GDPR-Compliant Cloud Hosting in Germany: What to Look For?

You can recognise GDPR-compliant cloud hosting in Germany by four things: the data is stored physically and exclusively in Germany, the provider is not subject to US jurisdiction through its ownership or control structure, there is a clean data processing agreement, and operations are backed by certificates such as ISO 27001. What matters is not the marketing promise but the contract and the technical reality behind it. This guide shows which points management and IT leadership should check in concrete terms before signing a contract.

What does GDPR-compliant cloud hosting actually mean?

GDPR-compliant does not automatically mean a German location, and a German location does not automatically mean GDPR-compliant. These are two separate questions that must be answered together. The GDPR governs how personal data may be processed, who is responsible for it and what rights data subjects have. Cloud hosting means an external provider stores and processes this data for you in its data centre. The provider thereby becomes a data processor, and you as the customer remain the controller.

Compliance becomes verifiable on three levels. First, the legal level: is there a data processing agreement under Article 28 GDPR, and is the provider itself bound by the GDPR? Second, the organisational level: are processes, access rights and deletion concepts documented and auditable? Third, the technical level: where is the data physically located, how is it encrypted, and who has access to the infrastructure? Only when all three levels are sound is hosting genuinely GDPR-compliant.

An important point for decision-makers: responsibility cannot be fully outsourced. Article 28(1) GDPR obliges you as the controller to use only processors that provide sufficient guarantees, so even with a perfect provider you remain responsible for the selection, the documented instructions and the ongoing oversight. A good provider makes these obligations easy by supplying contracts, evidence and processes proactively. This is precisely how you recognise a reputable partner.

Why is a German server location not enough on its own?

A physical location in Germany is a necessary but not sufficient condition. What matters in addition is who can legally compel access to the data. A data centre in Frankfurt is of little use if the operator belongs to a US corporation, because the US CLOUD Act allows US authorities to compel a provider subject to US jurisdiction to produce data in its possession, custody or control, regardless of where that data is stored. Such a demand conflicts with the GDPR: under Article 48 GDPR, a third-country order is only recognised if it is based on an international agreement such as a mutual legal assistance treaty, so the provider is caught between two incompatible legal obligations.

The consequence for your due diligence: do not only ask about the location of the servers, but about the ownership and control structure of the provider. An owner-managed German service provider without a US parent company is subject solely to German and European law. Data processed there is effectively shielded from third-country access demands, provided that no subprocessor (for example a US-owned backup, monitoring or support tool) brings the data back under a third country's jurisdiction.

A second point concerns data flows during operation. Even with a German primary location, backups, monitoring, support tools or content delivery networks can cause data to flow abroad. Have it confirmed in writing that these secondary processes also stay within Germany or the EU. ITS AG, for example, operates two of its own data centres in Frankfurt am Main, about ten kilometres apart and redundantly coupled via multiple 100-gigabit links, with the data remaining in Germany throughout.

Which contracts and proofs must be in place?

The most important contract is the data processing agreement, or DPA, under Article 28 GDPR. It governs what the provider may do with your data, which technical and organisational measures it takes and how subprocessors are handled. Article 28(3) requires this contract; without a signed DPA, having a cloud provider process personal data on your behalf is not permissible. Check whether the DPA is already available in standardised form; this saves time and shows that the provider takes data protection seriously.

In the DPA, pay particular attention to the annex listing the technical and organisational measures, or TOMs. This sets out specifically how physical entry to the premises, access to systems, access to data, transfer of data, encryption and availability are secured, in line with Article 32 GDPR, which also calls for the ability to restore data after an incident and for regular testing of the measures. Blanket wording is a warning sign. Good signs are comprehensible, verifiable details, for instance on encryption methods, access logging and deletion periods. Also ask for the list of subprocessors and a commitment to a procedure that informs you of any changes and lets you object to them.

When it comes to certificates, ISO 27001 is the established standard for information security management. An operation certified to ISO 27001 demonstrates that security processes are documented, practised and externally audited. Depending on the industry, further evidence may be required, for example for healthcare or the financial sector. It is important that the scope stated on the certificate covers the specific location and service that runs your data, not just the corporate headquarters; ask for the certificate itself and read its scope statement rather than relying on a logo on the website.

How do you secure data location, encryption and backups?

Data location refers not only to where the production data sits, but also to where copies and backups end up. Backups are a common blind spot: many incidents arise because the backup is stored in another region or with a third-party provider. Have it guaranteed that backups too are stored exclusively in Germany. For geo-redundancy, a second German location is sufficient; a data centre cluster within Germany delivers failover resilience without leaving the national data space.

With encryption, data should be encrypted both in transit and at rest. The more important question for decision-makers, however, is key management. Whoever holds the key can read the data. Clarify whether you can supply and manage your own keys, for example in a hardware security module or key management system under your control, and whether the provider is technically prevented from reaching plaintext data without your involvement. This is a key lever for staying protected even in the face of third-party access demands: a provider that stores only ciphertext and never holds the key cannot hand over readable data, whatever it is ordered to do.
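The following added example (not code from the original page or from ITS AG) shows what "the provider cannot reach plaintext without your involvement" looks like technically: client-side envelope encryption. The data is encrypted under a random data-encryption key (DEK), the DEK is encrypted (wrapped) under a key-encryption key (KEK) that stays with the customer, and the provider stores only the two ciphertexts. The KEK here is generated in memory so the example runs offline; in practice it would sit in an HSM or KMS the customer controls. The object identifier, function names and the sample data are assumptions for illustration, and the scheme (AES-256-GCM for both layers) is a common choice, not a statement about any particular provider's implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the hosting provider holds for one object.
// Without the customer's KEK it yields no plaintext: the payload is under a
// random DEK, and the DEK is itself encrypted (wrapped) under the KEK.
type StoredObject struct {
	Data       []byte // nonce || AES-256-GCM ciphertext of the payload
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext of the DEK
}

// NewKEK generates a 256-bit key-encryption key. In production this is held in
// the customer's own HSM/KMS and is never handed to the provider (constructed
// in memory here, an assumption so the example runs offline).
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, wrong AAD or any tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt runs on the customer side before upload. objectID (e.g. the storage
// key) is bound in as associated data, so a ciphertext cannot be silently
// re-attached to a different object name.
func Encrypt(kek, plaintext, objectID []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	data, err := seal(dek, plaintext, objectID)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, objectID)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Data: data, WrappedDEK: wrapped}, nil
}

// Decrypt needs the KEK, so only the customer can run it.
func Decrypt(kek []byte, obj *StoredObject, objectID []byte) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, objectID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Data, objectID)
}

// Rewrap rotates the KEK without touching the bulk data: only the small
// wrapped DEK is re-encrypted, which is what makes periodic rotation cheap.
func Rewrap(oldKEK, newKEK []byte, obj *StoredObject, objectID []byte) error {
	dek, err := open(oldKEK, obj.WrappedDEK, objectID)
	if err != nil {
		return fmt.Errorf("unwrap DEK: %w", err)
	}
	wrapped, err := seal(newKEK, dek, objectID)
	if err != nil {
		return err
	}
	obj.WrappedDEK = wrapped
	return nil
}

func main() {
	kek, _ := NewKEK()
	id := []byte("customer-123/invoices/2024-03.pdf") // assumed storage key
	obj, _ := Encrypt(kek, []byte("personal data"), id)
	// What the provider, or anyone it must answer to, can attempt without the KEK:
	if _, err := Decrypt(make([]byte, 32), obj, id); err != nil {
		fmt.Println("provider without KEK:", err)
	}
	pt, _ := Decrypt(kek, obj, id)
	fmt.Printf("customer with KEK: %s\n", pt)
}
```

The point to take into the contract negotiation: ask whether the provider's "customer-managed keys" option really works like this (the provider never holds the KEK and cannot call the equivalent of Decrypt on its own), or whether it is merely a key the provider generates and stores for you, which protects against nothing in a compelled-access scenario.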

For backups, the principle of immutability applies in addition. Backups that can subsequently be deleted or overwritten with the same credentials that write them do not protect against ransomware, because an attacker who has reached the production environment can usually reach them too. Object Lock or WORM storage makes backups immutable for a defined retention period, so that not even an administrator can remove them early. Also demand regular, documented restore tests with measured recovery times. A backup that has never been restored is an unknown risk when it really counts.

What exactly should management and IT leadership check?

For management, liability, predictability and contractual clarity come first. Check whether the DPA is in place, whether data residency is guaranteed in writing and whether the provider's ownership structure is free of third-country access. Also clarify response times for incidents, availability commitments and how you regain access to your data in an emergency. A documented exit process belongs in every reputable contract so that no lock-in arises.

For IT leadership, the technical details matter: which virtualisation, which storage classes, how the network between locations is designed, how patch windows and monitoring work. The question of the point of contact is also important. A dedicated technical contact who knows your specific environment is worth more in day-to-day operations than an anonymous hotline. ITS AG works with dedicated contacts here and usually responds to incidents in under 30 minutes on business days.

Both roles should jointly think through a migration and contingency path. How does the data get in, how does it get out again if needed, and what happens if the provider fails? A step-by-step migration without a big bang, with a pilot phase and a fallback scenario, considerably reduces the risk. Document these paths in writing and test them before any production data is moved.

Which typical mistakes end up costing money and compliance?

The most common mistake is relying on marketing claims alone. Terms such as German cloud or GDPR-ready are not protected. Always demand written, verifiable evidence instead of advertising promises. A second widespread mistake is overlooking subprocessors. If the provider itself uses hyperscalers or foreign tools in the background, the appealing German location can become worthless at that point.

A third mistake concerns the cost structure. Consumption-based models from large platforms are hard to plan across many dimensions and often lead to surprises on the invoice. For mid-market firms, a transparent, predictable pricing structure is usually the better choice because it makes budgeting and controlling easier. Calculate different scenarios and have the assumptions provided in writing.

The fourth mistake is a lack of practice for emergencies. Restore tests, contingency plans and escalation paths are often defined on paper but never actually rehearsed. In a real incident it then turns out that recovery times are far longer than assumed. Anchor regular tests in the contract and have the results reported to you. This turns a promise into reliable protection.

Frequently asked questions

  • Is a German server location alone enough for GDPR-compliant hosting? No. A German location is an important prerequisite but not sufficient. What matters in addition is who controls the provider. If the operator belongs to a US corporation, laws such as the CLOUD Act can be used to demand access to the data even when the servers are in Germany. A data processing agreement, documented technical measures and a commitment that backups and secondary processes also stay in the country are equally important.
