GDPR-Compliant Transcription for EU Teams: A 2026 Buying Guide
Founder · Building TranscribeCat since 2024 · Last updated May 2, 2026
Short answer: a transcription service is GDPR-compliant for an EU team when (1) it offers a Data Processing Agreement, (2) it discloses every subprocessor that touches your audio, (3) it gives you control over retention, and (4) it handles cross-border transfers via SCCs or processes your data inside the EU/EEA. Most consumer transcription services fail at least one of these.
This guide gives you a practical checklist for evaluating any transcription vendor against GDPR — plus a list of concrete questions you can email a vendor before you upload anything.
Why audio is special under GDPR
Audio recordings of people speaking are personal data under Article 4(1) of the GDPR. When the speech contains identifying information — names, locations, health details, opinions, anything traceable to a natural person — it can also qualify as a special category (Article 9) requiring stricter handling.
Researchers transcribing interviews, lawyers handling depositions, journalists with source recordings, and clinicians with patient consultations all need to think carefully about which transcription vendor sees that audio and where it goes.
The five-point GDPR checklist
Before uploading EU personal data to any transcription service, verify:
1. A signed DPA
Article 28 requires a written contract between you (the controller) and the vendor (the processor). Most reputable vendors publish a Data Processing Agreement you can sign electronically; check for a public DPA URL on their /privacy or /trust page. Without a DPA, the vendor cannot lawfully act as your processor for personal data.
2. Disclosed subprocessors
You need to know who else sees the audio. A transcription service almost always uses a downstream AI provider (OpenAI, AWS, Google), a hosting provider (Vercel, AWS), and storage (R2, S3). Every one of those is a subprocessor under GDPR Article 28(4), and you have the right to be told.
Look for a public subprocessor list. If the vendor won't name them, that's a red flag — you can't document a chain of custody you can't see.
3. Cross-border transfer mechanism
If any subprocessor is outside the EU/EEA, the vendor needs a lawful transfer mechanism: Standard Contractual Clauses (SCCs), an adequacy decision (e.g. EU–US Data Privacy Framework), or Binding Corporate Rules. SCCs are the most common.
For sensitive data, EU-only processing is the safest path — but availability is limited. Most consumer transcription services run on US infrastructure with SCCs. That's acceptable for many use cases but not all.
4. Retention controls
GDPR Article 5(1)(e) requires personal data to be kept “no longer than necessary.” In practice this means you should be able to delete your audio whenever you want, and the vendor should auto-delete after a defined window.
The strongest signal: a per-file retention picker that lets you choose anything from “delete on completion” up to a defined maximum. The weakest signal: indefinite retention with manual deletion only.
5. AI-training carve-out
Many AI providers reserve the right to train on user input unless the customer pays for or explicitly opts into a no-training tier. Confirm in writing that your audio and transcripts will not be used for model training. This is usually documented in the AI provider's API agreement (e.g. OpenAI's API agreement excludes API traffic from training by default), but the transcription vendor should confirm it applies to your traffic specifically.
Questions to email a vendor before uploading
Copy-paste these. If a vendor can't answer all five, find another.
- Can you share a link to your DPA, and is electronic signature available without requiring an enterprise contract?
- What is your full subprocessor list (vendor name, region, function)? Do you publish it and notify customers when it changes?
- Where is uploaded audio stored at rest, and where is it processed? If anything leaves the EU/EEA, what transfer mechanism is in place?
- Can I configure or override the audio retention window per file? What is the default and the maximum? When the window elapses, is deletion verified or best-effort?
- Will my audio or transcripts be used to train any AI model, including the downstream provider's? Is this guarantee in the DPA, the privacy policy, or neither?
A note on US AI providers
Most modern transcription services route audio through OpenAI, Anthropic, Google, or AWS. All are US-based. For an EU controller, this means cross-border transfer — and SCCs are the lawful mechanism in nearly all cases.
The EU–US Data Privacy Framework (DPF) was adopted in July 2023 and provides an alternative adequacy basis for US transfers. As of May 2026, the DPF remains in force but is being challenged at the Court of Justice of the European Union. SCCs remain the safest fallback regardless of how that case resolves.
Where TranscribeCat stands
In the spirit of the questions above, here's exactly where TranscribeCat sits against the same checklist (full details on our /trust page):
- DPA — available on request via /contact. We'll publish a self-serve version soon.
- Subprocessors — full list with regions and DPA links on /trust. Updated whenever we add or change a vendor.
- Cross-border transfers — storage, database, hosting, auth, email, and analytics are EU. Two subprocessors (Modal compute, OpenAI transcription) are US-based; SCCs in place for those transfers. Reach out before uploading sensitive data if your case requires zero US transit.
- Retention — per-file retention picker on /upload. Choose from “delete right after transcription” up to one year, with 90 days as the default.
- Training opt-out — OpenAI's API agreement excludes API traffic from training by default; we don't fine-tune any model on user data. Confirmed in our privacy policy.
What we're not
We don't hold SOC 2, ISO 27001, or HIPAA BAA. Two of our subprocessors (Modal compute, OpenAI transcription) are still US-based, so we don't offer zero-US-transit processing today. If your use case requires any of those, we're not the right vendor — and we'll tell you so before you upload.
The bottom line
GDPR doesn't prohibit AI transcription. It requires that you know what happens to the audio, who sees it, where it goes, and how long it stays. The five-question checklist above gets you most of the way there. Anything a vendor won't answer in writing is a vendor you can't document, and a vendor you can't document isn't one you should upload personal data to.
Try TranscribeCat with full retention control
$2/hour, no subscription, you choose how long the audio is kept (instant to 1 year), full subprocessor disclosure on /trust.