DeepScript
Question

Is AI transcription GDPR-compliant?

Short answer

Yes, but only with a Data Processing Agreement under GDPR Art. 28, EU data residency, an explicit no-training clause, and clear deletion timelines — otherwise no.

As soon as your audio contains the voices of identifiable people, which is nearly always, you're processing personal data under GDPR. Speaker diarization that merely separates who-spoke-when stays in that category; the moment speakers are identified by voiceprint (matched against stored voice profiles), you're processing biometric data (GDPR Art. 4(14)), a special category under Art. 9 that normally requires explicit consent and ratchets requirements higher.

What GDPR compliance concretely requires:

1. Legal basis. Usually consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)) after balancing. In employment contexts, often a works-council agreement (§26 BDSG combined with GDPR Art. 88).

2. Data Processing Agreement (DPA). Anyone using an external transcription service must sign a DPA under GDPR Art. 28(3). The contract must spell out subject matter and duration, nature and purpose, the types of personal data and categories of data subjects, and the obligations and rights of the controller; it must also cover sub-processor approval, confidentiality of staff, deletion or return of data at the end of the service, and your audit rights.

3. EU data residency. Personal data should stay in the EU/EEA or go only to countries with an adequacy decision; any other transfer needs Art. 46 safeguards (standard contractual clauses plus a transfer impact assessment), which since Schrems II is hard to get right for US providers. The 2023 EU-US Data Privacy Framework reopened an adequacy route for certified US companies, but it is still being contested in court. Safer path: providers whose servers and sub-processors are in Germany or the EU.

4. No-training clause. The contract must explicitly prohibit the provider from using your audio or transcripts to train or fine-tune its models, and extend that prohibition to its sub-processors. Do not rely on default terms: self-serve tiers of some cloud APIs reserve that right, and a no-training commitment often exists only in enterprise terms or behind an opt-out. Verify the clause in the contract you actually sign.

5. Deletion timelines. Audio should be deleted as soon as transcription completes (failed jobs included); the transcript after a defined retention period fixed in the DPA. This follows from storage limitation (Art. 5(1)(e)): personal data may be kept no longer than necessary for the purpose. Ask how deletion propagates to backups and sub-processors, and what evidence (deletion log, confirmation) you receive.

6. TOMs (technical and organizational measures). Art. 32 requires measures appropriate to the risk: encryption in transit and at rest, role-based access controls, audit logging, pseudonymisation where feasible, and tested backup and recovery. An ISO 27001 certification of the provider or data center is evidence that such measures exist, not a GDPR requirement in itself; the DPA should still list the concrete measures.

7. Data subject rights. Access, rectification, erasure and portability (Arts. 15 to 20) must be technically implementable, including for data held by sub-processors. With US providers this is often a practical problem: an erasure request has to reach every copy, backups included, within the one-month deadline of Art. 12(3).
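Items 5 and 7 are policy statements; what a practitioner wants to see is how a pipeline actually enforces them. The following is an added example written for this page, not DeepScript's code. It assumes an in-memory job store standing in for object storage, a 30-day transcript retention period and a 24-hour upper bound for a job to finish (both assumed values), and a policy that audio is deleted the moment a job reaches a terminal state, that transcripts are deleted once the retention period elapses, and that jobs stuck in "running" past the bound are treated as failed so their audio cannot linger. Every deletion is written to an append-only audit log, which is the evidence you would hand over for Art. 5(2) accountability.

```python
"""Retention enforcement for a transcription pipeline (added example, not
DeepScript's code). Uses a constructed in-memory store; a real system would
call the object-storage delete API at the same points."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TRANSCRIPT_RETENTION = timedelta(days=30)   # assumed contractual retention period
MAX_JOB_AGE = timedelta(hours=24)           # assumed upper bound for a job to finish


@dataclass
class Job:
    job_id: str
    created_at: datetime
    status: str                              # "queued" | "running" | "done" | "failed"
    completed_at: Optional[datetime] = None
    audio_key: Optional[str] = None          # storage key; None once the audio is deleted
    transcript_key: Optional[str] = None     # storage key; None once the transcript is deleted


class Store:
    """Stand-in for object storage: tracks which keys still exist."""
    def __init__(self, keys):
        self.keys = set(keys)

    def delete(self, key):
        if key not in self.keys:
            raise KeyError(key)   # deleting twice means bookkeeping drifted; fail loudly
        self.keys.remove(key)


def enforce_retention(jobs, store, now, audit_log):
    """Apply the retention policy once. Returns the (job_id, kind) pairs deleted."""
    deleted = []
    for job in jobs:
        terminal = job.status in ("done", "failed")
        # A job that never finished but is older than MAX_JOB_AGE is treated as failed,
        # otherwise its audio would sit in storage indefinitely.
        if not terminal and now - job.created_at > MAX_JOB_AGE:
            job.status, job.completed_at, terminal = "failed", now, True
            audit_log.append(f"{now.isoformat()} {job.job_id} marked failed (stale job)")
        # Audio goes as soon as transcription is over, successful or not.
        if terminal and job.audio_key is not None:
            store.delete(job.audio_key)
            audit_log.append(f"{now.isoformat()} {job.job_id} deleted audio {job.audio_key}")
            job.audio_key = None
            deleted.append((job.job_id, "audio"))
        # The transcript goes once the retention period has elapsed.
        if (job.status == "done" and job.transcript_key is not None
                and job.completed_at is not None
                and now - job.completed_at >= TRANSCRIPT_RETENTION):
            store.delete(job.transcript_key)
            audit_log.append(f"{now.isoformat()} {job.job_id} deleted transcript {job.transcript_key}")
            job.transcript_key = None
            deleted.append((job.job_id, "transcript"))
    return deleted


def demo():
    """Constructed sample jobs covering the fresh, expired, in-progress and stale cases."""
    now = datetime(2025, 1, 31, 12, 0, tzinfo=timezone.utc)
    jobs = [
        Job("j1", now - timedelta(minutes=5), "done", now - timedelta(minutes=1),
            audio_key="audio/j1.wav", transcript_key="text/j1.txt"),  # fresh: audio goes, text stays
        Job("j2", now - timedelta(days=40), "done", now - timedelta(days=40),
            transcript_key="text/j2.txt"),                             # expired: text goes
        Job("j3", now - timedelta(minutes=10), "running",
            audio_key="audio/j3.wav"),                                 # in progress: keep everything
        Job("j4", now - timedelta(days=2), "running",
            audio_key="audio/j4.wav"),                                 # stale: fail it, purge audio
    ]
    store = Store(k for j in jobs for k in (j.audio_key, j.transcript_key) if k)
    audit = []
    first_run = enforce_retention(jobs, store, now, audit)
    # A second pass an hour later must be a no-op: the policy is idempotent.
    second_run = enforce_retention(jobs, store, now + timedelta(hours=1), audit)
    return first_run, second_run, sorted(store.keys), audit


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The point of the stale-job rule is the failure mode the page's wording ("deleted after transcription completes") leaves open: a job that never completes would otherwise exempt its audio from deletion forever. Whatever your provider's policy says, ask them this question.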

DeepScript meets all of these: DPA template available online, infrastructure exclusively on our own servers in German data centers (Hetzner Falkenstein/Nuremberg), zero training on customer data, audio deleted after processing, ISO 27001-certified infrastructure.

Important: "GDPR-compliant" isn't a certification — it's a property that emerges from contract, technology, and process working together. If you're serious, read the DPA, the sub-processor list, and the security documentation — not just the marketing banner.

Still have a question?

Three transcriptions free to try. Or drop us a line — we answer within 24 hours, compliance questions included.
