Feb 10, 20221 min read

The location of computers, servers, and data centers is a central topic when thinking about the compliance of personal data processing. The obvious reason: laws are different from place to place and to stay compliant one must know which set or rules applies. The European Union with its GDPR has relatively strict laws, but so do other places such as Japan, South Korea, Argentina, or, interestingly, California.

Many jurisdictions, e.g. Russia, stipulate that all or at least certain kind of data must only be processed within its borders. Other jurisdictions, most notably the EU, care not about location per se, but about a certain minimum standard of protection. Hence, the adequacy decisions of the EU Commission. Based on Art. 45 GDPR that enable transfers of personal data to recipients outside the EU.

Sometimes it is not that easy at all to determine at which location exactly a certain act of data processing takes place. For example, access to data is already a processing of those data. The simple act of sending access credentials to a database to a recipient in another country may thus already constitute an act of data processing in that country.