Uploading a document to a free online converter feels harmless. For most personal files it is. But if that document contains a client's data, a patient record, or a European resident's personal information, the upload itself can trigger obligations under GDPR, HIPAA, or your firm's confidentiality rules. This post walks through when those obligations kick in — and how using a browser-based tool like Zro7 keeps you clear of them.
The rule that catches everyone off guard
GDPR, HIPAA, and most enterprise data-protection policies share one idea: processing personal data is regulated, and "processing" is defined so broadly that uploading a file to a converter counts. The moment your file leaves your device, a third party is processing personal data on your behalf. Unless there's a written contract in place with that third party, you've likely violated policy — sometimes law.
GDPR: the Data Processing Agreement problem
Under GDPR Article 28, if a service processes personal data on your behalf they are a "processor" and you must have a Data Processing Agreement (DPA) with them. Free online converters do not sign DPAs with individual users. So when a European lawyer uploads a client contract to a free PDF splitter, three GDPR problems appear at once:
- No DPA with the processor (Article 28).
- No lawful basis to transfer the client's data to that processor (Article 6).
- If the converter is in the US, a cross-border transfer with no safeguards (Chapter V).
Fines aside, the client can file a complaint with a supervisory authority. This has happened.
HIPAA: the BAA problem
In US healthcare, any vendor that processes Protected Health Information (PHI) is a "business associate" and needs a signed Business Associate Agreement (BAA). No consumer file converter offers a BAA. Uploading a patient PDF to convert it is a HIPAA breach on the day you do it — the size of the file doesn't matter, and "but they promise to delete it in an hour" doesn't help.
The categories of file you should never upload
- Signed contracts, NDAs, and settlement agreements
- Passports, ID cards, driver's licenses
- Patient records, lab results, medical imaging
- Client account statements and financial disclosures
- Anything marked confidential, privileged, or under seal
- Any file whose name contains a client identifier
Why browser-based tools avoid the whole problem
When a Zro7 tool runs the conversion in your browser, no third party processes your data — because there is no third party. GDPR Article 28 does not apply, because there is no processor. HIPAA does not apply, because there is no business associate. Your firm's DLP policy does not flag anything, because nothing left the endpoint. You can audit this yourself: open the tool, open DevTools → Network, run the conversion, and verify that no request carries your file's bytes off the device.
A safer default workflow
- For anything containing a client's data, use a browser-based tool. Merge PDF, Compress PDF, Lock PDF, and 90+ more run in the browser.
- For workloads too big for one machine (rendering a two-hour 4K video), use a cloud service you have a DPA / BAA with — not the first free converter that Google returns.
- Never paste a client file into a chat assistant unless your firm has a signed data-handling agreement with that assistant's vendor.
The one exception where cloud is fine
If the file contains no personal data — a marketing PDF, a stock image, an open-source dataset — cloud converters are legally fine. The rules exist to protect the identifiable, sensitive, or confidential subset. Recognize the subset, treat it differently.
Zro7