Voice Dictation and GDPR: Where Does Your Voice Go?

Q: Are servers in Europe enough to stay beyond the reach of US authorities?

No. The US Cloud Act lets US authorities compel a provider subject to US law to hand over the data it controls, wherever it is stored, including in a datacenter located in the European Union. What matters is therefore not only where the servers are, but which jurisdiction the company operating them is subject to.

Q: Where does Fast Dictate process my data?

Zero data retention on every plan: your audio is transcribed and then immediately deleted, and is never reused to train models. The Pro plan processes your data exclusively in France on ISO 27001-certified servers, outside the scope of the US Cloud Act, with an advanced GDPR data processing agreement. The Free and Standard plans run on fast international infrastructure.

When you dictate an email, a report or a legal brief, you are speaking aloud information that is often confidential: names, amounts, details of a case. The question is not only "is the transcription accurate?", but "where does my voice go, and who can access it?". That is exactly what GDPR governs. This guide explains what the regulation actually requires of a voice dictation tool, why server location is not enough, and how to recognise a compliant, sovereign solution.

Your voice is personal data

First point, often misunderstood: a voice recording is personal data under the GDPR as soon as it makes a person identifiable, directly or indirectly. The voice itself, a name spoken aloud, a client number mentioned out loud: all of it falls under the regulation. GDPR therefore applies to voice dictation the moment a human speaks.

Does that make it "sensitive" data? Not automatically, and the nuance matters. According to the CNIL, the French data protection authority, a voice only becomes biometric data (a sensitive category, covered by Article 9 of the GDPR) when a system uses it to recognise or authenticate a speaker based on their vocal characteristics. A dictation tool does not do this: it turns speech into text, it does not identify anyone by their voice. The practical consequence:

The audio is personal data, but not biometric data, because there is no voice identification.
The dictated content, on the other hand, can be anything but trivial: a medical file mentioned, banking details, a client's name and the nature of their dispute. That is where the real risk sits.

In other words, the danger is not that the tone of your voice could identify you; it is that what you dictate ends up stored, reused, or accessible to a third party. Hence the importance of knowing exactly what the tool does with your audio.

What GDPR actually requires of a voice dictation tool

GDPR is not just a consent banner. For a service that transcribes your voice, six obligations really matter:

A clear purpose and legal basis. Your data is used only to produce your transcription, nothing else.
Data minimisation. The tool should process only what is strictly necessary. The CNIL, in its white paper on voice assistants, even recommends sending to the servers only the data that is indispensable.
Storage limitation. GDPR forbids keeping data longer than necessary. For dictation, the best option is simple: zero retention, the audio is deleted as soon as it is transcribed.
No reuse. Your voice and your text must not be used to train AI models without your consent.
A governed processor. The vendor must offer you a data processing agreement (DPA, Article 28 of the GDPR) that lists its sub-processors and their safeguards.
Security and controlled transfers. Encryption, serious technical measures, and above all a strict framework if data leaves the European Union (Articles 44 and following).

These criteria are verifiable. A serious vendor answers each one in writing. It is precisely the last point, transfers outside the EU, that most often falls short, and it is the most misunderstood.

The real issue is not the server, it is the jurisdiction

Most consumer voice dictation tools are published by US companies, and your audio passes through servers governed by US law. Many highlight datacenters located in Europe to reassure you. That is not enough, and here is why.

The Cloud Act, a 2018 US law, lets the United States authorities compel a provider subject to US law to hand over the data it controls, wherever it is stored, including in a datacenter located in the European Union. As long as a company is American or controlled by a US parent company, it stays within the scope of the Cloud Act. Server location changes nothing: what matters is the legal nationality of the company that operates them.

This is not a theoretical scenario. In June 2025, testifying before the French Senate, the legal director of Microsoft France acknowledged, under oath, that he could not guarantee that the data of French citizens hosted by the company would never be handed over to US authorities without France's consent. A major player, with datacenters in Europe, admits the limit itself. For professions bound by confidentiality, that is a signal beyond debate.

Key takeaway

"Data hosted in Europe" and "data beyond the reach of foreign authorities" are not the same thing. A tool can host in Europe and still be subject to the Cloud Act if its vendor depends on US law.

What about the Data Privacy Framework?

To transfer personal data to the United States legally, US tools generally rely on the Data Privacy Framework (DPF), an adequacy decision adopted by the European Commission on 10 July 2023. A US company self-certifies, and can then receive data from the EU with no further formality. On paper, the transfer is therefore legal.

