GDPR-compliant · Servers in Germany
Guide · Privacy

GDPR-compliant user testing: the guide

A user test records the voice, screen and behaviour of real people — legally, that is not a footnote but the core issue. Here are the five duties that matter, with a checklist and primary sources.

Test it Baby editorial team Published July 7, 2026 Reading time approx. 8 minutes All sources ↓

Note: this article explains the fundamentals carefully and with primary sources, but does not replace legal advice. For individual cases — especially involving sensitive data or your own contracts — involve a data protection professional.

Why privacy in user testing is not fine print

A think-aloud test inevitably produces personal data within the meaning of Art. 4(1) GDPR: the tester's voice, often their face, their screen including everything visible on it, and their behaviour. How seriously supervisory authorities treat data flows is shown by the biggest case to date: in 2023, the Irish Data Protection Commission — following a binding decision by the European Data Protection Board — imposed a record fine of €1.2 billion on Meta for unlawful data transfers to the US (violation of Art. 46(1) GDPR).

€1.2 billion — the largest GDPR fine in history — was issued in 2023 not for a hack, but for data transfers to the US without a valid basis.Irish Data Protection Commission (DPC) following an EDPB decision, May 2023

For small and mid-sized companies, the maximum fine (Art. 83(5): up to €20M or 4% of global turnover) is rarely the realistic scenario — complaints by individual testers, warning letters and loss of trust very much are. The good news: GDPR-compliant testing is not rocket science. It is five duties.

Duty 1: obtain consent — before the recording, not after

The legal basis for recordings is practically always informed consent (Art. 6(1)(a) GDPR). Under Art. 7 and the EDPB Guidelines 05/2020, it must be freely given, specific, informed and unambiguous — and demonstrable. Concretely: before starting, the tester learns what is recorded (screen? voice? camera?), for what purpose, how long it is stored and who has access. A checkbox buried in terms is not enough. The clean solution is a recording that technically cannot start until consent has been given — which is exactly how Test it Baby enforces it for every single test.

Duty 2: data minimisation — record only what the test needs

The principle of data minimisation (Art. 5(1)(c) GDPR) translates into three simple questions for user testing: Does the test really need the camera, or are screen + voice enough? Must testers enter real personal data, or can you provide test data? And: is the recording limited to the test task rather than the whole session? Tidying up beforehand reduces both risk and editing work.

Duty 3: regulate processing on your behalf (Art. 28)

As soon as a tool stores or analyses recordings for you, its operator is your processor — and Art. 28 GDPR requires a data processing agreement (DPA) with clear rules on purpose, duration, sub-processors and technical safeguards. Checklist for tool selection: Is there a DPA? Where are the servers? Which sub-processors are listed — and are they located in third countries?

Duty 4: avoid or secure third-country transfers (Chapter V)

This is the biggest pitfall, because many testing tools come from the US: every transfer of personal data to a third country needs a basis under Chapter V GDPR. The Meta case shows how expensive it gets when that basis is missing — and the current mechanism for US transfers (the EU-US Data Privacy Framework) has been under constant legal attack for years, just like “Safe Harbor” and “Privacy Shield” before it, both of which the European Court of Justice struck down. Avoiding transfers altogether — processing exclusively in Germany or the EU, including transcription and AI analysis — makes you independent of that ongoing battle. Our comparison shows how German and US providers differ here.

Duty 5: deletion concept and data subject rights

Testers remain in control of their data: they can request access (Art. 15), withdraw consent (Art. 7(3)) and demand deletion (Art. 17). Practically, you need three things: a fixed, communicated retention period, a defined deletion process (including at your tool provider!), and a contact address named in the consent text.

The checklist for your next test

Before the testConsent text written (what, why, how long, who)? Recording technically impossible before consent? Test data prepared instead of real customer data?
At the tool levelDPA signed? Server location and sub-processors checked? Transcription/AI analysis also EU-based?
After the testRetention period noted and deletion scheduled? Process for withdrawal/access requests defined? Access to recordings limited to the people who need it?

We built Test it Baby from the ground up so this list stays short: consent is technically enforced before every recording, all data — including transcription and AI summary — is processed on servers in Germany, and testers without an account participate via expiring invitation links. Details on the book testers page and in the comparison with US tools.

Frequently asked questions

Are screen recordings from user tests personal data?
As a rule, yes. Voice, face, behavioural patterns and everything testers type or show during a recording can make a person identifiable — which triggers Art. 4(1) GDPR. Processing requires a legal basis, in practice almost always informed consent under Art. 6(1)(a) GDPR.
When must tester consent be obtained?
Before the recording starts — not afterwards. Consent must be informed, freely given, specific and demonstrable (Art. 7 GDPR, specified by EDPB Guidelines 05/2020) and can be withdrawn at any time. A blanket terms-and-conditions checkbox is not enough; the clean solution is a dedicated consent step that technically unlocks the recording.
May I use US testing tools?
Only with a valid transfer basis under Chapter V GDPR — and you carry the risk: the €1.2 billion fine against Meta (2023) was issued precisely for unlawful US data transfers. Legal bases such as the EU-US Data Privacy Framework are also regularly challenged in court. The simplest path is choosing tools that process data exclusively in the EU or in Germany.
How long may I keep test recordings?
As long as the purpose stated when obtaining consent requires — after that, the deletion obligation applies (Art. 17 GDPR). A fixed, communicated retention period (e.g. 12 months) plus a process for testers' access and deletion requests (Art. 15, 17 GDPR) is the practical solution.
What penalties apply for violations?
Up to €20 million or 4% of global annual turnover, whichever is higher (Art. 83(5) GDPR). For smaller companies the everyday risk matters more than the maximum fine: warning letters, complaints by individual testers to the supervisory authority, and the damage to trust.

Sources

  1. Regulation (EU) 2016/679 (GDPR), consolidated text: EUR-Lex — esp. Art. 4, 5, 6, 7, 15, 17, 28, 46, 83.
  2. European Data Protection Board (EDPB): Guidelines 05/2020 on Consent under Regulation 2016/679.
  3. Irish Data Protection Commission (DPC): Decision concerning EU/EEA→US data transfers by Meta Platforms Ireland, May 2023 (€1.2B fine).

Test without bending the rules.

Consent technically enforced, all data on servers in Germany, transcription and AI analysis included — user testing without US data risk.

Try for free Compare with US tools