GDPR in the Context of Cloud Computing Explained

Posted on 9 February 2026

Overview

The General Data Protection Regulation (GDPR) is a European framework that governs the processing of personal data. It aims to enhance individuals’ control and rights over their personal information and to enforce strict obligations for companies processing that information. 

In the cloud computing context, the cloud service provider (CSP) processes data on behalf of its customers and is therefore deemed the data processor or subprocessor. The customer acts either as the data controller or data processor, depending on the customer’s role. Compliance with GDPR is based on a shared responsibility model where the CSPs are responsible for implementing appropriate technical and organizational security measures while the customers remain liable for the data and the lawfulness of the processing. 

Key obligations for Cloud Service Providers

Article 28 of the GDPR lays out the requirements for a data processor that processes data on behalf of the data controller.

1. A written contract

The CSP and the customer must sign a data processing agreement which states the rights and obligations of each party concerning the protection of personal data. 

2. Appropriate technical and organizational security measures

To protect the personal data they process, CSPs must implement, and offer to their customers, appropriate security measures and features. Such measures and features include, inter alia, a robust information security management system (ISMS), business continuity plans, disaster recovery and backup services, encryption (in transit and at rest), regular vulnerability testing, and constant evaluation of security measures.

3. Assistance obligations 

The CSP must help the customer fulfil their GDPR obligations. This includes assisting with data subject requests, reporting possible data breaches, and providing necessary information to demonstrate compliance with GDPR, including allowing audits.

4. Use of Subprocessors

The CSP may only use subprocessors with the customer’s authorisation and must inform the customer of any intended changes. The CSP is liable for the acts and omissions of its subprocessors as for its own.

5. International Transfers 

Where personal data is transferred outside the European Economic Area (EEA), the CSP must ensure that appropriate safeguards are in place, such as the Standard Contractual Clauses (SCC) approved by the EU Commission. In general, the CSP must maintain full transparency with respect to the location of data.

GDPR compliance at UpCloud

UpCloud is a European cloud infrastructure provider subject to the laws and jurisdiction of the EU. We comply with GDPR and other European legislation on data and digital services, offering a truly sovereign European cloud. Therefore, our customers can be assured that our service can be used in full compliance with the European regulatory requirements.

The processing of personal data within our services is governed by our Data Processing Agreement (DPA), which forms an integral part of our Terms of Service. The DPA is specifically tailored for cloud computing, establishing a framework for data processing that defines parties’ responsibilities and safeguards for protection of the data.

Our customers retain full control over their data at all times. Through the UpCloud control panel, customers may select the data centre location for storage, delete their virtual servers and the data therein, and transfer data to another CSP or to an on-premise solution at any time. UpCloud will never transfer customers’ data from the chosen location without the customer’s explicit instruction.

To protect the confidentiality, integrity and availability of all personal data UpCloud processes, we maintain an ISO 27001 certified information security management system. In addition, we are a member of CISPE (Cloud Infrastructure Service Providers Europe) and certified to comply with the CISPE Code of Conduct. Both certifications are audited by a third-party auditor on an annual basis. UpCloud’s Information Security Policy is available here, and our ISO/IEC 27001 certification can be accessed here.

Should you have further queries on GDPR or data sovereignty, reach out to our team and we’d be happy to help.
