Dictation software and GDPR: what really matters
Cloud dictation sends confidential recordings to third-party servers. What that means for law firms and practices, professional secrecy, and when local is better.
In short
{"title":"Dictation software and GDPR: what really matters","description":"Cloud dictation sends confidential recordings to third-party servers. What that means for law firms and practices, what professional secrecy demands, and when local is better.","answer":"With cloud dictation the recording, and with it someone else's confidential secret, leaves your own machine unnoticed. For members of the professions bound by secrecy, two layers apply at once: data-protection law (the GDPR) and criminal-law duties of confidentiality. Cloud dictation is not forbidden, but it is a decision you own. Local dictation that never leaves the machine is the simplest way to avoid the risk.","keywords":["dictation software GDPR","cloud dictation data protection","speech recognition privacy","professional secrecy obligation","local dictation software","on-device speech recognition","dictation law firm GDPR","dictation medical practice privacy","data processing agreement dictation","health data Article 9 GDPR","confidential data third-party transfer","voice recording personal data"],"readingMinutes":8,"body":[{"type":"p","text":"A lawyer dictates a brief in a live case. A physician speaks a diagnosis into the microphone. A tax adviser sums up a client meeting. In all three cases the spoken words carry exactly what the law protects most carefully: someone else's confidential secret. And in many dictation apps that very secret leaves the machine unnoticed before a single word is on paper. This is no reason to panic. But it is a good reason to look closely, just once, at where your own voice actually goes."},{"type":"h2","text":"Where your voice really goes with cloud dictation"},{"type":"p","text":"The mechanics of cloud dictation are convenient, and therefore inconspicuous: you speak, the app records, it sends the recording to the provider's server, there it is turned into text, more and more often by an AI model, and the finished text comes back. It works on any device, with no setup and no thinking. That absence of thinking is precisely the point."},{"type":"p","text":"Because two things travel with the recording that you should keep in view. First, the content, that is, the entrusted secret itself. Second, the voice recording, which is already personal data in its own right. For a physician a third layer is added: the spoken diagnosis is health data and therefore falls under the special categories of Article 9 GDPR, that is, under the highest level of protection the regulation recognises."},{"type":"p","text":"The most invisible data flow is always the one you do not control. For a member of a profession bound by secrecy that is no academic nicety. It is the core question."},{"type":"h2","text":"Professional secrecy: the duty many forget"},{"type":"p","text":"Data protection is one layer. For lawyers, physicians, tax advisers, psychotherapists and other professions bound by confidentiality there is a second one that is older and sharper: the criminal-law duty of professional secrecy. In German law this is Section 203 of the Criminal Code, the breach of private secrets. Anyone who discloses an entrusted secret without authorisation commits a criminal offence, punishable by up to one year's imprisonment or a fine. A cloud provider that processes the recording gets to see this secret in technical terms. Equivalent professional-secrecy duties exist across most jurisdictions, even where the statutory wording differs."},{"type":"p","text":"And now against the panic: since the 2017 reform of this provision, bringing in external IT and cloud service providers is not automatically a criminal offence. The legislator recognised that a law firm or a medical practice can no longer work at all without outside IT. But third-party involvement is permitted only under conditions: the service provider must be bound to confidentiality, the involvement must be necessary for the work, and the selection must be made with due care. A tick-box waved away in the terms of a free app satisfies none of these three conditions."},{"type":"quote","text":"Data-protection law asks: am I even allowed to process this data? Professional-secrecy law asks in addition: is this third party even allowed to see this secret? Two questions, two answers, and both must come out yes."},{"type":"p","text":"This is a classification from auditing practice, not legal advice. For a specific case a specialist lawyer belongs at the table. But the review logic is the same in every law firm and every practice, and you do not need to be a lawyer to apply it."},{"type":"h2","text":"Cloud is not forbidden. But it is a decision."