PDFly

PDFs and GDPR: what your American tools really aren't telling you

The Cloud Act, Standard Contractual Clauses, Schrems II: why a PDF processed by a US service is never 100% GDPR-compliant, explained simply.

May 06, 2026 | 4 min read | By PDFly

If you handle PDFs that contain personal data — employment contracts, client files, invoices with VAT numbers, quotes with bank details — the GDPR compliance question isn't optional.

And the answer is more complex than the "GDPR compliant" badge displayed by every online service. Here's what the American tools generally don't mention in their messaging.

GDPR doesn't apply to where your data is — it applies to who processes it

First common misunderstanding: GDPR applies to any company processing data of European citizens, regardless of where the company is located. iLovePDF, SmallPDF, and Adobe are all required to comply with GDPR for their European users.

So yes, they are "GDPR compliant." That's not false — it's just insufficient as soon as there's a data transfer to the United States.

Schrems II: the 2020 ruling that changed everything

In July 2020, the Court of Justice of the European Union invalidated the Privacy Shield, the agreement that framed data transfers between the EU and the United States. Why? Because US surveillance programs (FISA 702, Executive Order 12333) allow US intelligence agencies to access European data hosted on US soil, with no legal recourse for the affected Europeans.

Concretely, Schrems II means that a transfer of personal data to the United States is only legal if:

  1. The recipient offers additional safeguards (end-to-end encryption, prior anonymization, etc.)
  2. The European controller has assessed the risks case-by-case
  3. US authorities can't access the data

No US PDF SaaS service meets these conditions 100%. They use Standard Contractual Clauses (SCC), a fragile legal crutch already challenged by several European supervisory authorities (CNIL, Austria's DSB, etc.).

The CLOUD Act: the cherry on top

Passed in 2018, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) lets any US federal agency require any company under US jurisdiction — including European subsidiaries — to provide data stored anywhere in the world, without informing the user.

Which companies are concerned?

  • iLovePDF (Barcelona HQ, but AWS/CloudFront US infrastructure)
  • Adobe (San Jose, California HQ)
  • SmallPDF (Zurich HQ, but owned by AnyDesk since 2024 — verify regularly)
  • Every service relying on AWS, Google Cloud, or Azure for infrastructure

For a trivial PDF, that's not a real risk. For an HR file, a commercial contract, or a legal document, you're transmitting it to a foreign jurisdiction without knowing it.

What does the CNIL say?

The French CNIL has been publishing recommendations since 2022 on data transfers to the United States. It explicitly invites public bodies and sensitive sectors (health, finance, legal) to prefer European solutions when possible.

"For high-risk transfers, European digital sovereignty must take precedence over ease of use." — CNIL, 2023

How to know if a service is truly sovereign

Five questions to ask your current PDF tool:

  1. Where is data physically hosted? (country + city if possible)
  2. Is the parent company under US, UK, or other foreign jurisdiction?
  3. What's the cloud subcontractor? AWS, GCP, Azure, OVH, Scaleway, Hetzner?
  4. Is there a reachable, identified European DPO?
  5. What's the exact retention period for uploaded files?

For PDFly, the answers are:

  1. Belgium and the Netherlands (Hostinger servers in EU)
  2. Belgium only (parent company ReDesign)
  3. No US cloud — dedicated VPS hosted on Hostinger NL/BE
  4. Yes — direct contact at info@redesignapp.be
  5. 0 seconds for free tools (nothing is uploaded); deleted immediately after processing for Premium functions

The "browser" argument changes everything

A large portion of PDFly's tools runs entirely in your browser, thanks to modern libraries (pdf-lib, WebAssembly). Your files never leave your machine.

This elegantly resolves the entire GDPR question for those operations: there's no data transfer to protect, so no Cloud Act, no Schrems II, no SCC to invoke. The entire processing chain stays under your control.
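"Files never leave your machine" is a property you can test rather than take on trust. The audit below is an added example, not PDFly's code: it hooks the browser APIs a page could use to send bytes out, refuses and records every attempt, then runs a PDF step under that audit. The merge, the uploading tool and the sample file bytes are constructed stand-ins (the URL is a placeholder, not a real endpoint).

```javascript
// Added example (not PDFly's code): audit whether a "browser-only" PDF step
// really keeps the file on the machine. Hooks the APIs a page can use to send
// bytes out (fetch, XMLHttpRequest, sendBeacon, WebSocket), records each
// attempt and refuses it. For an async step, await it between start and stop().
function startEgressAudit() {
  const g = globalThis, attempts = [];
  const refuse = (api, target) => {
    attempts.push({ api, target: String(target) });
    throw new Error(`egress refused during audit: ${api} -> ${target}`);
  };
  const xhr = g.XMLHttpRequest ? g.XMLHttpRequest.prototype : null, nav = g.navigator;
  const saved = { fetch: g.fetch, WebSocket: g.WebSocket,
    xhrOpen: xhr ? xhr.open : undefined, sendBeacon: nav ? nav.sendBeacon : undefined };
  g.fetch = (url) => refuse('fetch', url);
  g.WebSocket = function (url) { refuse('WebSocket', url); };
  if (xhr) xhr.open = function (_method, url) { refuse('XMLHttpRequest', url); };
  if (nav) nav.sendBeacon = (url) => refuse('sendBeacon', url);
  return { stop() {  // put the originals back and report what was attempted
    g.fetch = saved.fetch; g.WebSocket = saved.WebSocket;
    if (xhr) xhr.open = saved.xhrOpen;
    if (nav) nav.sendBeacon = saved.sendBeacon;
    return { clean: attempts.length === 0, attempts };
  } };
}
// Run a synchronous step under audit; a refused egress ends the step early.
function auditOperation(step) {
  const audit = startEgressAudit();
  let error = null;
  try { step(); } catch (e) { error = e.message; }
  return { ...audit.stop(), error };
}
// Constructed stand-in for a client-side merge (the kind of work pdf-lib does
// in the browser): concatenates file bytes without touching the network.
function localMerge(files) {
  const out = new Uint8Array(files.reduce((n, f) => n + f.length, 0));
  for (let offset = 0, i = 0; i < files.length; offset += files[i].length, i++) {
    out.set(files[i], offset);
  }
  return out;
}
// Constructed stand-in for a tool that uploads first (placeholder URL).
function uploadThenMerge(files) {
  return fetch('https://example.invalid/merge', { method: 'POST', body: localMerge(files) });
}
// Constructed sample inputs: the header bytes every PDF starts with, plus a tag.
const SAMPLE_FILES = ['%PDF-1.7 first', '%PDF-1.7 second'].map((s) => new TextEncoder().encode(s));
function demo() {
  return { local: auditOperation(() => localMerge(SAMPLE_FILES)),
           uploading: auditOperation(() => uploadThenMerge(SAMPLE_FILES)) };
}
```

Run `demo()` in the browser console of the tool under test, or wrap the tool's own merge call in `auditOperation`: a clean report means nothing tried to leave the machine; any recorded attempt names the API and destination.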

This is precisely the model the European Commission promotes through Gaia-X: sovereignty starts with decentralization.

In practice, how to migrate?

If you currently use a US PDF service and want to test the alternative:

  1. Identify your sensitive operations: which PDF tasks process personal or confidential data?
  2. Test the European tool for those tasks first (merge, compress, sign)
  3. Keep the US service for non-sensitive content if needed (a public marketing document)
  4. Document the change in your GDPR processing register

PDFly covers 90% of common needs for free, and offers Office, OCR and PDF/A conversions on Premium at €4.99/month — cheaper than the US service you're replacing, no commitment, no Cloud Act, no extra-European transfer.

Compare PDFly to competitors in detail or test the free tools now.
