Legal experts and those
working in the Translation and Interpreting sector have set out the guidelines
for compliance with the GDPR, the European Union data protection regulation.

The General Data Protection Regulation, which inspired the LGPD law in Brazil, came into force in 2018. Until that point, no clear rules had been established for the Translation and Interpreting sector (T&I), resulting in controversy with regards compliance, and a lack of consistent guidance from national data protection authorities.

Stefanie Bogaerts, President of the FreeLing Foundation, and John O’Shed, Chairperson of FIT Europe, comment on the European GDPR landscape:
“In the T&I sector, the presence of personal data in translated and interpreted content poses unique challenges. Personal data in this type of content is not structured but ad hoc, almost incidental, and as such challenging to process in a consistent, safe manner. What is more, clients are often unaware or ignorant of their obligations towards safe processing of personal data in the content they send for translation or interpreted content.”

One of the most common ways of protecting against the risk of personal data breaches is to require service providers to sign contracts, whether they are self-employed translators and interpreters or translation companies. Specific contracts are essential in reducing risks, but they do not protect against harm to reputation or the aggravation to which those involved are subject.

In order to create guidelines for compliance with the GDPR in the translation and interpreting profession, the European Commission Directorate-General for Translation funded the TEW – Translating Europe Workshop – a panel of legal and T&I sector experts dedicated to drawing up a set of guidelines focused on the sector’s needs.

The result of this Workshop was a report analyzing six specific areas of the sector:

• Types of personal data handled in the T&I sector
• Language Service Providers’ roles as data controllers and processors
• Contractual agreements between controllers and processors
• The use of sub-processors in the T&I sector
• Issues and solutions around data retention
• Identifying, analyzing, and mitigating risks

This Report (in English) can be found on the EUATC – European Union of Associations of Translation Companies website.

LSPs routinely process two types of personal data: administrative data, and data in translated or interpreted content. Administrative data includes client, supplier, and employee data. These data are not specific for the T&I sector, and in handling these kinds of data, LSPs’ business activities are comparable to any other sector. Handling personal data in translated or interpreted content is very specific to the T&I sector. The challenges around processing personal data in translated or interpreted content focus on the ad hoc, incidental nature of such data, the technical challenges of managing the data, and T&I clients’ and supply chain’s awareness of their obligations under the GDPR.

With regards to the type of personal data processed, LSPs routinely process two types of personal data: administrative data – which includes client, suppliers, and employee data -, and personal data contained in translated or interpreted content. Administrative data, such as names of staff or suppliers, should be processed as in any other industry, but the processing of translated or interpreted data is quite specific to the Translation and Interpreting sector. For example, personal data in a translation of a medical report are information which must be protected, just like any other data related to health, sexual orientation, political and religious affiliations, among others.

The TEW concluded that LSPs are indeed responsible for ensuring that the personal data contained in their translations are processed in full compliance with the GDPR, with certain exceptions only for data contained in public translations, such as sworn or certified translation, which has its own rules such as, for example, being required to keep texts for documentation purposes. On the one hand, the data in sworn translations may pose great risks such as, for example, translation of criminal records, as data regarding criminal convictions are high-risk information under that law.

On the other, the TEW deemed that data contained in interpreted content should not be considered as processing under the GDPR unless the interpretation uses automized support or it is recorded. But if there is a record of the content interpreted, whether through the automatic translation or interpretation tools used or through a verbal record on any media, this content then becomes subject to the law.

Retention period of translations containing personal data

Another important issue to consider is the period for which the personal data contained in translations will be retained. In accordance with the GDPR, such data may not be retained indefinitely. Administrative data, for example, may not be retained for longer than the necessary period, although such retention may be necessary, in accordance with local laws, to enable legal claims to be exercised. Local laws vary from country to country, in particular with regards the retention of sworn translations.
Outside of the European Union, this retention period varies even more. In Brazil, for example, the translator must keep a record of sworn translations for their lifetime, for the purposes of reproduction, if necessary, or in the event the record is required in court.

The LGPD – Brazilian general data protection law, has yet to pronounce specifically on the processing of personal data contained in translations or interpretations, but the work of the European panel can help us with our view of this.

A practice that is very specific to the translation industry is the use of tools such as translation memories, which are kept for long periods. In such cases, the TEW panel recommends using data anonymization tools to mitigate risks but notes that even anonymization does not ensure personal data are completely removed.

Risk Mitigation

According to the panel, there is a range of measures that translation companies should take when processing personal data:

• assess risks from the point of view of the LSP’s own operations;
• identify and mitigate risks specific to the LSP’s unique T&I activities;
• put in place appropriate contractual agreements with the controller, and throughout the supply chain;
• document risk assessments and personal data processing activities and the technical and organizational measures associated with them;
• ensure transfers to third countries are contractually agreed, and appropriately managed;
• put in place, track, and comply with defined data retention periods;
• involve all levels of the supply chain in raising awareness of their obligations, and achieving increased compliance.

Korn Traduções: providing sworn and general translation, subtitling, audio and video transcription, reviewing and post-editing services for 30 years. Dual international certification: ISO 27001 – Information Security Management System and ISO 9001 – Quality Management System.