You have a website with a contact form. Maybe an online shop. Customer data, email addresses, order history. All of it sits on a server somewhere. The moment someone fills in their name and email on your site, you're responsible for what happens to that data.
The General Data Protection Regulation (GDPR) has been in force since 2018. Eight years later, most organisations know the basics. But when it comes to hosting, the devil is in the details. Your hosting provider processes that data on your behalf. That creates obligations many businesses overlook.
Hosting and the GDPR: who's responsible for what?
The GDPR distinguishes two roles: the data controller and the data processor. If you run a website where visitors leave personal data, you're the controller. You decide what data to collect and why. Your hosting provider is the processor: they store and process data on your instructions.
Sounds simple. It isn't. The processor has its own obligations under the GDPR (security, breach notification to you, sub-processor rules), but you as controller carry the accountability for the processing as a whole (Article 5(2)). If something goes wrong with personal data on your server, the supervisory authority looks at you first. Hiring an external party to handle hosting doesn't get you off the hook.
Regulators have become serious about enforcement. In 2024, the Dutch Data Protection Authority fined Uber €290 million for unlawful transfer of driver data to the US. Clearview AI got a €30.5 million fine. Extreme cases, but they show enforcement has teeth.
The data processing agreement: mandatory but often ignored
Article 28(3) of the GDPR is clear: if you have personal data processed by an external party, the processing must be governed by a contract, in practice a data processing agreement (DPA). If that agreement is missing, both controller and processor are in breach of Article 28 and both can be fined for it (Article 83(4)).
Most hosting providers offer a standard DPA. Usually a PDF somewhere in their website footer. The problem isn't availability. The problem is that they're often unread. And they don't always cover what you need.
A DPA must cover at minimum:
- The subject and duration of processing
- What types of data and which categories of data subjects
- Processing only on your written instructions
- Confidentiality obligations for the processor
- Appropriate security measures
- No sub-processors without your prior consent
- The processor helps you respond to data subject rights (access, correction, deletion)
- The processor helps you report data breaches
That last point is where things often go wrong in practice.
The 72-hour rule for data breaches
When a data breach involving personal data occurs, you must notify the supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the people concerned (Article 33(1)). That's the legal deadline; if you notify later, you have to explain the delay. The clock starts when you, as the controller, "become aware" of the breach. If the breach is likely to result in a high risk, you must also inform the affected data subjects (Article 34).
But in hosting situations, your provider often spots the breach first. A server intrusion, a misconfiguration, a backup that was accidentally accessible. The question: how fast does your provider inform you? You can only assess whether to notify the authority after you know.
The GDPR itself already obliges the processor to notify you "without undue delay" after becoming aware of a breach (Article 33(2)), and the DPA usually repeats that wording. But "without undue delay" is vague. Some providers interpret it as 24 hours. Others as "as soon as practically feasible". If your provider takes two days to tell you, damage continues unchecked, you lose valuable investigation time, and a large part of your own 72-hour window may be gone before you even start.
Check what your DPA says about this. If there's no concrete timeframe, ask for one.
Data breach: from incident to notification
Art. 33 GDPR · EDPB Guidelines 9/2022 on personal data breach notification
Sub-processors: the hidden chain
Your hosting provider runs your website. But who runs your hosting provider's infrastructure? Many European hosts use an American platform, backup service, or monitoring tool underneath. Every party in that chain with access to personal data is a sub-processor. Sub-processors must meet the same GDPR requirements as your direct provider.
The GDPR requires that your provider doesn't engage sub-processors without your prior written authorisation, either specific or general (Article 28(2)). Note that this is authorisation by you as controller, not "consent" in the GDPR sense, which is a legal basis for processing and belongs to data subjects. In practice, this usually works through general written authorisation: you authorise the category up front, but the provider must inform you when a sub-processor is added or replaced, and you get an objection period.
The problem: some hosting providers have dozens of sub-processors. Cloudflare for CDN, Datadog for monitoring, an American company for DDoS protection. That list changes. If you didn't pay attention during the initial agreement, you may have already consented to sub-processors outside the EU.
Ask your provider for a current sub-processor list. Under a general authorisation they have to keep you informed of every change (Article 28(2)), and as a processor they must keep a record of the processing they carry out for you (Article 30(2)), so an up-to-date list should exist. Check which countries those sub-processors are in. Is any party subject to the CLOUD Act? Then you're back to the jurisdiction problem from our previous article.
