You're a small UK firm processing client PDFs that contain personal data. Every online PDF tool you use is a processor of that data under GDPR. Which ones can you use without breaching your obligations?
What GDPR considers
Under GDPR, personal data is any information relating to an identifiable natural person. Most business PDFs contain personal data — client names, addresses, employee identifiers, customer transactions.
When you process personal data via a third-party tool, the tool's operator is a processor under Article 28. You (the controller) must have a written agreement (a DPA) covering security, sub-processors, breach notification and data subject rights.
Article 28 essentials
A compliant DPA must require the processor to:
- Process only on documented controller instructions.
- Ensure confidentiality of staff.
- Apply appropriate technical and organisational measures (Article 32).
- Engage sub-processors only with controller consent.
- Assist with data subject rights.
- Notify breaches without undue delay.
- Delete or return data at end of processing.
- Submit to audits.
Reputable PDF tool providers publish a standard DPA. Smaller providers may not — that's a compliance gap.
Browser-side tools and GDPR
If a PDF tool processes entirely in your browser (no upload to their servers), the picture changes. The provider isn't processing personal data — *you* are, on your own device.
Flint is browser-based. The provider doesn't see your file content. This significantly reduces the third-party processing scope under GDPR. You may still need to document use of the tool, but the processor relationship is lighter.
Data residency
For UK/EU clients, processors handling data should be in the UK/EEA or in a country with an adequacy decision. Many US-based tools rely on Standard Contractual Clauses (SCCs) post-Schrems II.
For sensitive material, check the processor's data residency. EU-based or browser-side tools simplify the analysis.
Practical checklist
Before using an online PDF tool for personal data:
1. Does it publish a DPA you can review?
2. Is data residency acceptable for your client base?
3. What sub-processors does it use?
4. How long are files retained?
5. Is processing browser-side or server-side?
If you can't answer these, the tool may not be compliant for your use case.
FAQ
Does Flint have a DPA?
Flint processes in your browser — no personal data is sent to Flint's servers, so the traditional processor relationship is reduced. Check the privacy policy for the current statement.
Is using a US-based PDF tool a GDPR breach?
Not automatically, but you need SCCs in place, must document the transfer, and must assess the risk under Schrems II. Browser-side tools sidestep most of this.
What if a client uploads a file with personal data to a tool I recommended?
You're not the processor here — the client is the controller. But your recommendation carries some responsibility; recommend tools you've vetted.
Do I need to update my privacy notice to list PDF tools?
Yes, if they're processors of personal data on your behalf. Browser-side tools may not need listing in the same way.
GDPR makes 'free PDF tool from Google search' a compliance question. Use a browser-based tool and minimise the processor footprint.