The General Data Protection Regulation (GDPR, Regulation 2016/679) is the EU’s framework for protecting personal data. It replaced the 1995 Data Protection Directive and has been enforceable since May 25, 2018. GDPR applies to any organization that processes personal data of individuals located in the EU, regardless of where the organization itself is based.

GDPR introduced several principles that directly affect how TTS services operate: lawfulness and transparency of processing, purpose limitation, data minimization, storage limitation, and accountability. Organizations must have a legal basis for processing personal data, must not retain it longer than necessary, and must be able to demonstrate compliance.

Why it matters

For TTS implementations, GDPR is the data protection layer that sits alongside the European Accessibility Act. The EAA requires accessible digital services (which often means adding TTS). But the text fed into a TTS engine frequently contains personal data. GDPR governs how that data is handled.

The compliance chain is: the EAA mandates accessibility, accessibility requires TTS, TTS processes text, and text may contain personal data subject to GDPR. A missing DPA or inadequate data retention policy breaks this chain and creates legal exposure for both the customer and the TTS provider.

GDPR requirements for TTS providers

Requirement: What it means for TTS

Signed DPA (Article 28): Provider must offer a Data Processing Agreement before processing text containing personal data
Sub-processor disclosure: Provider must list all third parties that handle the data
Data residency options: Provider should offer EU-based processing to avoid Chapter V transfer complications
Retention and deletion: Provider must specify how long text and audio are kept, and delete on request
Purpose limitation: Text submitted for synthesis cannot be used for model training without separate consent
Breach notification: Provider must notify the controller within 72 hours of a data breach

Evaluating TTS providers for GDPR compliance

When selecting a provider for regulated deployments, verify:

  1. DPA availability: can you sign a DPA before sending any data?
  2. Processing location: does the provider offer EU data centers?
  3. Retention policy: is submitted text deleted immediately after synthesis?
  4. Training data usage: does the provider use customer text to train models?
  5. Sub-processor list: who else touches the data?

A provider that deletes all data immediately after synthesis and offers EU data residency presents the lowest compliance risk. See the EAA Voice Guide for a detailed provider evaluation framework.

Frequently Asked Questions

What is GDPR?

GDPR is the General Data Protection Regulation (EU 2016/679), the EU's comprehensive data protection law. It governs how organizations collect, process, store, and transfer personal data of EU residents. It applies regardless of where the organization is headquartered.

How does GDPR affect TTS providers?

Text submitted to a TTS API may contain personal data: names, addresses, medical information, financial details. Under GDPR, any provider processing this data must have a signed Data Processing Agreement (DPA), disclose sub-processors, and offer clear data retention and deletion policies.

What is a DPA under GDPR?

A DPA (Data Processing Agreement) is a legally binding contract required by GDPR Article 28. It defines what personal data is processed, how it is handled, where it is stored, and when it is deleted. TTS providers must offer a DPA to customers whose text content may contain personal data.

Does GDPR require EU data residency for TTS?

GDPR does not mandate EU-only processing, but transferring personal data outside the EU requires additional safeguards under Chapter V. The simplest compliance path for TTS providers is to offer EU-based processing regions so no cross-border data transfer is needed.

What are the penalties for GDPR non-compliance?

GDPR allows fines of up to 20 million EUR or 4% of annual worldwide turnover, whichever is higher. These penalties apply to both data controllers (the company using TTS) and data processors (the TTS provider) who fail to meet their obligations.