general information, not legal advice. For specific compliance questions, consult a qualified professional.

Why a PDF upload is a GDPR matter

GDPR governs the processing of personal data — any information relating to an identifiable person. A surprising share of everyday PDFs qualify: employee contracts, customer invoices, CVs, medical letters, ID scans, anything with names and details.

The moment you upload such a file to a third-party tool, that tool becomes a data processor acting on your behalf, and several obligations come into play. If you're handling the data of others (employees, clients, patients), you are the controller and you're responsible for where it ends up.

The three things to check

1. Data residency — where does the file go?

GDPR doesn't forbid sending data outside the EU, but it adds requirements when you do. A tool that processes your file on servers in a jurisdiction without adequate protections introduces legal complexity and risk. The cleanest answer is to know — and ideally control — where processing happens.

The cleanest answer of all is processing that happens in your own browser, because then there's no transfer at all. A file that never leaves your machine never crosses a border.

2. Retention — how long is it kept?

GDPR's storage-limitation principle says personal data shouldn't be kept longer than necessary. "We delete uploads after an hour" is the kind of policy you want — but it's a promise you can't independently verify. The shorter and clearer the retention, the lower your exposure. A tool that's vague about retention is a tool you can't assess.

3. Right to erasure — can it actually be deleted?

Data subjects have the right to have their personal data erased. If a tool has copied your file into backups, logs, and subprocessor systems, honoring an erasure request becomes genuinely hard to guarantee. Fewer copies in fewer places makes this tractable — and again, the file that was never uploaded needs no erasure.

The local-processing advantage

This is where in-browser tools change the calculation. When a PDF operation runs locally via WebAssembly:

  • No transfer — the file never leaves the EU, or your device, at all.
  • No retention — there's no server-side copy to retain or forget to delete.
  • Nothing to erase — no copies exist beyond your own machine.

For controllers, that dramatically simplifies the compliance story for routine tasks. PlinyPDF runs its everyday tools — merge, split, compress, rotate, watermark, password, and editing — entirely in the browser for exactly this reason.

When processing is unavoidable, what good looks like

Some tasks genuinely need a server — high-fidelity Word conversion, AI summarization. That's allowed under GDPR; it just has to be done properly. The markers of a responsible processor:

  • Clear, short retention (e.g. deletion within 24 hours).
  • A defined region for processing and storage.
  • No secondary use — your documents aren't used to train models or build datasets.
  • Honesty — cloud features are labeled, so you can make an informed choice file by file.

When PlinyPDF needs a server for PDF to Word or AI summaries, the file is sent over an encrypted connection, deleted within 24 hours, and never used for training — and it's clearly marked as a cloud tool so you always know.

A practical checklist

Before you upload a PDF with personal data, ask:

  1. Does this even need a server? If not, use a local tool and skip the whole question.
  2. Where would the file be processed? Prefer known, adequate jurisdictions.
  3. What's the retention? Short and specific beats vague.
  4. Could it be deleted on request? Fewer copies, fewer problems.
  5. Is it used for anything else? "Never used for training" should be explicit.

The takeaway

GDPR compliance for PDF tools comes down to a simple instinct: minimize where personal data travels. For most tasks, browser-based processing means it travels nowhere — the strongest position you can be in. Reserve uploads for the few operations that truly need them, and choose a processor that's clear about residency, retention, and erasure.