GDPR-Compliant Hosting: What You Need to Know About Server Location

Published May 27, 2026 · by Simon Meyer

EUR 20M fines, CLOUD Act, Schrems III. Why an EU data center at a US provider is not enough, which EU hosts are worth it, and what your DPA must include.

Your hosting provider runs a Frankfurt data center. Your SSL certificate is green. Your cookie banner dutifully annoys every visitor. And yet you could get a letter from a data protection authority tomorrow – because your host is a US corporation, and the CLOUD Act allows the FBI to access your customer data regardless of where the servers physically sit.

GDPR-compliant hosting is more than server location. It involves data processing agreements, subprocessors, third-country transfers, and technical safeguards. This post covers what matters – with specific providers, real fines, and a DPA checklist you can use right away.

Up to EUR 20M in fines. For the wrong hosting. The numbers at a glance:

  • EUR 20M: maximum fine for a third-country transfer without legal basis
  • EUR 45M: Vodafone DE, June 2025, for security deficiencies
  • CLOUD Act: US government access to EU data, regardless of server location

What the GDPR says about server location

The GDPR does not mandate EU server locations. Articles 44 ff. GDPR require an adequate level of protection for personal data. As long as your hosting provider processes data within the EU/EEA, that level of protection is met automatically. No additional measures, no Standard Contractual Clauses, no case-by-case assessment.

The moment data flows to a third country – outside the EU/EEA – you need one of the following legal bases:

  • Adequacy decision by the EU Commission (e.g., the EU-US Data Privacy Framework)
  • Standard Contractual Clauses (SCCs) with a supplementary Transfer Impact Assessment
  • Binding Corporate Rules (BCRs) – practically relevant only for large corporations

For SMBs, the takeaway is clear: an EU/EEA-based host eliminates the entire third-country complexity. You skip Transfer Impact Assessments, SCCs, and the question of whether the next adequacy decision survives the CJEU. For performance and cost breakdowns of different hosting models, see our hosting comparison.

CLOUD Act: why an EU data center at a US provider is not enough

AWS Frankfurt, Google Cloud Frankfurt, Azure Germany – sounds like EU hosting. Technically, the servers sit in Germany. Legally, the picture is different.

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) of 2018 compels US companies to hand over data upon request from US authorities – regardless of where that data is physically stored. A Frankfurt server owned by a US parent company falls under US jurisdiction. The GDPR explicitly prohibits such disclosures without an EU-law legal basis (Art. 48 GDPR).

Think of it like a rental apartment: you live in Germany, German tenancy law applies. But your landlord is in the US – and US law enforcement can force them to unlock your door without a German court ever being involved.

Criterion                         | EU-based host  | US cloud with EU DC
----------------------------------+----------------+----------------------
Server location                   | Germany        | Germany
Parent company                    | DE / EU        | USA
CLOUD Act                         | Not applicable | Applicable
GDPR Art. 48 conflict             | No conflict    | Potential conflict
DPA under EU law                  | Standard       | Often US law as basis
Legal certainty post Schrems III  | Not affected   | Directly affected

For SMBs without an in-house legal team, the safe choice is a hosting provider with no US corporate ties. Not because US cloud services are insecure – but because you avoid a legal risk you cannot control.

DPF and Schrems III: the sword of Damocles

Since July 2023, the EU-US Data Privacy Framework (DPF) has been in effect. It permits data transfers to DPF-certified US companies – including AWS, Google, Microsoft, and Cloudflare. For many SMBs, this is the current legal basis for using US services.

The problem: NOYB (Max Schrems' organization) has filed a challenge. A case before the CJEU – informally called "Schrems III" – is likely. The track record speaks for itself: Safe Harbor (Schrems I, struck down 2015) and Privacy Shield (Schrems II, struck down 2020) were structurally identical predecessors.

Adding to the concern, structural changes to the US Privacy and Civil Liberties Oversight Board undermine the foundation of the DPF. The Board was supposed to ensure that US intelligence agencies do not disproportionately surveil EU citizens' data. Without a functioning Board, the basis for the adequacy decision erodes.

If the DPF falls, the same thing happens that followed Schrems II: every data transfer to US companies loses its legal basis. Companies must switch to SCCs plus Transfer Impact Assessments – or change providers. Those already on an EU-based host have no problem. Those on AWS or Google Cloud have a migration project.

EU-based hosting providers compared

For SMBs that want to stay on the safe side, there are solid hosting options from European companies with European data centers. No US corporate ties, no CLOUD Act exposure, DPAs under EU law.

Provider | From / month   | Server location                  | DPA
---------+----------------+----------------------------------+-----------
Hetzner  | EUR 3.49 (VPS) | Nuremberg, Falkenstein, Helsinki | Online
netcup   | EUR 3.49       | Karlsruhe                        | Online
IONOS    | EUR 6          | Germany                          | Online
all-inkl | ~EUR 5         | Germany                          | On request
dogado   | ~EUR 5         | Germany                          | Online

Hetzner and netcup are priced on par with entry-level AWS offerings – without the legal complexity. For technical differences between shared, managed, and VPS hosting, see our hosting comparison.

DPA checklist: what must be included

Your hosting provider is a data processor under Art. 28 GDPR. You need a Data Processing Agreement (DPA) – no exceptions. Missing a DPA can result in fines up to EUR 10 million or 2% of annual turnover.

A DPA is not a free-form document your host drafts at will. Art. 28(3) GDPR prescribes specific mandatory contents. Here is the checklist:

  • Subject matter and duration of processing (what is hosted, for how long)
  • Nature and purpose of processing (web hosting, email, database)
  • Data categories (personal data of your website visitors, customers, newsletter subscribers)
  • Categories of data subjects (customers, prospects, employees)
  • Instruction binding – the host may only process data based on your instructions
  • Confidentiality – all host employees with data access must be bound to confidentiality
  • TOMs (technical and organizational measures) – named specifically, not "appropriate measures." What type of encryption? What access controls exactly?
  • Subprocessor regulation – which subprocessors does the host use, how are you notified, do you have the right to object?
  • Assistance with data subject rights (access, deletion, rectification)
  • Deletion or return of all data at contract end
  • Audit rights – you may inspect the host or have them inspected

Most EU-based hosts offer the DPA as a ready-made document for download. Still verify that all points are covered. A prefab DPA missing TOMs is worthless.

Hidden third-country transfers: CDN, email, analytics

Your server is in Germany. Your host is German. The DPA is signed. Your website can still send personal data to the US – through services you might not immediately think of.

Every subprocessor that handles visitor data is a potential third-country transfer:

  • CDN – Cloudflare is DPF-certified but US-based. If the DPF falls, you have a problem. EU alternatives: BunnyCDN (Slovenia), KeyCDN (Switzerland, with adequacy decision).
  • Email delivery – Mailchimp, SendGrid, Mailgun: all US. Brevo has EU servers but is a French company with US infrastructure. Check the subprocessor list.
  • Analytics – Google Analytics transfers data to Google LLC in the US. Consent Mode v2 does not change this – it controls whether data is collected, not where it goes. More on this in our post on GA4 Consent Mode v2.
  • Fonts & embeds – Google Fonts loaded from googleapis.com means a third-country transfer on every page load. Self-hosting the fonts eliminates the problem.
  • Comment plugins, chat widgets, contact form services – any external service processing IP addresses or form data.

Build a subprocessor inventory for your website. Go through every external resource loaded on page view. The browser DevTools (Network tab) show you every connection to external servers. Each connection is a potential transfer that must be documented and secured.
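As an added illustration (not code from the original post), here is a small Python script that does the first pass of that inventory from a page's HTML: it lists every external host referenced by script, link, img and iframe tags, drops same-origin and relative URLs, and labels the hosts the post itself names as US-based. The sample HTML and the classification table are constructed; a real audit still needs the Network tab, because CSS, JavaScript and redirects load resources the markup alone does not show.

```python
# Added example (not from the original post): a first-pass subprocessor inventory
# built from a page's HTML. Sample HTML and classification table are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lookup; only hosts the post itself names as US-based.
KNOWN_THIRD_COUNTRY = {
    "fonts.googleapis.com": "Google Fonts (US)",
    "www.googletagmanager.com": "Google Analytics / Tag Manager (US)",
}
# Tags whose URL attribute triggers a request when the page is rendered.
URL_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src", "source": "src"}


class ResourceCollector(HTMLParser):
    """Collects every resource URL referenced by the tags in URL_ATTRS."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if value:
            self.urls.append(value)


def external_origins(html, site_host):
    """Map each third-party host to its URLs; same-origin and relative URLs are skipped."""
    collector = ResourceCollector()
    collector.feed(html)
    origins = {}
    for url in collector.urls:
        host = urlparse(url).hostname  # also resolves scheme-relative //host/path
        if host and host != site_host:
            origins.setdefault(host, []).append(url)
    return origins


def inventory(html, site_host):
    """One row per external host: (host, classification, number of resources)."""
    return [(h, KNOWN_THIRD_COUNTRY.get(h, "unclassified: check subprocessor list"), len(u))
            for h, u in sorted(external_origins(html, site_host).items())]


# Constructed sample page: two US services, one EU CDN, one unknown chat widget.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//cdn.example-eu.net/app.js"></script></head>
<body><img src="https://www.example.de/logo.png">
<iframe src="https://widget.example-chat.com/embed"></iframe></body></html>"""

if __name__ == "__main__":
    print(*inventory(SAMPLE_HTML, "www.example.de"), sep="\n")
```

Every "unclassified" row is a host you still have to place on the subprocessor list, with its legal basis, before you can call the inventory complete.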

Technical measures under Art. 32 GDPR

Art. 32 GDPR requires technical and organizational measures appropriate to the risk. For web hosting, that means specifically:

  • Encryption in transit – TLS 1.2+ for all connections, HSTS headers enabled
  • Encryption at rest – disk encryption (AES-256) on the server
  • Access controls – SSH keys instead of passwords, two-factor for admin panels, no root logins
  • Backup strategy – regular backups with a documented recovery plan. Backup locations must also be within the EU/EEA.
  • Pseudonymization where possible – e.g., truncating IP addresses in logs
  • Monitoring – intrusion detection, log analysis, automated alerts for anomalies
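
As an added example (not from the original post), here is how the pseudonymization item above can be implemented in Python: the client address at the start of each access-log line is truncated before the log is stored or shipped. The masks (last IPv4 octet zeroed, IPv6 cut to its first 48 bits) and the sample log lines are assumptions constructed for the demo.

```python
# Added example (not from the original post): pseudonymise client IPs in access
# logs by truncation, one of the TOMs the post lists under Art. 32. The masks
# (drop the last IPv4 octet, keep 48 bits of IPv6) and the log lines are
# constructed assumptions for the demo.
import ipaddress

IPV4_KEEP_BITS = 24   # 203.0.113.57     -> 203.0.113.0
IPV6_KEEP_BITS = 48   # 2001:db8:1:2::57 -> 2001:db8:1::


def truncate_ip(ip_text):
    """Zero the host part of an IP address; non-IP input is returned unchanged."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    return str(ipaddress.ip_network(f"{ip}/{keep}", strict=False).network_address)


def pseudonymise_line(line):
    """Replace the leading client-address field of a common/combined log line."""
    ip, sep, rest = line.partition(" ")
    return truncate_ip(ip) + sep + rest


def pseudonymise_log(lines):
    """Apply the truncation to every line before the log is written or forwarded."""
    return [pseudonymise_line(line) for line in lines]


# Constructed sample lines in combined log format (IPv4, IPv6, malformed field).
SAMPLE_LOG = [
    '203.0.113.57 - - [27/May/2026:10:00:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:1:2::57 - - [27/May/2026:10:00:02 +0200] "GET /impressum HTTP/1.1" 200 1024 "-" "curl/8.0"',
    'not-an-ip - - [27/May/2026:10:00:03 +0200] "GET /x HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    print(*pseudonymise_log(SAMPLE_LOG), sep="\n")
```

Apply the truncation at the point where the log is written (or in the log shipper), not afterwards, so the full address is never persisted in the first place.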

These measures also appear in your DPA under "TOMs." Make sure they contain concrete specifications, not placeholders. For a deeper dive into server security, our post on WordPress Security 2026 covers the most common attack vectors and countermeasures.

Fine exposure: what SMBs actually face

The maximum fines of EUR 20 million or 4% of global annual turnover sound like a big-corporation problem. In practice, fines hit SMBs too – and supervisory authorities are becoming more active.

  • Vodafone DE: EUR 45M
  • H&M DE: EUR 35.3M
  • Missing DPA: up to EUR 10M
  • Third-country transfer: up to EUR 20M

The reality for SMBs: fines in the five- to six-figure range for missing DPAs, unsecured third-country transfers, or insufficient TOMs. On top of that, cease-and-desist risks from competitors and data subjects – a growing trend since 2024.

Conclusion: GDPR-compliant hosting in three steps

GDPR-compliant hosting is not rocket science if you get three things right:

  1. Choose an EU-based host with no US corporate ties – eliminates CLOUD Act, third-country transfer, and Schrems III risk in one move
  2. Review and sign your DPA – all mandatory contents per Art. 28 GDPR, concrete TOMs, subprocessor list
  3. Audit your subprocessors – CDN, analytics, email, fonts. Every external service processing visitor data needs a legal basis.

Get this right, and you have a setup that holds up even after a potential Schrems III ruling – without a panicked migration under time pressure.

Hosting that holds up – legally and technically

We host on EU servers, with a DPA, no US corporate ties. Including backups, updates, and monitoring.
