GDPR & cloud: what is really important

24 June, 2026

Nadine Kustos
Marketing Manager

Nadine has supported the NETWAYS Managed Service Team since May 2025. As Marketing Manager she takes care of planning, carrying out and reviewing marketing activities so that the products are positioned optimally on the market. Creative balance is important in her free time as well: besides photography and dancing, her hobbies include painting, crafts and sport.

The use of cloud technologies has long since become the standard in today’s world. At the same time, however, the responsibility to protect personal data is growing. This is precisely where the General Data Protection Regulation (GDPR) comes into play. It defines clear rules on how data must be processed, stored and protected, and these rules apply in the cloud just as they do anywhere else.

In this article, you will find out in detail what really matters when combining the cloud and GDPR, what pitfalls you should avoid and how to make your cloud usage secure.

What is personal data in the cloud?

The GDPR applies to all personal data. This includes, among other things:

  • Names, e-mail addresses and telephone numbers
  • IP addresses and location data
  • Customer data, employee data or applicant information

As soon as such information is stored or processed in the cloud, the GDPR applies, regardless of whether you use a simple SaaS solution or operate complex cloud infrastructures.

What are the data protection challenges in the cloud?

Using the cloud brings numerous advantages, but also presents you as a company with major challenges, especially when it comes to data protection. In particular, the processing of personal data must be GDPR-compliant so that you do not run the risk of violating applicable law. The most important aspects include:

Legal conformity

You must ensure that the processing of personal data in the cloud is lawful and that you retain control over this data (data sovereignty). In order to be GDPR-compliant, clear agreements must be made with the cloud provider regarding data processing and storage. This includes, for example, a secure storage location. In addition, data subjects must be able to exercise their rights easily. This requires transparent erasure concepts as well as technical and organizational measures such as encryption and strict access controls that prevent unauthorized access.

State of the art (TOMs)

The GDPR requires that technical and organizational measures (TOMs) correspond to the current state of the art to ensure the security of the processed data. TOMs include, for example:

  • Encryption of data (at rest and in transit)
  • Access controls and role management
  • Logging and monitoring
  • Regular security updates
  • Backup and recovery concepts

It’s important to note that you don’t have to implement everything yourself, but you do need to ensure that your cloud provider takes these measures.

Privacy by design

Data protection should already be taken into account during the development of new technologies (privacy by design). The aim is to automatically protect users from possible infringements of their rights and freedoms without them having to actively do anything themselves. Security and data protection requirements must therefore play a central role in the design and programming of software, hardware and digital applications. This ensures that personal data is comprehensively protected from the outset.

Privacy by default

In addition to privacy by design, the GDPR also requires privacy by default. This means that the default settings of data processing technologies must be designed to be data protection-friendly. For example, applications must be configured by default so that only the information required for the respective purpose is collected and processed.

Accountability and verification

You are obliged to demonstrate compliance with the GDPR. This requires comprehensive documentation of the data processing processes and, if necessary, the implementation of data protection impact assessments.

In concrete terms, this means for you:

  • You must document which data you process.
  • You need to know where this data is located.
  • You must have processes for deleting and correcting data.

This can quickly become complex in the cloud. That’s why you should rely on providers that offer you transparent insights and reporting functions.

Commissioned processing

When using a cloud service, a GDPR-compliant data processing agreement (DPA) is required in which the obligations of the cloud provider are defined.

The following points are particularly important:

  • Subcontractors: The cloud provider must disclose which subcontractors it uses. You also have the right to object to any changes and, if you do, to withdraw from the contract.
  • Control rights: You must be able to exercise your control rights in accordance with the GDPR. If an on-site inspection is not possible, the provider can also prove compliance with the GDPR through appropriate audits or certificates.
  • Data erasure: The cloud provider must erase or hand over personal data once the commissioned processing has ended.
  • Purpose and duration of data processing: The contract must clearly state the specific purpose and duration of data processing.
  • Type of data and data subjects: It must also be clear to you what type of data is stored and which persons are affected.
  • Security measures of the provider: The security measures also play a major role. These must be disclosed to you by the provider.

Encryption

One of the most effective measures in the cloud environment is encryption. Ideally, data is:

  • End-to-end encrypted, so that only authorized persons have access
  • Secured with keys managed by the customer (customer-managed keys, CMK)

The more control you have over the keys, the better you can protect your data from unauthorized access – even from the cloud provider itself.

Backup & Recovery

Although backups are essential for data security, they can also become a GDPR trap, because:

  • Data in backups must also be protected.
  • Deletion requirements must be taken into account.
  • Access must be controlled and documented.

A good cloud backup concept takes data protection into account from the outset and integrates clear deletion and recovery processes.
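One way to implement the two points above (customer-managed keys that the provider never holds, and deletion that also reaches old backups) is to give every data subject their own key and destroy that key on erasure, so that any ciphertext left in a backup can no longer be read. The following Ruby example is added here and is not code from the original article or from NETWAYS; the in-memory KeyStore class, its method names and the subject ids are assumptions standing in for a customer-controlled KMS:

```ruby
require 'openssl'
require 'securerandom'

# KeyStore keeps one AES-256 key per data subject. It is a hypothetical stand-in
# for a customer-managed KMS: keys stay with the controller, so the provider's
# storage, and every backup taken from it, only ever holds ciphertext.
class KeyStore
  def initialize
    @keys = {}
  end

  # Called when a subject's data is first stored: a fresh random 256-bit key.
  def enroll(subject)
    @keys[subject] = SecureRandom.random_bytes(32)
  end

  # Erasure request: destroying the key makes every copy of the ciphertext,
  # including copies still sitting in old backups, unrecoverable (crypto-shredding).
  def erase(subject)
    @keys.delete(subject)
  end

  # Seals one record as iv || auth tag || ciphertext, binding the subject id as AAD.
  def encrypt(subject, record)
    cipher = cipher_for(subject, :encrypt)
    iv = cipher.random_iv
    cipher.auth_data = subject
    ciphertext = cipher.update(record) + cipher.final
    iv + cipher.auth_tag + ciphertext
  end

  # Fails once the key is gone, even though the blob itself still exists.
  def decrypt(subject, blob)
    cipher = cipher_for(subject, :decrypt)
    cipher.iv = blob[0, 12]
    cipher.auth_tag = blob[12, 16]
    cipher.auth_data = subject
    cipher.update(blob[28..-1]) + cipher.final
  end

  private
  # Looks up the subject's key; a missing key means the subject has been erased.
  def cipher_for(subject, mode)
    key = @keys.fetch(subject) { raise KeyError, "no key for #{subject}: erased" }
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.public_send(mode) # :encrypt or :decrypt
    cipher.key = key
    cipher
  end
end
```

Because the blob carries an authentication tag, a record that was modified in storage or in a backup is rejected on decryption, and after erase the same blob cannot be opened at all.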

Location of data in the EU and third countries

The storage location of your data is a particularly sensitive point. If your data is processed exclusively within the EU, you benefit from a uniform level of data protection. This makes compliance with the GDPR much easier.

It becomes more complex when data is stored or processed outside the EU, for example in the USA. Additional requirements apply here, for example:

  • Adequacy decisions of the EU Commission
  • Standard Contractual Clauses (SCCs)
  • Additional protective measures

Laws such as the US CLOUD Act in particular can give authorities access to data, even if it is physically located in Europe. It is therefore important to know exactly where and how your data is processed.

The distribution of roles: Who is responsible for what?

A central point of the GDPR is the clear allocation of roles.

You as the controller: As the controller, you decide why and how personal data is processed. This means that you bear the main responsibility for data protection.

Cloud provider as processor: The cloud provider processes data on your behalf. It is obliged to implement suitable technical and organizational measures, but may only use the data in accordance with your instructions.

This allocation of roles is crucial because it influences all other requirements, in particular the contract for commissioned processing.

What makes a cloud service GDPR-compliant?

To ensure that a cloud service meets the strict requirements of the GDPR, companies should pay attention to the following features:

Proven security: certificates and verification

Relevant certificates demonstrate the GDPR compliance of cloud services. Look out for certifications that explicitly attest to a high level of security and high standards, for example ISO/IEC 27001 or the Trusted Cloud seal.

Data centers at secure locations

According to the GDPR, personal data may only be processed within the EU or in countries with a comparable level of data protection. Cloud services with data centers within the EU are subject to the GDPR and are therefore usually unproblematic. However, if the server location is outside the EU, additional protective measures are required. Therefore, make sure that you choose a suitable provider.

Technical factors

A GDPR-compliant cloud service must comprehensively protect your personal data from unauthorized access. This not only includes regularly updating firewalls and antivirus programs, but also strong data encryption.

Access control and authentication

It is also important to set up strong access controls such as multi-factor authentication (MFA) and role-based access rights and to review these at regular intervals. This means that only authorized persons can access sensitive information, which minimizes security risks.

Transparency and terms of use

The terms of use of your cloud provider must be made available to you. They describe in detail how the provider processes and protects personal data. To comply with the GDPR, these terms should be easily accessible and understandable for you.

Questions you can ask

  1. Where are the servers physically located?
  2. Is there a signed data processing agreement (DPA)?
  3. Is the data encrypted end-to-end and cannot be viewed by the provider?
  4. Is the cloud provider a US company?

Measures you can take

Compliance

Depending on the industry, other guidelines may apply in addition to the GDPR. You should therefore clarify in advance where your company stands and which regulations you have to comply with.

Risk assessment

An early risk assessment helps you to determine the protection requirements of the data. The more sensitive the data collected or to be processed, the more elaborate the protective measures need to be.

Technical measures

Technical measures are crucial to prevent unauthorized access to your sensitive data. These include:

  • Firewalls and antivirus software: Protect your data from unauthorized access.
  • Password protection: Use secure passwords.
  • Encryption: Encrypt your data securely.
  • Backups: Create regular backups.

Organizational measures

In addition to technical precautions, organizational measures are also required. These include:

  • Access controls: The fewer people who have access to your sensitive data, the lower the risk of accidental or deliberate data breaches or data loss.
  • Employee sensitization: Regular training courses help you to raise employee awareness of data protection measures in the company.
  • Deletion: Have a deletion concept and delete your unnecessary data.
  • Documentation of data processing: Keep a log of who processed which data when and where. This makes it easier for you to track modifications.
  • Protection of particularly sensitive documents: You should store particularly confidential information such as customer, patient or client files securely.
  • Server location EU/Germany: The safest option is to choose cloud providers with data centers within the EU or in Germany.

What advantages do GDPR-compliant cloud solutions offer?

GDPR-compliant cloud solutions offer companies numerous advantages that go beyond mere compliance with legal regulations:

Legal certainty

With a GDPR-compliant cloud solution, you meet the legal requirements and avoid severe penalties.

Current security technologies

Providers of GDPR-compliant cloud solutions continuously invest in security measures. This means you automatically benefit from the latest security standards.

Data sovereignty

Data centers in the EU, whose operators are also based in the EU, offer more control over the data as they are not subject to the US CLOUD Act or other laws of third countries. This strengthens the data sovereignty of companies and reduces the risk of data breaches.

Transparency and verifiability

GDPR-compliant cloud providers are obliged to provide you with transparent information about data processing. This makes it easier for companies to meet their own accountability obligations and minimize the risk of data protection violations.

Certifications as proof of quality

Providers of GDPR-compliant cloud services can prove their security standards through independent certifications. This also makes it easier for you to withstand any audits.

Strengthening image and trust

By relying on a GDPR-compliant cloud, you signal to your customers and partners that you take data protection and data security seriously.

Conclusion

If you want to use the cloud to outsource your data and infrastructure or that of customers, employees or business partners, you should select the provider carefully. In particular, make sure that they provide you with a data processing agreement (DPA) that meets the requirements of the GDPR.

Also check the cloud provider’s terms of use and privacy policy. You are on the safe side with a cloud provider whose servers are located in Germany or the EU. Legally compliant use must always be guaranteed.
