GDPR and hosting: where should your European clients' data live?

The GDPR does not force you to store data in the European Union: it forces you to demonstrate that the data is protected and that its transfers rest on a valid basis. Location is therefore not an end in itself — but the longer and more opaque your hosting chain, the more that demonstration costs.
What the regulation actually requires: demonstrable protection
Three blocks of the GDPR frame your hosting choice. The accountability principle (Article 5): you must be able to prove compliance, not merely assert it. Security of processing (Article 32): measures proportionate to the risk — encryption, confidentiality, integrity, availability, regular testing. And Chapter V: as soon as data leaves the European Economic Area, every transfer needs a valid legal basis.
Concretely, you must be able to answer three questions: where is the data — country and data centre, replicas and backups included; who can access it — your host, its sub-processors, its remote support teams; on what basis do the transfers rest. If the answer takes more than a page, your hosting has itself become a compliance risk.
The sub-processor chain: the link everyone forgets
Your host is almost never alone: it relies on a data centre operator, sometimes offshore support, third-party administration tools. Article 28 requires further sub-processing to be authorised in writing and the contractual obligations to flow down the entire chain. Every added link is one more potential access, one more contract to check, one more jurisdiction to assess — we detailed these obligations in the GDPR processor checklist.
The practical reflex: require from any host the exhaustive, up-to-date list of its sub-processors, with their location and role — including support and maintenance, often forgotten even though they hold extensive access.
Standard contractual clauses: necessary, not magic
For transfers outside the EEA, the European Commission's standard contractual clauses (SCCs) are the most widely used instrument. But European case law has made their limits clear: signing the clauses is not enough — you must assess the law of the destination country and, where that law allows disproportionate access to the data, add effective supplementary measures. A contractual promise has never stopped an access that remains technically possible: which is exactly why the next question is decisive.
Encryption and keys: who can technically read your data?
Encryption in transit and at rest is the minimum baseline — but it only protects if you know who holds the keys. If your host can decrypt your data, your real protection depends on its local law, its internal procedures and its good faith. Conversely, encryption whose keys you control — or entrust to a third party independent of the host — is the strongest supplementary measure that can back standard contractual clauses. The concrete trade-offs (application-level encryption, key management and rotation, encrypted backups) are covered in our guide to business data encryption.
When sovereign hosting simplifies the demonstration
Sovereign hosting — an identified physical perimeter, an auditable operator, a short subcontracting chain — does not make you compliant by magic: the Article 32 measures still have to be implemented. But it drastically reduces the cost of proof: fewer transfers to frame, fewer contracts to verify, access logs you can actually obtain. This is the approach SOVALYX applies with its private cloud: the complete access chain fits on one page, which turns an audit into a formality (see our private cloud and SLA method).
This article sets out general principles and is not legal advice: every transfer situation deserves a dedicated analysis — talk to a specialist.
| Hosting option | Transfers to frame | Chain to document | Demonstration effort |
|---|---|---|---|
| Global public cloud, non-EU regions | Systematic (SCCs + supplementary measures) | Long, shifting, barely visible | High and recurring |
| Public cloud, EU region of a non-European provider | Residual (support, remote administration) | Long, multiple sub-processors | Medium, to be reassessed regularly |
| Sovereign private cloud, auditable local operator | Reduced to the strict minimum | Short, documented on one page | Low, stable over time |
How SOVALYX can help
SOVALYX answers this question through architecture: a sovereign private cloud where you know physically where the data lives — replicas and backups included — with an access chain documented on one page. Encryption is deployed with explicit key management, access logs are complete, and 24/7 supervision under SLA provides the security evidence Article 32 requires. Your compliance demonstration becomes a by-product of the infrastructure, not a separate project.
Talk compliance with an engineer🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.
Reviewed and optimised by AI.