If you handle PDF files containing personal data about EU residents — names, addresses, medical records, financial data, or any identifying information — GDPR applies. Here's what that means in practice for your PDF workflows.
GDPR applies whenever a PDF contains personal data: any information that identifies or could identify a living individual. This includes contracts with names and addresses, invoices with payment details, medical reports, HR files, and any scanned ID documents.
You must have a lawful basis for processing the personal data in a PDF. You must not retain the data longer than necessary. You must secure it against unauthorised access. If you use a third-party tool to process the PDF, that tool is a data processor under GDPR — subject to strict requirements.
Tip: If you upload a PDF containing personal data to an online editor, that editor becomes a data processor. This requires a Data Processing Agreement (DPA) and compliance with GDPR transfer requirements.
pdfeditor.onl processes all PDFs locally in your browser. Files are never transmitted to any server. This means no third-party processing occurs — eliminating the data processor obligation, the need for a DPA, and the risk of data being stored or leaked on external servers.
When sharing PDFs externally or archiving them, redact unnecessary personal data. Use the Redact or Eraser tool in PDF Studio to permanently cover names, addresses, phone numbers, and other identifiers before sharing.
It can, if the editor uploads personal data to a server without a Data Processing Agreement and adequate safeguards. Using a zero-upload tool like pdfeditor.onl eliminates this risk.
Yes. PDF metadata can contain author names, company names, email addresses, and editing history — all potentially personal data under GDPR.
Since pdfeditor.onl processes no files on any server, it does not act as a data processor under GDPR. No DPA is required.