Short answer: GDPR doesn't require EU hosting, but it makes compliance much simpler. You need a signed DPA (Article 28), a sub-processor list, EU or adequacy-country data residency, encryption in transit and at rest, documented breach notification, and a clear answer to the Schrems II question if any processor is US-owned. LaunchPad Host runs in Germany, signs a DPA by default, and publishes our sub-processor list.
Key Takeaways
- GDPR doesn't mandate EU hosting — but non-EU hosting triggers Schrems II analysis that most SMBs can't afford to do properly.
- Your host must sign an Article 28 DPA. If they won't, they're not GDPR-ready for commercial use.
- Sub-processors (CDN, backup, monitoring) count. You need a current list and notification of changes.
- Breach notification to the supervisory authority is 72 hours — your host needs to surface incidents fast enough.
- Schrems II killed the US Privacy Shield. US-owned processors now need supplementary measures — usually not worth the legal fees for small sites.
- WHOIS privacy + EU domain registrar + EU host = the simplest defensible posture for a small EU business.
What GDPR Actually Requires From Your Host
The General Data Protection Regulation treats your host as a data processor — they process personal data on your behalf. That imposes specific duties on them, and specific duties on you when you choose them.
From your host you need, at minimum:
- A signed Article 28 Data Processing Agreement
- Documentation of where data is stored and processed
- A current list of sub-processors (Article 28(2))
- Technical and organizational measures (Article 32) — encryption, access control, redundancy
- Breach notification capability fast enough to meet your 72-hour duty (Article 33)
- Support for data subject rights requests (export, delete)
If a host can't check all six boxes, you're taking on compliance risk that should live with them.
The Data Processing Agreement (DPA)
A DPA is a contract between you (controller) and your host (processor) that says: here's what data you're processing, here's what you're allowed to do with it, here's how we handle incidents. Without one, you're technically non-compliant the moment an EU resident uses your site.
Red flags in a DPA:
- Host reserves the right to process data for "service improvement" or "analytics" with no opt-out
- No sub-processor list or it's "available on request" with no update notifications
- Breach notification timeline is "as soon as practical" (should be hours, not days)
- Governing law is a non-adequacy country with no supplementary measures clause
Good DPAs follow the EU Standard Contractual Clauses and spell everything out. Our DPA is one click to download and sign.
Data Residency and Schrems II
Schrems II (2020) invalidated the EU–US Privacy Shield. The practical consequence: if your processor is US-owned or subject to US surveillance law (FISA 702, EO 12333), you need supplementary measures — typically encryption where the processor doesn't hold the key, plus a Transfer Impact Assessment.
For an SMB, the cost of doing Schrems II properly (legal review + technical measures) exceeds the cost of just picking an EU-owned host. Germany and the Netherlands are both safe bets; we run in Germany.
The European Data Protection Board maintains recommendations on supplementary measures if you want to go down that path.
Sub-Processors and Chain of Custody
Your host has vendors — CDN, DNS, monitoring, backup storage, email relay. Each is a sub-processor of your data. GDPR Article 28(2) says you need to know who they are and get notified when the list changes.
Common sub-processor categories:
- CDN — Cloudflare, BunnyCDN, Fastly. Check where their edge caches EU traffic.
- Backup storage — often S3 or Backblaze B2. Jurisdiction matters.
- Monitoring — Datadog, Grafana Cloud, New Relic. Most are US-owned.
- Transactional email — Postmark, SendGrid. Where do they send from?
Our sub-processor page lists every vendor, its jurisdiction, and what data it sees. If we add one, existing customers get 30 days' notice before it goes live.
Encryption, Backups, and Access Logs
Article 32 requires "appropriate technical and organizational measures." In practice that means:
- TLS everywhere — free Let's Encrypt certificates, HSTS, TLS 1.2+ only
- Encryption at rest — full-disk encryption (LUKS) on the hosting nodes and backup targets
- Access logs — who touched what, kept long enough to investigate an incident
- Principle of least privilege — support staff shouldn't have standing access to customer data
- Backup isolation — backups in a different failure domain, ideally different jurisdiction within the EU
None of this is exotic in 2026. Any host selling to EU businesses should have it. If they don't advertise it, ask.
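Two of the items above (TLS 1.2+ and HSTS) can be verified from the outside before you sign anything. The script below is an added example written for this article, not LaunchPad Host's tooling; the hostname you pass to `audit()` and the one-year HSTS max-age threshold are assumptions, and the live check needs network access while the pure functions run offline.

```python
import ssl
import http.client

MIN_TLS = ssl.TLSVersion.TLSv1_2
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed threshold, not from the article


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if absent or no usable max-age."""
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def evaluate(tls_version, hsts_header):
    """tls_version is the string ssl reports, e.g. 'TLSv1.3'; returns findings (empty = pass)."""
    findings = []
    if ssl.TLSVersion[tls_version.replace(".", "_")] < MIN_TLS:
        findings.append(f"negotiated {tls_version}, below TLS 1.2")
    policy = parse_hsts(hsts_header)
    if policy is None:
        findings.append("no valid Strict-Transport-Security header")
    elif policy["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {policy['max_age']} is under one year")
    return findings


def audit(hostname, port=443, timeout=5):
    """Live check against one host: negotiate TLS, HEAD /, evaluate the result."""
    ctx = ssl.create_default_context()  # already refuses TLS < 1.2 on current OpenSSL
    conn = http.client.HTTPSConnection(hostname, port, context=ctx, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return evaluate(conn.sock.version(), resp.getheader("Strict-Transport-Security"))
    except ssl.SSLError as exc:  # handshake refused, typically a legacy-only server
        return [f"TLS handshake failed: {exc.reason}"]
    finally:
        conn.close()
```

Because Python's default context will not negotiate TLS 1.0 or 1.1 itself, a host that only speaks those versions shows up as a failed handshake rather than a version finding; either way it fails the checklist item.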
Breach Notification (The 72-Hour Rule)
If there's a personal-data breach, you have 72 hours to notify your supervisory authority. That clock is tight — it includes weekends.
For you to meet that deadline, your host has to notify you much faster. Our DPA requires notification within 24 hours of a confirmed incident. That leaves you 48 hours to assess scope, draft the notification, and file it.
Ask a prospective host: "What's your incident response SLA under the DPA?" If the answer is vague, that's your answer.
The Full Checklist
Print this, take it to your host, require check marks:
- Article 28 DPA signed and counter-signed
  - Not "available" — actually executed.
- Data residency documented
  - Primary: EU or adequacy country. Backups: same or explicit cross-border SCC.
- Sub-processor list published
  - With jurisdiction for each and change-notification mechanism.
- TLS + at-rest encryption
  - TLS 1.2+, HSTS, LUKS or equivalent on all storage.
- Access controls documented
  - SSO, MFA for staff, least-privilege, audit log.
- Breach notification SLA ≤ 24h
  - Written into the DPA, not a vague promise.
- Backup tested + restorable
  - A backup you can't restore isn't a backup.
- Data subject rights supported
  - Export, delete, portability — your host should give you tools, not manual tickets.
- Transparency report published
  - Annual numbers on lawful access requests and how they were handled.
Nine checks. Most hosts fail three or more. The ones that pass all nine are the ones you can sell to enterprise EU customers without a 6-month legal review.
Frequently Asked Questions
No — GDPR is jurisdiction-agnostic. But EU hosting dramatically simplifies the Schrems II analysis and avoids the need for supplementary measures on personal data transfers. For most small businesses, EU hosting is the cheap option.
For EU-to-EU transfers, the DPA is enough. For EU-to-non-adequacy-country transfers, you need SCCs plus a Transfer Impact Assessment plus (usually) supplementary measures. That's why most small businesses just pick an EU host.
Countries the European Commission has formally determined provide adequate data protection — currently includes Switzerland, UK, Canada (commercial), Japan, South Korea, Israel, and a few others. The current list is on the EC website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
Not automatically. Cloudflare is a sub-processor; you need them on your sub-processor list, and you need to understand their data handling. Their EU-only traffic option reduces the Schrems II surface area. Many GDPR-compliant sites use Cloudflare; just document it.
Post-Schrems II, several EU data protection authorities have ruled default Google Analytics configurations unlawful. Use self-hosted alternatives (Plausible, https://plausible.io/; Matomo, https://matomo.org/) or configure GA4 with strict data-minimization and IP truncation and consult counsel.
Usually no. A Data Protection Officer is required only for public authorities, large-scale systematic monitoring, or large-scale processing of special-category data. A 500-visitor-a-day blog doesn't trigger it.
That's a DPA violation. You'd have grounds to terminate and potentially sue. More importantly, pick a host whose breach-notification SLA is contractually short — 24 hours — so you don't end up in that position.
If they contain personal data, yes — or you need SCCs + supplementary measures for the transfer. Our backups are in a second German datacenter in a different failure domain.