Two caveats, however, that every professional should know:

This framework is legally fragile. It is the third of its kind. The two previous ones, Safe Harbor and then the Privacy Shield, were struck down by the Court of Justice of the European Union (the Schrems I ruling in 2015 and Schrems II in 2020), on the grounds that US surveillance did not sufficiently protect Europeans. The DPF survived a first challenge (dismissed by the EU General Court in September 2025), but that decision is under appeal before the CJEU since late October 2025. Building your confidentiality on a framework already invalidated twice is a gamble.
The DPF does not neutralise the Cloud Act. These are two separate matters: the DPF makes the commercial transfer legal; the Cloud Act concerns access by US authorities. A tool can be perfectly DPF-certified and still be compelled by a US order. The compliance of the transfer does not protect you from the access.

The only way to rule out this risk is not to better regulate the transfer to the United States: it is to not depend on US law at all.

Professions bound by confidentiality: lawyers, notaries, accountants

For a lawyer, a notary or a chartered accountant, GDPR comes with an even stricter obligation: professional secrecy. Dictating a client's name and the nature of their case into a tool that could be compelled to disclose that data means exposing information covered by professional privilege.

The French National Bar Council (CNB) made this clear in its ethics guide on artificial intelligence: the use of AI tools can never justify lifting professional secrecy, and you must never entrust data covered by it to a consumer generative AI. The guide also stresses that solutions hosted in the European Union, which do not reuse queries to train their models, present a markedly lower risk profile than consumer tools.

That is exactly the test to apply to a dictation tool: processing in the EU, zero retention, no reuse, and a vendor that is not subject to extraterritorial legislation. We go into this in detail for law firms in our dedicated guide on voice dictation for lawyers.

5 questions to ask before choosing a voice dictation tool

A simple way to decide: ask any vendor these five questions. The answers should be clear and in writing.

Do you keep my audio and my transcriptions? The right answer is: no, immediate deletion after transcription.
Is my data used to train your models? The right answer is: no.
Where is my data processed, and by which company? Look for processing in the EU by a European company, not just a "datacenter in Europe".
Are you subject to the Cloud Act or another extraterritorial law? A European vendor not owned by a US parent company can answer no.
Do you offer a DPA compliant with Article 28 of the GDPR? Essential for professional use.

The strictest option: 100% local

Let's be honest: if you want the absolute guarantee that your voice never leaves your computer, the most protective solution is not the cloud, it is 100% local processing. Nothing goes online: neither GDPR nor the Cloud Act is even in play, since no data is sent to a third party. Open source tools like Handy (free, open source licensed, for Windows, macOS and Linux) run the transcription directly on your machine, with nothing sent to a server.

The trade-off is real, and we cover it in our comparison local vs cloud voice dictation: 100% local most often comes down to a raw transcript, without AI cleanup or formatting, and it demands a fairly powerful machine. For many professionals, the challenge is therefore to regain the comfort of the cloud, clean text, in any application and on any computer, without giving up sovereignty. That is exactly what Fast Dictate aims for.

The Fast Dictate approach

Fast Dictate is a European alternative built to answer these questions head-on:

Zero data retention on every plan. Your audio is transcribed and then immediately deleted, and is never reused to train models.
Pro plan: processing exclusively in France, on ISO/IEC 27001-certified servers, outside the scope of the US Cloud Act, with an advanced GDPR DPA. Designed for lawyers, notaries and anyone handling confidential files.
Free and Standard plans: fast international infrastructure, still with zero data retention.
Works everywhere: Word, Gmail, Notion, your browser, any text field, with a single shortcut on Windows and Mac.
Free plan: 2,000 words per week, no credit card.

Privacy should not be a paid option that nobody explains.

On every plan, nothing is kept. And when the work is confidential, the Pro plan keeps your data in France, under European law alone. You keep the speed of the cloud without giving up sovereignty. See the details on our Security page and our pricing.

Frequently asked questions

Is voice dictation GDPR compliant?

It can be. A voice recording is personal data, so GDPR applies. A compliant tool rests on a clear purpose, data minimisation, limited storage (ideally zero retention), a processor governed by a DPA, security measures, and a strict framework for transfers outside the EU. Compliance depends on the vendor, not on the technology itself.

Is the voice sensitive data under GDPR?

A voice recording is always personal data. It only becomes sensitive (biometric) when it is used to recognise or authenticate a person from their voice. A dictation tool simply transcribes: it does no biometric identification. The dictated content, however, can be highly confidential.

Are servers in Europe enough to stay beyond the reach of US authorities?

No. The Cloud Act lets US authorities compel a provider subject to US law to hand over the data it controls, wherever it is stored, including in a datacenter in the EU. What matters is not only where the servers are, but which jurisdiction the company operating them is subject to.

Where does Fast Dictate process my data?

Zero data retention on every plan: the audio is transcribed and then immediately deleted, never reused for training. The Pro plan processes your data exclusively in France on ISO 27001 servers, outside the scope of the Cloud Act, with an advanced GDPR DPA. The Free and Standard plans run on fast international infrastructure.

Voice dictation and GDPR: where does your voice go?