},{"type":"p","text":"None of this means cloud dictation is unlawful. With a clean data-processing agreement under Article 28 GDPR, with servers in the EU, a clear deletion rule and a provider who commits to confidentiality, cloud dictation can be permissible. The point is a different one: you are making a decision, and you carry it. It is not the provider whose name is on the letterhead at the end, it is yours."},{"type":"p","text":"The ground gets shaky the moment the data reaches a third country. Many services process or host in the United States or bring in sub-processors located there. Such a transfer needs its own legal basis, for instance an adequacy decision or standard contractual clauses, and this ground has shifted more than once in recent years. Anyone who rests their professional secret on a political arrangement that the next court case can strike down is building on sand."},{"type":"p","text":"And when the tool does not merely transcribe but summarises, structures or suggests wording, another layer appears: the EU AI Act requires transparency for certain AI-generated outputs (Article 50). These transparency obligations apply from 2 August 2026; for systems already on the market before that date, marking of their content has grace until 2 December 2026. For plain dictation this is rarely the sticking point, but it belongs on the list as soon as speech recognition turns into text production."},{"type":"h2","text":"The questions you should put to every provider"},{"type":"p","text":"You need be neither a lawyer nor a computer scientist to size up a dictation provider. You only need to ask the right questions and get the answers in writing. Whoever answers in writing has thought it through. Whoever dodges has already given you the answer."},{"type":"ul","items":["Where exactly is my recording processed and stored, in which country and on whose servers?","Is there a data-processing agreement under Article 28 GDPR, and who are the sub-processors?","Does the data leave the EU, and on what legal basis does that transfer rest?","Is my recording or my transcript reused to train models or improve the product?","When and how are the recording and transcript deleted, and can that be evidenced?","Does the provider commit contractually to confidentiality in the sense of professional-secrecy law?","Is there an option to process everything locally, with no server at all?"]},{"type":"p","text":"These seven questions are not a vote of no confidence. They are the minimum that anyone should be able to answer if you entrust other people's secrets to them day in, day out."},{"type":"h2","text":"The calmest path: what never leaves the machine"},{"type":"p","text":"There is a shortcut through this whole checklist, and it is astonishingly unspectacular: dictate locally. Modern speech recognition now runs entirely on an ordinary office computer, with no cloud, no account, and without a single syllable leaving the device. What never goes out I do not have to secure. Not by contract, not by a transfer basis, not against the next struck-down adequacy decision. The professional secret stays where it belongs."},{"type":"p","text":"Local has a price: you need a reasonably current machine, and a few cloud comfort features are missing. For most law firms, medical practices and tax offices that is a good trade. Data sovereignty against a little convenience. First sovereignty over the secret, then comfort."},{"type":"h2","text":"The honest closing line"},{"type":"p","text":"Cloud or local is not a matter of belief. It is a trade-off you should make consciously and, in case of doubt, be able to evidence. Convenience is a legitimate argument, but it is never the only one. Whoever manages someone else's secret should be able to say at any time where it currently sits. If the answer to that one question is a shrug, you have not yet understood your tool."},{"type":"sources","items":[{"label":"Section 203 of the German Criminal Code, breach of private secrets (gesetze-im-internet.de)","url":"https://www.gesetze-im-internet.de/stgb/__203.html"},{"label":"Regulation (EU) 2016/679 (GDPR), Art. 9 and Art. 28 (EUR-Lex)","url":"https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679"},{"label":"Regulation (EU) 2024/1689 (EU AI Act), Art. 50 transparency obligations (EUR-Lex)","url":"https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32024R1689"}]}],"faq":[{"q":"Is cloud dictation forbidden for lawyers and physicians?","a":"No, not as a matter of principle. With a data-processing agreement, servers in the EU, clear deletion rules and a contractual confidentiality obligation, cloud dictation can be permissible. But two layers apply at once: data-protection law and professional-secrecy duties. And responsibility for the decision stays with the firm or practice, not with the provider."},{"q":"What does professional secrecy have to do with dictation software?","a":"Professional-secrecy law protects the entrusted secrets of professions bound by confidentiality, such as lawyers, physicians and tax advisers. A cloud provider that processes the recording sees this secret. Since the 2017 reform in Germany, bringing in external IT service providers is not automatically a criminal offence, but only where the provider is bound to confidentiality, the involvement is necessary, and the selection is made with due care."