GDPR-Compliant Hosting: What Your Server Setup Must Include

HostingGuider uses affiliate links. We may earn a commission if you purchase through them, at no extra cost to you.

The General Data Protection Regulation applies to every business that collects or processes personal data from people in the European Union. It does not matter where your business is based. If an EU resident visits your site and you collect their data, GDPR applies to you.

Your hosting setup is a core part of your GDPR compliance. Where your data is stored, who can access it, how it is protected, and what happens in a breach all depend on decisions made at the hosting level.

This guide covers exactly what your server setup must include to support GDPR compliance, and what to confirm with any hosting provider before you store a single byte of EU personal data.

What GDPR Says About Hosting

The full regulation is published at gdpr.eu. The sections most relevant to hosting are Articles 5, 24, 25, 28, 32, and 33.

Here is what they require in plain terms:

| GDPR Article | What It Covers | Hosting Implication |
|---|---|---|
| Article 5 | Data must be processed lawfully, fairly, and securely | Server security must be adequate for the data you hold |
| Article 24 | Controllers must implement appropriate technical measures | Your hosting setup must reflect data protection by design |
| Article 25 | Privacy by design and by default | Systems must minimise data exposure from the ground up |
| Article 28 | Processor requirements | Your host is a data processor and must sign a DPA |
| Article 32 | Security of processing | Encryption, access controls, and resilience are required |
| Article 33 | Breach notification | You must detect and report breaches within 72 hours |

Your hosting provider is classified as a data processor under Article 28. That means they handle your data on your behalf. They must sign a Data Processing Agreement with you. Without one, your GDPR compliance is incomplete regardless of how well your own systems are configured.

Step 1: Data Processing Agreement With Your Host

Before you do anything else, confirm that your hosting provider will sign a Data Processing Agreement.

A DPA is a legal contract between you (the data controller) and your host (the data processor). It defines:

  • What data is being processed and for what purpose
  • How long data is retained
  • What security measures the processor maintains
  • What happens in a breach
  • The processor’s obligations if you issue a data deletion request
  • Whether the processor uses sub-processors and under what conditions

Most reputable hosting providers have a standard DPA ready to sign. Some make it available as a self-service document in their legal or compliance section. Others require a formal request.

What to do:

  • Ask for the DPA before you sign up, not after
  • Read it before signing, particularly the sub-processor clause and the breach notification timescale
  • Keep a copy with your compliance documentation

If a host refuses to sign a DPA or cannot provide one, they are not suitable for any EU personal data regardless of their other features.

Step 2: Data Location and Transfer Compliance

GDPR restricts where personal data can be stored and transferred. Under Articles 44 to 46, personal data can only leave the EU or EEA if adequate protections are in place.

Your hosting setup must address this.

Option 1: Store data within the EU or EEA
Choose a hosting provider with data centers in EU or EEA countries. Confirm in writing that your data will not be transferred outside that region without your knowledge and appropriate safeguards.

Option 2: Use an approved transfer mechanism for non-EU storage
If your host stores or processes data outside the EU, they must use one of these mechanisms:

  • Standard Contractual Clauses approved by the European Commission
  • An adequacy decision covering the destination country
  • Binding Corporate Rules for intra-group transfers

The European Commission maintains a list of countries with adequacy decisions. The United States does not currently have a blanket adequacy decision. Transfers to US-based hosting providers require Standard Contractual Clauses to be in place.

What to confirm with any host:

  • Where are your data centers located?
  • If data is transferred outside the EU, what legal mechanism applies?
  • Will you confirm data residency in writing as part of the DPA?

Step 3: Encryption Requirements

Article 32 of GDPR specifically names encryption as an appropriate technical measure for securing personal data.

Your hosting setup must include encryption in two places.

Encryption in transit
All data moving between your visitors and your server must be encrypted. This is handled by TLS, which your server enables with your SSL certificate. TLS 1.2 or higher is required. TLS 1.0 and 1.1 are outdated and should not be in use.

Most managed hosting providers handle this automatically. Confirm that your SSL certificate is active, that HTTP automatically redirects to HTTPS, and that older TLS versions are disabled on your server.
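The three checks just described, as an added example written for this guide (not code from the original page or from any hosting provider): it pins a handshake to each TLS version to see which ones the server still accepts, confirms that plain HTTP redirects to an https:// URL, and turns the results into findings. The hostname is a placeholder argument, and the function names are chosen here.

```python
import http.client
import socket
import ssl
import sys

LEGACY = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}    # should be off
MODERN = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}  # required

def probe_version(host, version, port=443, timeout=5):
    """True if a handshake pinned to exactly `version` succeeds, False if the server
    (or this client's OpenSSL build) refuses it, None if the version cannot be set."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol support is tested here, not certificate trust
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def http_redirects_to_https(host, timeout=5):
    """True if a plain-HTTP GET / is answered with a redirect to an https:// URL."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location") or ""
    conn.close()
    return resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")

def evaluate(results, redirect):
    """Map probe results (version name -> True/False/None) and the redirect check to a
    list of findings; an empty list means the Step 3 requirements are met."""
    findings = [f"{n} accepted: disable it on the server" for n in LEGACY if results.get(n)]
    if not any(results.get(n) for n in MODERN):
        findings.append("neither TLS 1.2 nor TLS 1.3 accepted")
    if not redirect:
        findings.append("HTTP does not redirect to HTTPS")
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder hostname
    observed = {n: probe_version(target, v) for n, v in {**LEGACY, **MODERN}.items()}
    print(evaluate(observed, http_redirects_to_https(target)) or ["all checks pass"])
```

Run it against your own hostname; a False for a legacy version on a client whose OpenSSL build no longer offers TLS 1.0 or 1.1 is not proof the server refuses it, so check the server configuration as well.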

Read our explanation of what an SSL certificate does and why it matters.

Encryption at rest
Personal data stored on your server, including your database, log files, and backup files, should be encrypted at rest.

This is less universally implemented than transit encryption. Ask your host specifically:

  • Is data encrypted at rest on the server?
  • Are database files encrypted?
  • Are backup files encrypted separately from the main server?

Some hosts include encryption at rest as standard. Others offer it only on higher-tier plans. Some do not offer it at all.

Step 4: Access Controls and Authentication

GDPR requires that access to personal data is restricted to authorised individuals only. At the hosting level, this means:

Two-factor authentication on all hosting accounts
Your hosting control panel, your SSH access, and any admin interfaces should require two-factor authentication. A compromised password alone should not be enough to access your server or your data.

Our step-by-step guide on setting up two-factor authentication for your hosting account covers the setup process.

Principle of least privilege
Only accounts that need access to personal data should have it. On your server, this means:

  • Database users should have only the permissions required for their function
  • SSH keys should be specific to individual users, not shared
  • File permissions should restrict access appropriately
  • Hosting account access should be reviewed when team members leave

Audit logging
You should be able to see who accessed what and when. This supports both internal monitoring and your ability to demonstrate compliance to a supervisory authority.

Ask your host: Do you provide access logs? How long are logs retained? Can I access logs directly or must I request them from support?

Step 5: Security Measures Required Under Article 32

Article 32 requires appropriate technical and organisational measures to ensure a level of security appropriate to the risk. For hosting, this includes:

Web Application Firewall
A WAF filters malicious traffic before it reaches your site and database. It protects against SQL injection, cross-site scripting, and other attacks that could expose personal data.

Read our web hosting firewall guide for what to look for.

DDoS Protection
A DDoS attack that takes your site offline affects the availability of personal data, which GDPR requires you to maintain. Always-on DDoS mitigation is part of your security posture.

Read about DDoS protection in hosting.

Malware Scanning
Malware on your server can exfiltrate personal data without any visible sign that something is wrong. Regular automated scanning with active remediation is required as part of your technical measures.

Intrusion Detection
Your hosting environment should monitor for unusual access patterns and alert you to potential breaches. This supports the 72-hour breach notification requirement under Article 33.

Read our complete secure hosting features guide for the full technical security checklist.

Step 6: Backup Policy and Data Retention

GDPR requires that personal data is not kept longer than necessary. Your backup policy creates a compliance challenge because backups contain historical personal data, including data you may have already deleted from your live system.

Your hosting backup setup must address:

Retention period
How long are backups kept? 30 days is common. Longer retention means older personal data stays in your backup files even after you have deleted it from your live database.

Backup encryption
Backup files containing personal data must be encrypted. Confirm that your host encrypts backup files and that they are stored separately from the main server.

Sub-processor chain
Where does your host store backups? If backups are stored on a third-party service, that service is a sub-processor under GDPR. It should be listed in your host’s DPA.

Deletion requests and backups
When a user exercises their right to erasure under Article 17, you delete their data from your live system. But their data remains in your backups for as long as those backups are retained.

Your compliance documentation should acknowledge this and explain your approach. The UK Information Commissioner’s Office guidance on erasure covers this specifically, including the position that technical impossibility of immediate backup deletion is an accepted limitation with appropriate documentation.

Step 7: Breach Detection and 72-Hour Notification

Article 33 requires that you report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it.

At the hosting level, this requires:

Active monitoring
You cannot report a breach you do not know about. Your hosting environment must include monitoring that can detect a breach and alert you quickly: real-time alerts, not weekly report summaries.

Defined incident response process
You need a clear process for what happens when your host alerts you to a potential breach. Who is notified internally? Who assesses the severity? Who files the report with the supervisory authority?

Host notification obligations
Under Article 33(2), a data processor (your host) must notify you of a breach without undue delay. Ask your host what their breach notification process is and how quickly they will contact you.

What to confirm with your host:

  • How do you detect security incidents affecting customer data?
  • What is your process for notifying customers of a breach?
  • What is your average time from detection to customer notification?
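The audit-logging point in Step 4 and the active-monitoring point above come together in a small detector, added here as an example that is not part of the original guide: it reads sshd-style auth log lines (constructed sample data using documentation IP ranges, not real traffic), flags a successful login that follows a burst of failures from the same address, and stamps each alert with the Article 33 reporting deadline. The threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample lines in sshd's syslog format (not real traffic).
SAMPLE_LOG = """\
2024-03-04T09:58:01Z host sshd[311]: Failed password for deploy from 203.0.113.7 port 50212 ssh2
2024-03-04T09:58:03Z host sshd[311]: Failed password for deploy from 203.0.113.7 port 50213 ssh2
2024-03-04T09:58:06Z host sshd[311]: Failed password for deploy from 203.0.113.7 port 50214 ssh2
2024-03-04T09:58:09Z host sshd[311]: Accepted password for deploy from 203.0.113.7 port 50215 ssh2
2024-03-04T10:02:44Z host sshd[312]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text):
    """Yield (timestamp, result, user, ip) for each sshd auth line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["result"], m["user"], m["ip"]

def find_suspicious_logins(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return alerts for a successful login preceded by at least `max_failures` failures
    from the same IP within `window` (an access pattern worth a real-time alert)."""
    failures = defaultdict(list)
    alerts = []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= max_failures:
            alerts.append({"ip": ip, "user": user, "detected_at": ts, "failures": len(recent)})
    return alerts

def notification_deadline(detected_at):
    """Article 33(1): report to the supervisory authority within 72 hours of awareness."""
    return detected_at + timedelta(hours=72)

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert, "report by", notification_deadline(alert["detected_at"]).isoformat())
```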

The GDPR Hosting Checklist

Use this before signing up with any hosting provider for a site processing EU personal data.

| Requirement | What to Confirm | Status |
|---|---|---|
| Data Processing Agreement | Provider will sign a DPA before you go live | Must have |
| Data location | Data centers in EU or EEA, or SCCs in place for non-EU | Must have |
| SSL and TLS configuration | TLS 1.2 or higher, automatic HTTPS redirect | Must have |
| Encryption at rest | Database and backup files encrypted | Strongly recommended |
| Two-factor authentication | Available on control panel and SSH | Must have |
| Web application firewall | Active by default, WordPress-aware rulesets | Must have |
| DDoS protection | Always-on, not reactive | Must have |
| Malware scanning | Daily automated scans with active remediation | Must have |
| Audit logging | Access logs available and retained for sufficient period | Recommended |
| Backup encryption | Backup files encrypted at rest | Must have |
| Backup retention policy | Documented and included in DPA sub-processor chain | Must have |
| Breach notification process | Host notifies you within defined timeframe | Must have |

Hosting Types and GDPR Suitability

Not every hosting type is equally suited to GDPR compliance.

| Hosting Type | GDPR Suitability | Key Consideration |
|---|---|---|
| Shared Hosting | Limited | Physical isolation absent, limited security controls |
| VPS Hosting | Good | Isolated resources, configurable security |
| Cloud Hosting | Strong | EU region selection, enterprise security available |
| Managed WordPress | Good for WP sites | Check DPA availability and data location |
| Dedicated Server | Strongest | Full physical isolation, maximum control |

Shared hosting is the weakest option for GDPR compliance. Physical resources are shared with other customers and security controls are limited. For sites collecting personal data beyond basic analytics, shared hosting creates compliance gaps that cannot be fully addressed at the application level.

Read our types of web hosting guide to understand the step-up options and what each one provides in terms of isolation and control.

Questions to Ask Any Host Before Going Live With EU Personal Data

  • Will you sign a Data Processing Agreement?
  • Where exactly is my data stored and processed?
  • Do you use sub-processors? Who are they and where are they located?
  • Is data encrypted in transit and at rest?
  • What is your breach detection and notification process?
  • How long are backups retained and are they encrypted?
  • Are your data centers in the EU or EEA? If not, what transfer mechanism applies?
  • Do you hold any certifications relevant to data protection such as ISO 27001 or SOC 2?

A Note on Ongoing Compliance

Getting your hosting setup right is the start, not the finish.

GDPR compliance requires ongoing attention. Data protection law evolves. Supervisory authority guidance changes. Your hosting provider may update their sub-processor list, change data center locations, or revise their DPA. You should review your hosting compliance posture at least annually.

The European Data Protection Board publishes guidelines and opinions that affect how GDPR is interpreted in practice. Monitoring these helps you stay ahead of changes before they become compliance issues.

Final Thoughts

GDPR-compliant hosting is not a product you buy. It is a configuration you build and a relationship you establish with a provider who takes data protection seriously.

The checklist in this guide gives you the minimum requirements. The questions give you the means to evaluate any provider honestly before you commit.

A hosting provider that cannot answer these questions clearly is not ready to be your data processor under GDPR. A provider that answers them confidently, in writing, and includes the right terms in their DPA is one worth trusting with your users’ data.

Browse our hosting reviews to compare how major providers approach data protection, DPA availability, and EU data center options before making your decision.
