GDPR and Video Files: What European Businesses Need to Know

April 2026 · 9 min read · Compliance

Video files that contain identifiable people are personal data under GDPR. That is not a technicality — it is Article 4 of the regulation, which defines personal data as "any information relating to an identified or identifiable natural person." A video of a person's face, voice, or distinctive movement is personal data. This means any processing of such footage — including trimming, editing, or sharing — must comply with EU data protection law. And uploading that footage to an online video editor triggers a chain of compliance obligations that most businesses are not prepared for.

Uploading video to a cloud editor = data transfer to a processor

Under GDPR, when you hand your data to a third-party service to process on your behalf, that service becomes a data processor. Article 28 of GDPR requires that you have a written Data Processing Agreement (DPA) with every processor you use. The DPA must specify what data is processed, for what purposes, with what security measures, and with what obligations around sub-processors, breach notification, and data deletion.

Most consumer online video editors — Clideo, Kapwing, VEED, and their peers — do not offer DPAs. They are consumer products, not enterprise services designed for GDPR compliance. When you upload a video of a client, employee, or patient to one of these services, you are transferring personal data to an unapproved processor without the required contractual framework. That is a GDPR violation, irrespective of what happens to the footage afterward.

Which categories of business video are affected

The scope is broader than most people realize:

Employee recordings: Job interviews, performance reviews, training sessions, disciplinary hearings, remote work monitoring — all contain personal data of employees.
Customer recordings: Customer service video calls, onboarding recordings, product demos with clients present.
Patient recordings: Healthcare providers' video consultations, therapy sessions, physical assessments — these may also qualify as special category data under Article 9 (health data).
CCTV and access control footage: Any footage that captures identifiable individuals in a workplace or commercial premises.
Event recordings: Conferences, training events, or team meetings where individuals are captured on video.

The key test is whether individuals in the footage are identifiable — directly (face visible) or indirectly (distinctive features, context, voice). If yes, the footage is personal data.

Special category data: the higher bar

GDPR Article 9 identifies special categories of personal data that receive heightened protection: health data, biometric data, data revealing racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and more. Video footage can easily fall into multiple special categories simultaneously.

A video of a patient in a medical setting is health data. A video using facial recognition or gait analysis to identify individuals is biometric data. A recording of a trade union meeting contains data about trade union membership. Processing special category data requires not just a lawful basis under Article 6 but also a specific exemption under Article 9(2) — a higher standard that is difficult to meet for casual cloud processing.

Data transfers outside the EU

Many online video editors use cloud infrastructure in the United States (AWS, Google Cloud, Azure). Under GDPR, transferring personal data outside the EU/EEA requires additional legal mechanisms: either an adequacy decision for the destination country, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other approved safeguards.

The EU-US Data Privacy Framework (replacing Privacy Shield 2.0) provides some basis for transfers to certified US companies. But consumer video editors are rarely DPF certified, and even if they were, the underlying transfer mechanism requires verification. "We use SSL" is not a GDPR-compliant basis for international data transfer.

Retention and deletion obligations

GDPR Article 5(1)(e) requires that personal data is kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed. This is the storage limitation principle.

When you upload video to a cloud editor, you lose direct control over the retention of that footage. The service's retention policy governs how long your file is stored — and that policy may not align with your GDPR obligations. If the service claims to delete files after 24 hours but retains backups for 30 days, your footage remains on their infrastructure for 30 days, not 24 hours.

Client-side processing eliminates the retention problem entirely. If the video is never uploaded, there is nothing to retain and nothing to delete.

Data subject rights and video footage

GDPR grants data subjects a range of rights: access, rectification, erasure (the "right to be forgotten"), restriction of processing, portability, and objection. If you upload a client's or employee's footage to a cloud video editor, you must be able to respond to their data subject access request by accounting for all copies of their data — including any copies held by your processors.

If your processor has no DPA with you, you have no contractual basis to demand they provide or delete data on your behalf. The DSAR response chain breaks down at the point of the unapproved processor.

The simple solution: process video locally

If video is processed entirely on the device where it originates — using a client-side tool like TrimPrivate — then no data transfer to a processor occurs. There is no processor relationship to manage, no DPA to negotiate, no international transfer to justify, and no third-party retention to track. The GDPR compliance profile of local processing is dramatically simpler than cloud processing.

This is not a workaround — it is the architecturally correct solution. GDPR's principle of data minimisation (Article 5(1)(c)) requires that personal data processing be adequate, relevant, and limited to what is necessary. Uploading video to an external service when local processing is available is not data minimisation — it is creating unnecessary data exposure.

What to do if you currently use cloud video editors

Audit which video footage you process. Identify all footage containing identifiable individuals.
Review your current tools. Check whether your cloud video editor offers a DPA. If not, it is an unapproved processor.
Assess the risk. High-risk footage (health data, employee data, customer data) should be prioritised for migration to local processing tools.
Switch to client-side tools for sensitive footage. TrimPrivate handles trimming entirely in the browser. No upload, no processor relationship, no GDPR exposure.
Document your processing activities. Your GDPR records of processing activities (Article 30) should reflect any changes you make.

FAQ

Does GDPR apply to video of my own employees?
Yes. Employee data is personal data under GDPR. The employment relationship provides a lawful basis for collecting and processing employee footage in appropriate contexts, but does not grant unlimited rights to share that footage with third-party processors without a DPA.

What if the video editor is in the EU?
A cloud video editor hosted in the EU still requires a DPA if it processes personal data on your behalf. Being EU-based affects the international transfer question but does not eliminate the processor relationship obligations.

Is TrimPrivate GDPR compliant?
TrimPrivate processes no personal video data — your footage never reaches our servers. We collect only anonymised usage data (hashed IPs for rate limiting). This makes TrimPrivate compliant by design for video processing. Consult your DPO for advice specific to your organisation's circumstances.

GDPR-safe video trimming — by design, not by policy

Your footage never leaves your browser · No data transfer · No processor relationship

Try TrimPrivate Free →