GDPR Redaction Requirements: What You Must Know in 2025
A complete guide to when and how to redact personal data under GDPR—and the consequences of getting it wrong.
Since GDPR came into force in 2018, European regulators have issued over €5.88 billion in fines. Many of these penalties stem from improper handling of personal data—including failures in redaction.
Whether you're responding to a data subject access request (DSAR), preparing documents for legal proceedings, or sharing files with third parties, understanding GDPR redaction requirements is essential.
This guide covers everything you need to know: when redaction is required, what personal data must be protected, how to redact properly, and what happens if you don't.
What is Redaction Under GDPR?
Redaction is the permanent removal or obscuring of personal data from documents. Under GDPR, it serves two primary purposes:
- Protecting third-party privacy when disclosing documents (e.g., in DSARs or legal discovery)
- De-identifying data when personal information is no longer needed but documents must be retained
Proper redaction permanently removes data from the document structure. It's not the same as simply drawing black boxes over text, which can often be reversed.
When is Redaction Required Under GDPR?
GDPR doesn't explicitly use the word "redaction," but several articles create clear redaction obligations:
1. Data Subject Access Requests (Article 15)
When individuals exercise their right to access their personal data, you must provide it within one month. However, you cannot disclose personal data about other individuals in the process.
Article 15(4) states that the right to obtain a copy "shall not adversely affect the rights and freedoms of others." This means you must redact:
- Names and identifying information of other individuals
- Personal opinions expressed by others (e.g., in performance reviews)
- Third-party contact information
- Any data that could identify someone other than the requester
2. Data Minimisation (Article 5(1)(c))
Personal data must be "adequate, relevant and limited to what is necessary." When sharing documents for any purpose, you should redact personal data not relevant to that purpose.
3. Storage Limitation (Article 5(1)(e))
Personal data should not be kept longer than necessary. Where documents must be retained but personal data is no longer needed, redaction provides a compliant alternative to deletion.
4. Security (Article 32)
You must implement appropriate technical measures to protect personal data. Redacting documents before external sharing is a key security measure.
What Personal Data Must Be Redacted?
Under GDPR, "personal data" means any information relating to an identified or identifiable natural person. This includes:
| Category | Examples |
|---|---|
| Direct identifiers | Names, photos, signatures |
| Contact information | Addresses, phone numbers, email addresses |
| ID numbers | National ID, passport, driving licence, tax numbers |
| Financial data | Bank accounts, credit card numbers, salary information |
| Online identifiers | IP addresses, cookie IDs, device identifiers |
| Location data | GPS coordinates, travel history |
Special Category Data (Extra Protection Required)
Article 9 data requires additional protection and should almost always be redacted when sharing documents:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
Redaction in DSARs: A Practical Guide
Data Subject Access Requests are where most redaction occurs. Here's how to handle them properly:
Step 1: Identify All Responsive Documents
Search all systems where the individual's data may exist: email, HR systems, CRM, file shares, etc.
Step 2: Review for Third-Party Data
Examine each document for personal data about other individuals. Common examples:
- Email chains with multiple participants
- Meeting notes mentioning other employees
- Documents with multiple signatories
- Forms with witness information
Step 3: Apply Proper Redaction
Use a redaction tool that permanently removes data. Do not simply draw black boxes in Word or a basic PDF editor.
Step 4: Verify Redaction
Check that redacted data cannot be recovered by:
- Selecting and copying the redacted area to see whether any text comes through
- Searching the document for the redacted terms
- Checking document metadata (author, comments, revision history)
- Opening the file in a text editor to inspect the raw content
Step 5: Document Your Process
Maintain records of what was redacted and why. This demonstrates compliance if challenged.
Common Redaction Mistakes (And How to Avoid Them)
Mistake 1: Using Black Boxes Instead of True Redaction
Drawing rectangles over text in Word, PowerPoint, or basic PDF tools leaves the underlying text intact. Anyone can copy the text, use Find & Replace, or open the file in another program to reveal it.
Solution: Use dedicated redaction software that removes text from the document structure entirely.
Mistake 2: Forgetting About Metadata
Documents contain hidden metadata: author names, revision history, comments, and more. Even with visible text redacted, metadata can expose personal information.
Solution: Use tools that scrub metadata as part of the redaction process.
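As an added illustration of the checks in Step 4 and of Mistakes 1 and 2 (example code written for this article, not SafeRedact's or any other tool's code): the script builds a constructed PDF in which a name was "redacted" by drawing a black rectangle over it, then checks, using only the standard library, whether the name can still be found in the inflated page content stream or in the document's /Info metadata. All function names and sample values are assumptions made for the example.

```python
import re
import zlib

# Constructed sample (not a real document): a minimal PDF in which a name was "redacted" by drawing a
# black rectangle over it, so the text survives in the compressed page stream and the author survives in /Info.
def build_fake_redacted_pdf(name: bytes, author: bytes) -> bytes:
    content = b"BT /F1 12 Tf 72 700 Td (" + name + b") Tj ET\n0 g 70 695 120 14 re f\n"
    stream = zlib.compress(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Author (" + author + b") /Producer (constructed sample) >>",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"  # xref table omitted: we only scan bytes

def decoded_streams(pdf: bytes) -> list:
    """Inflate every stream object so text hidden under drawn shapes becomes searchable."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\nendstream", pdf, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            out.append(m.group(1))  # not Flate-compressed: scan the raw stream bytes
    return out

def info_dictionary(pdf: bytes) -> bytes:
    """Return the /Info (document information) dictionary, or b'' if there is none."""
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", pdf)
    obj = ref and re.search(rb"(?<!\d)" + ref.group(1) + rb" 0 obj\s*(<<.*?>>)", pdf, re.S)
    return obj.group(1) if obj else b""

def find_residual_terms(pdf: bytes, terms) -> dict:
    """Map each term that should have been redacted to the places where it still appears."""
    streams, info, findings = decoded_streams(pdf), info_dictionary(pdf), {}
    for term in terms:
        where = [place for place, hit in [("page content stream", any(term in s for s in streams)),
                                          ("metadata (/Info)", term in info)] if hit]
        if where:
            findings[term.decode()] = where
    return findings

def has_text_under_fill(pdf: bytes) -> bool:
    """Black-box heuristic: a stream that both shows text (Tj/TJ) and fills a rectangle (re f)."""
    return any(re.search(rb"\bT[jJ]\b", s) and re.search(rb"\bre\s+f\b", s) for s in decoded_streams(pdf))
```

A properly redacted file yields an empty result from find_residual_terms and False from has_text_under_fill; real documents also carry XMP metadata, annotations and bookmarks, which a production check must cover as well.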
Mistake 3: Inconsistent Redaction
For example, redacting "John Smith" on page 1 but leaving it visible on page 47, or redacting a name in the body but leaving it in headers, footers, or file names.
Solution: Use AI-powered tools that detect all instances of personal data throughout a document.
Mistake 4: Over-Redaction
Redacting so much that the document becomes meaningless, or redacting the requester's own data in a DSAR response.
Solution: Only redact third-party personal data. The data subject is entitled to their own information.
Penalties for Getting It Wrong
GDPR violations can result in significant penalties:
- Up to €20 million, or
- 4% of annual global turnover (whichever is higher)
Recent enforcement actions demonstrate regulators' focus on data protection failures:
- €1.2 billion — Meta (2023) for illegal data transfers
- €310 million — LinkedIn (2024) for misuse of user data
- €251 million — Meta (2024) for a data breach affecting 29 million accounts
- €30.5 million — Clearview AI (2024) for an illegal facial recognition database
While these are extreme examples involving large companies, smaller organisations face penalties too. The Dutch DPA has even explored holding directors personally liable for compliance failures.
GDPR Redaction Checklist
Before sharing any document containing personal data, verify:
- ☐ All third-party names and identifiers are redacted
- ☐ Special category data is redacted unless specifically required
- ☐ Redaction is permanent (not just black boxes)
- ☐ Metadata has been scrubbed
- ☐ Headers, footers, and file names are checked
- ☐ Embedded images are reviewed for personal data
- ☐ The redacted document cannot be reversed
- ☐ Records document what was redacted and why
How SafeRedact Helps with GDPR Compliance
Manual redaction is time-consuming and error-prone. AI-powered redaction tools like SafeRedact help by:
- Automatically detecting personal data — Names, addresses, ID numbers, and other PII are identified throughout documents
- Ensuring permanent redaction — Data is removed from the document structure, not just covered
- Scrubbing metadata — Hidden information is removed automatically
- Processing at scale — Handle DSARs efficiently within the one-month deadline
- Creating audit trails — Document what was redacted for compliance records