},{"q":"Are voice recordings personal data?","a":"Yes. Both the spoken content and the voice itself are personal data. For physicians and psychotherapists there is the added point that the content is health data and therefore falls under the special categories of Article 9 GDPR, that is, the highest level of protection."},{"q":"What is the simplest way to avoid the data-protection risk?","a":"Dictate locally. If the speech recognition runs entirely on your own machine, no recording leaves the device. Then you need no third-country transfer, no transfer basis and no contract about data that never goes out."},{"q":"Is a data-processing agreement with the provider enough?","a":"The data-processing agreement under Article 28 GDPR is necessary, but for professions bound by secrecy it is not sufficient. In addition, the third-country transfer must be resolved and a confidentiality obligation in the sense of professional-secrecy law must be agreed. Data protection and professional secrecy are two separate reviews."}]}
Auf Deutsch lesen: deutsche Fassung
A lawyer dictates a brief in a live case. A physician speaks a diagnosis into the microphone. A tax adviser sums up a client meeting. In all three cases the spoken words carry exactly what the law protects most carefully: someone else's confidential secret. And in many dictation apps that very secret leaves the machine unnoticed before a single word is on paper. This is no reason to panic. But it is a good reason to look closely, just once, at where your own voice actually goes.
Where your voice really goes with cloud dictation
The mechanics of cloud dictation are convenient, and therefore inconspicuous: you speak, the app records, it sends the recording to the provider's server, there it is turned into text, more and more often by an AI model, and the finished text comes back. It works on any device, with no setup and no thinking. That absence of thinking is precisely the point.
Because two things travel with the recording that you should keep in view. First, the content, that is, the entrusted secret itself. Second, the voice recording, which is already personal data in its own right. For a physician a third layer is added: the spoken diagnosis is health data and therefore falls under the special categories of Article 9 GDPR, that is, under the highest level of protection the regulation recognises.
The most invisible data flow is always the one you do not control. For a member of a profession bound by secrecy that is no academic nicety. It is the core question.
Professional secrecy: the duty many forget
Data protection is one layer. For lawyers, physicians, tax advisers, psychotherapists and other professions bound by confidentiality there is a second one that is older and sharper: the criminal-law duty of professional secrecy. In German law this is Section 203 of the Criminal Code, the breach of private secrets. Anyone who discloses an entrusted secret without authorisation commits a criminal offence, punishable by up to one year's imprisonment or a fine. A cloud provider that processes the recording gets to see this secret in technical terms. Equivalent professional-secrecy duties exist across most jurisdictions, even where the statutory wording differs.
And now against the panic: since the 2017 reform of this provision, bringing in external IT and cloud service providers is not automatically a criminal offence. The legislator recognised that a law firm or a medical practice can no longer work at all without outside IT. But third-party involvement is permitted only under conditions: the service provider must be bound to confidentiality, the involvement must be necessary for the work, and the selection must be made with due care. A tick-box waved away in the terms of a free app satisfies none of these three conditions.
Data-protection law asks: am I even allowed to process this data? Professional-secrecy law asks in addition: is this third party even allowed to see this secret? Two questions, two answers, and both must come out yes.
This is a classification from auditing practice, not legal advice. For a specific case a specialist lawyer belongs at the table. But the review logic is the same in every law firm and every practice, and you do not need to be a lawyer to apply it.
Cloud is not forbidden. But it is a decision.
None of this means cloud dictation is unlawful. With a clean data-processing agreement under Article 28 GDPR, with servers in the EU, a clear deletion rule and a provider who commits to confidentiality, cloud dictation can be permissible. The point is a different one: you are making a decision, and you carry it. It is not the provider whose name is on the letterhead at the end, it is yours.
