Not only the location of the server rack shown here in the data center is relevant for good data protection, but also where the firm and its offices are located.

Company Headquarters and Server Location - Both Must be Right for Data Protection

Storing data in the EU is not a silver bullet for all data protection requirements. Compliance also depends on who owns the server.

It’s a platitude that data protection is important. Yes: data is the oil of the 21st century, data protection is a compliance task, and a personal data breach can not only significantly damage a company’s reputation among customers and partners but also result in substantial financial losses. Furthermore, companies face the threat of fines – and, in individual cases, even personal liability for those in positions of responsibility. Every company should be fully aware of this.

In practice, however, data protection is often approached not through pragmatic action but by applying bureaucratic rituals. The latter exist primarily on paper – in the form of lists and registers, data processing agreements (DPAs), and emergency plans.

It is, of course, important to maintain an overview of data processing operations and the corresponding contracts. Beyond this, however, data protection is also a task that must be integrated into the fundamental architecture of a company’s IT infrastructure. When companies are asked specifically how this structure is implemented, the response is often that data is stored on servers located within the EU – and that, therefore, everything is in order.

But is this truly sufficient, or does this approach fall short when it comes to effective data protection?

Server location vs. location of the server operator

A server location within the EU is, at the very least, a good start. However, beyond that, it also matters who owns the server on which the data is stored.

If you are utilizing your own dedicated server – whether located in your own data center or within externally managed infrastructure (e.g., colocation) – no particular issues arise initially: you manage your own IT environment, which must be designed – through both technical and organizational measures – to operate in full compliance with data protection regulations.

However, a significant amount of data and many applications are nowadays hosted in the cloud. In this context, “cloud” is essentially nothing other than the use of third-party IT infrastructure. Consequently, the cloud provider processes data on behalf of a company – a classic instance of data processing on behalf of a controller. This process routinely involves the transmission of personal data.

Such data transfer is, in principle, unproblematic provided that it takes place within the EU or in a country for which the EU has issued an adequacy decision. This is because the GDPR does not automatically apply in every country outside the EU.

So, if the server is located in Europe, everything should be fine, right?

Data transfers have many forms

A data transfer to a third country such as the USA is deemed to occur not only when data is actively transmitted, but also when access to such data is enabled from within a third country. A simple example: If a company configures the read permissions for a directory on a server located in the EU in such a way that the data can be accessed from the USA, this already constitutes a data transfer.

This is precisely what often happens when data is processed in a cloud operated by a U.S. company, or by a company that is part of a U.S. corporate group. This is because such providers are subject to U.S. law – specifically the CLOUD Act, as well as other security-related regulations. These laws may empower U.S. authorities – such as law enforcement or security agencies – to demand access to data, even if that data is stored outside the United States.

In addition to the CLOUD Act, Section 702 of the Foreign Intelligence Surveillance Act (FISA) – which was reauthorized in April 2024 – is also relevant in this context. FISA Section 702 permits US intelligence agencies to access data held by US companies without specific, case-by-case judicial authorization, provided that the data subject is not a US citizen. It was precisely this authority – exercised without judicial oversight – that constituted the primary ground upon which the ECJ declared the predecessor frameworks invalid in the Schrems rulings.

For companies, this means that even if a server is physically located within the EU, access from the USA may be legally permissible – regardless of whether such access would be deemed lawful from a European perspective. This constitutes a central data protection challenge that must be taken into account when selecting cloud providers.

To put it even more clearly: Storing data on a server or in a cloud that is attributable to a US company – even indirectly through a corporate structure – may constitute a transfer of data to the United States.

GDPR and US CLOUD Act: contradictions that are not easy to resolve

Such a data transmission cannot always be designed in a legally secure way.

The USA and the EU have made two attempts to find a basis for such data transfers, namely in the form of the “Safe Harbor” agreement and later the “Privacy Shield”. However, both instruments were declared invalid by the European Court of Justice (ECJ) in the Schrems I and Schrems II judgments. They can therefore no longer serve as a basis for data transfers.

A third attempt is currently in force: the EU-US Data Privacy Framework (EU-US DPF), which forms the basis for an adequacy decision of the EU Commission. Technically, this enables data transfers to the US without violating the GDPR per se.

However, there are several reasons to be cautious.

First of all, it remains unclear whether the EU-US DPF will endure in the long term. An initial legal challenge against the adequacy decision has already been dismissed by the General Court (GC). The matter is now being litigated further before the European Court of Justice (ECJ) – the highest court.

Even more concerning is what is taking place within the United States itself. Since January 2025, the Trump administration has systematically undermined the institutional foundations of the DPF. The three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) have been dismissed. The PCLOB no longer has a quorum and is, in effect, unable to function. Yet this very body was a central element of the adequacy decision: it was tasked with conducting the annual review of the redress mechanism through which EU citizens can challenge unlawful surveillance. If the oversight board ceases to function, then oversight itself ceases to function as well.

At the same time, Executive Order 14086, which made the DPF possible in the first place, is currently under review. A separate Executive Order calls into question the independence of the Federal Trade Commission (FTC), the agency responsible for enforcing DPF principles within the United States.

Since the EU-US DPF closely resembles its predecessors – Safe Harbor and Privacy Shield – in key respects, there remains a risk that this instrument, too, could be declared invalid in the future – particularly in light of past rulings by the ECJ. It would therefore be imprudent to base long-term decisions (such as the installation of a specific software infrastructure) solely on the existence of this framework.

But even if the courts wave the transfer mechanism through, that does not make the US CLOUD Act go away. US authorities will still be able to demand access to data, and judging by the past, they will make use of that power. Whoever has sensitive data and trade secrets to protect, or transfers data to and from critical infrastructure, may want to think twice.

Beyond Data Protection: Cybersecurity as a Second Dimension

Alongside data protection considerations, a further – and more comprehensive – development is taking shape. Under the NIS2 Directive, which has had to be implemented since October 2024, many companies are for the first time legally required to assess the cybersecurity of their supply chains. This requirement extends to cloud providers as well. The CSA2 package, introduced by the EU Commission in January 2026, goes a step further by establishing a framework that enables the exclusion of providers deemed high-risk from critical sectors. Consequently, the choice of a cloud provider is no longer merely a matter of data protection compliance, but also one of cybersecurity compliance.

Result & Recommendation

Storing data on a server located within the EU is not a panacea that automatically satisfies all data protection requirements. Crucially, the company operating the servers or the cloud must also be capable of meeting the requirements governing the processing of personal data on behalf of a controller. In this context, one must consider not only the physical location of the servers but also the registered office of the operating company, as well as its corporate group structure.

Consequently, wherever possible, preference should be given to European providers. This is not a matter of “home bias,” but rather a course of action dictated by the prevailing regulatory framework, the current legal landscape, and a realistic assessment of the political stability of transatlantic data protection agreements. Those planning their infrastructure today should not base their strategy on the mere hope that a politically fragile framework will remain intact tomorrow.

Note: This article was first published in January 2022 and last updated and corrected in June 2026.