Five pitfalls we see in practice
1. No DPA with your email provider
Most organisations think of hosting as their website. But if your business email runs through an external provider, they process personal data too. Every email with a name, address, or complaint counts. Same goes for your CRM, accounting software, and HR tool.
2. Backups in a different location than production
Your website runs in a Dutch data centre. But where are your backups? If your provider stores backups with a party in the US or another non-EU country, you have a transfer of personal data to a third country (Chapter V GDPR). That's only allowed with a valid transfer mechanism, such as an adequacy decision (for the US, the EU-US Data Privacy Framework, which only covers companies certified under it) or Standard Contractual Clauses (SCCs) combined with a transfer impact assessment.
3. Logging and monitoring data as personal data
IP addresses are personal data under the GDPR (Recital 30; CJEU Breyer, C-582/14, which also covers dynamic addresses when identification is reasonably possible). Server logs, access logs, and monitoring tools that record IP addresses therefore fall under the GDPR. If those logs go to an external monitoring service, that's processing by a (sub-)processor, with all the associated obligations: a DPA, a retention period, and a transfer mechanism if the service runs outside the EU.
4. No DPIA conducted
Article 35 requires a Data Protection Impact Assessment (DPIA) whenever processing is likely to result in a high risk for the people involved. The regulation names large-scale processing of special categories of data (health, religion, sexual orientation and the like) or criminal data, and large-scale systematic monitoring, as cases where that is always assumed; the national supervisory authorities publish lists of further mandatory cases. A DPIA maps the privacy risks and documents the measures you take, including the hosting setup. Many organisations skip this step, even when it's mandatory for their situation.
5. SSL as the only security measure
TLS (what most people still call SSL) encrypts traffic between browser and server; the certificate itself only proves you're talking to the right server. That's a minimum, not complete security. Article 32 GDPR requires "appropriate technical and organisational measures" proportionate to the risk, and explicitly names pseudonymisation and encryption, confidentiality, integrity, availability and resilience of systems, the ability to restore availability after an incident, and regular testing of those measures. In hosting terms: encryption at rest, access control and MFA for administrative access, patching, tested backups, and periodic security testing.
GDPR-compliant hosting: the checklist
Based on Art. 28, 32, 33 and 35 GDPR · European Data Protection Board guidelines
Certifications: useful but not required
ISO 27001, SOC 2 Type II, and similar audits. They're not legal requirements under the GDPR, but they help. (HIPAA, which providers like to list alongside them, is a US healthcare law, not a certification, and says nothing about your GDPR position.) A certification shows that a provider has a systematic approach to information security. Article 28(5) lets a processor use an approved certification as one element to demonstrate the "sufficient guarantees" you're required to check, and supervisory authorities treat an independent audit as a strong signal that appropriate measures have been taken.
Watch what the certification covers. An ISO 27001 certificate for the data centre says nothing about the managed services around it. Ask specifically about the certification scope. And whether that scope includes the services you use.
What changes with NIS2?
With the EU's NIS2 directive (Directive (EU) 2022/2555; transposition deadline October 2024, with several member states, including the Netherlands, finishing their national laws in 2025-2026), requirements for hosting providers are getting stricter. Cloud, data centre, CDN, and managed (security) service providers are explicitly in scope. That means mandatory risk management, incident reporting to the national authority, and supply chain security.
For you as a customer, something changes too. If your own organisation is an essential or important entity under NIS2, supply chain security becomes your obligation as well (Article 21(2)(d)). It's no longer enough to have a DPA and leave it at that. You must actively assess and document your suppliers' security practices, and be able to show that assessment to the regulator.
The bottom line
GDPR-compliant hosting isn't about ticking the right box. It's a chain of responsibilities starting with you and running through to your sub-processor's sub-processor. The DPA is the foundation, but the building stands or falls on what's in it and whether you actually follow it.
Start with the basics: do you have a signed DPA with your hosting provider? Do you know where your data is, including backups? Do you know the sub-processors? And do you have an agreement on how fast you'll be called if something goes wrong?
Hesitating on any of those? That tells you enough.
Want to know if your hosting is GDPR-proof? Request a free scan and get insight into your current setup's risks within 48 hours.