The ground gets shaky the moment the data reaches a third country. Many services process or host in the United States or bring in sub-processors located there. Such a transfer needs its own legal basis, for instance an adequacy decision or standard contractual clauses, and this ground has shifted more than once in recent years. Anyone who rests their professional secret on a political arrangement that the next court case can strike down is building on sand.
And when the tool does not merely transcribe but summarises, structures or suggests wording, another layer appears: the EU AI Act requires transparency for certain AI-generated outputs (Article 50). These transparency obligations apply from 2 August 2026; for systems already on the market before that date, marking of their content has grace until 2 December 2026. For plain dictation this is rarely the sticking point, but it belongs on the list as soon as speech recognition turns into text production.
The questions you should put to every provider
You need be neither a lawyer nor a computer scientist to size up a dictation provider. You only need to ask the right questions and get the answers in writing. Whoever answers in writing has thought it through. Whoever dodges has already given you the answer.
- Where exactly is my recording processed and stored, in which country and on whose servers?
- Is there a data-processing agreement under Article 28 GDPR, and who are the sub-processors?
- Does the data leave the EU, and on what legal basis does that transfer rest?
- Is my recording or my transcript reused to train models or improve the product?
- When and how are the recording and transcript deleted, and can that be evidenced?
- Does the provider commit contractually to confidentiality in the sense of professional-secrecy law?
- Is there an option to process everything locally, with no server at all?
These seven questions are not a vote of no confidence. They are the minimum that anyone should be able to answer if you entrust other people's secrets to them day in, day out.
The calmest path: what never leaves the machine
There is a shortcut through this whole checklist, and it is astonishingly unspectacular: dictate locally. Modern speech recognition now runs entirely on an ordinary office computer, with no cloud, no account, and without a single syllable leaving the device. What never goes out I do not have to secure. Not by contract, not by a transfer basis, not against the next struck-down adequacy decision. The professional secret stays where it belongs.
Local has a price: you need a reasonably current machine, and a few cloud comfort features are missing. For most law firms, medical practices and tax offices that is a good trade. Data sovereignty against a little convenience. First sovereignty over the secret, then comfort.
The honest closing line
Cloud or local is not a matter of belief. It is a trade-off you should make consciously and, in case of doubt, be able to evidence. Convenience is a legitimate argument, but it is never the only one. Whoever manages someone else's secret should be able to say at any time where it currently sits. If the answer to that one question is a shrug, you have not yet understood your tool.
Primary sources
Frequently asked questions
Is cloud dictation forbidden for lawyers and physicians?+
No, not as a matter of principle. With a data-processing agreement, servers in the EU, clear deletion rules and a contractual confidentiality obligation, cloud dictation can be permissible. But two layers apply at once: data-protection law and professional-secrecy duties. And responsibility for the decision stays with the firm or practice, not with the provider.
What does professional secrecy have to do with dictation software?+
Professional-secrecy law protects the entrusted secrets of professions bound by confidentiality, such as lawyers, physicians and tax advisers. A cloud provider that processes the recording sees this secret. Since the 2017 reform in Germany, bringing in external IT service providers is not automatically a criminal offence, but only where the provider is bound to confidentiality, the involvement is necessary, and the selection is made with due care.
Are voice recordings personal data?+
Yes. Both the spoken content and the voice itself are personal data. For physicians and psychotherapists there is the added point that the content is health data and therefore falls under the special categories of Article 9 GDPR, that is, the highest level of protection.
What is the simplest way to avoid the data-protection risk?+
Dictate locally. If the speech recognition runs entirely on your own machine, no recording leaves the device. Then you need no third-country transfer, no transfer basis and no contract about data that never goes out.
Is a data-processing agreement with the provider enough?+
The data-processing agreement under Article 28 GDPR is necessary, but for professions bound by secrecy it is not sufficient. In addition, the third-country transfer must be resolved and a confidentiality obligation in the sense of professional-secrecy law must be agreed. Data protection and professional secrecy are two separate reviews.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer · ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB)
Last updated: 16 July 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Sources & further reading
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.