Skip to main content
All articles
Compliance
8 min read

GDPR and Document Metadata: What Compliance Teams Miss

Under GDPR, metadata containing personal data is subject to the same rules as document content. Author names, GPS coordinates, and device IDs all count.

Metadata is personal data under GDPR

The General Data Protection Regulation defines personal data broadly. Article 4(1) states that personal data means "any information relating to an identified or identifiable natural person." This definition does not distinguish between data that is visible in a document and data that is embedded in its metadata.

An author name in a Word document's properties panel is personal data. A GPS coordinate in a photo's EXIF header is personal data. A device serial number that can be linked to a specific individual is personal data. A "Last Modified By" field showing an employee's name is personal data.

If your organization shares documents externally and those documents contain metadata with personal data, you are transferring personal data — whether you intended to or not.

Which metadata fields trigger GDPR

Author and contributor names

The "Author," "Last Modified By," and "Manager" fields in Microsoft Office documents contain the names of individuals. These are straightforwardly personal data. When you email a contract to a client, the Author field transmits an employee's name as part of the file.

If the employee has not been informed that their name is being shared in document metadata (as required by Articles 13-14), and if there is no lawful basis for sharing their name with the recipient, this transfer may violate GDPR.

GPS coordinates

Photos embedded in documents or shared as standalone files may contain GPS coordinates in their EXIF metadata. GPS data, especially when combined with timestamps, can identify an individual's location at a specific time. The Article 29 Working Party (now the European Data Protection Board) has confirmed that location data is personal data when it relates to an identifiable individual.

For organizations operating in the EU, sharing employee photos that contain GPS data — even internally — constitutes processing of personal location data.

Device identifiers

Camera serial numbers, computer hostnames, and printer identifiers embedded in document and image metadata can serve as unique identifiers. Under GDPR, unique identifiers that can be linked to a natural person are personal data (Recital 30). A camera serial number in EXIF data may be linkable to the camera's owner through purchase records, insurance documentation, or other photos taken with the same device.

Email addresses and usernames

Some document formats embed the email address of the creator or modifier in metadata fields. PDF files may contain the email address in the Author field if the PDF software is configured with the user's email. OOXML documents may contain the user's Windows login name, which in many enterprise environments is the employee's email prefix.

The data minimization principle

Article 5(1)(c) of GDPR establishes the data minimization principle: personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

When you share a contract with a counterparty, the purpose is to communicate the contractual terms. The author's name, the last modifier's name, the GPS coordinates of the office where it was drafted, and the camera serial number of the phone used to take an embedded photo are not necessary for that purpose.

Metadata that contains personal data but serves no purpose in the document's intended use is, by definition, not minimized. A compliance team that focuses only on the visible content of documents and ignores metadata is failing to apply data minimization to a significant category of personal data.

What regulators have said

UK ICO guidance

The UK Information Commissioner's Office has published specific guidance noting that document metadata can contain personal data and that organizations should consider metadata when conducting data protection impact assessments. The ICO's guidance on data sharing explicitly mentions metadata as a risk factor.

German DPAs

Several German Data Protection Authorities have addressed metadata in enforcement actions. In one case, a public authority was found to have inadequately anonymized documents because metadata fields still contained the names of the individuals involved. The documents had been redacted at the content level but not at the metadata level.

EDPB guidelines

The European Data Protection Board's guidelines on data protection by design and by default (Guidelines 4/2019) emphasize that data minimization applies to all processing operations, including those that are automated or incidental. Metadata embedded automatically by software falls within this scope.

What a metadata audit looks like

A GDPR-compliant metadata audit follows these steps:

1. Inventory your document flows

Identify every category of document that leaves your organization: contracts, proposals, reports, invoices, marketing materials, photos, presentations. For each category, identify the file formats used and the metadata fields those formats support.

2. Sample and scan

Take a representative sample of documents from each category and scan them for metadata. Look specifically for:

  • Author and contributor names
  • Company and organization names
  • File system paths (which may reveal internal directory structures)
  • GPS coordinates in embedded images
  • Device identifiers
  • Email addresses and usernames
  • Timestamps (which may reveal work patterns)

3. Assess necessity

For each metadata field found, apply the data minimization test: is this personal data necessary for the purpose of sharing this document? In most cases, the answer is no. The recipient of a contract does not need to know which employee last modified it. The recipient of a report does not need GPS coordinates from embedded photos.

4. Implement systematic removal

Manual metadata removal does not scale and is error-prone. Compliance-grade metadata handling requires automated scanning and removal integrated into document workflows — either as a step in the document management process or as a final check before external sharing.

5. Verify and document

GDPR's accountability principle (Article 5(2)) requires that you can demonstrate compliance. This means verifying that metadata has been removed (not just asserting it) and maintaining records of the process. A scan-clean-verify workflow that produces a report for each document satisfies both requirements.

Practical steps for compliance teams

  1. Add metadata to your DPIA template. When assessing a new processing activity that involves document sharing, include metadata as a data category.

  2. Update your data processing records. Article 30 records should reflect that document metadata is a category of personal data your organization processes.

  3. Include metadata in staff training. Most employees are unaware that documents contain metadata. Training should cover what metadata is, why it matters under GDPR, and what the organizational process is for removing it.

  4. Implement automated cleaning. Relying on individual employees to manually check and clean metadata is a control that will fail. Automate metadata removal as part of the document sharing workflow.

  5. Audit periodically. Sample outgoing documents quarterly to verify that metadata removal is working as intended.

Purgit scans documents for personal data in metadata fields — author names, GPS coordinates, device identifiers — and removes it systematically. Each cleaned file comes with a verification report for your compliance records.

[Scan a File Free]

Scan before you share.

Try Purgit free — no account required.

Scan a File Free