{"id":16,"date":"2026-02-09T10:09:39","date_gmt":"2026-02-09T08:09:39","guid":{"rendered":"https:\/\/upcloud.com\/global\/us\/2026\/02\/09\/gdpr-context-cloud-computing-explained\/"},"modified":"2026-02-09T10:09:39","modified_gmt":"2026-02-09T08:09:39","slug":"gdpr-context-cloud-computing-explained","status":"publish","type":"post","link":"https:\/\/upcloud.com\/global\/blog\/gdpr-context-cloud-computing-explained\/","title":{"rendered":"GDPR in the Context of Cloud Computing Explained"},"content":{"rendered":"\n

Overview<\/strong><\/h2>\n\n\n\n

The General Data Protection Regulation (GDPR)<\/strong><\/a> is a European framework that governs the processing of personal data. It aims to enhance individuals’ control and rights over their personal information and to enforce strict obligations for companies processing that information. <\/p>\n\n\n\n

In the cloud computing context, the cloud service provider (CSP) processes data on behalf of its customers and is therefore deemed the data processor <\/em>or subprocessor.<\/em> The customer acts either as the data controller or data processor, <\/em>depending on the customer\u2019s role. Compliance with GDPR is based on a shared responsibility model where the CSPs are responsible for implementing appropriate technical and organizational security measures while the customers remain liable for the data and the lawfulness of the processing. <\/p>\n\n\n\n

Key obligations for Cloud Service Providers<\/strong><\/h2>\n\n\n\n

Article 28 of the GDPR lays out the requirements of a data processor who processes data on behalf of the data controller.<\/p>\n\n\n\n

1. A written contract: <\/strong><\/p>\n\n\n\n

The CSP and the customer must sign a data processing agreement which states the rights and obligations of each party concerning the protection of personal data. <\/p>\n\n\n\n

2. Appropriate technical and organizational security measures:<\/strong><\/p>\n\n\n\n

To protect the personal data they process, CSPs must implement, and offer to their customers, appropriate security measures and features. Such measures and features include, inter alia<\/em>, a robust information security management system (ISMS), business continuity plans, disaster recovery and backup service, encryption (in transit and at rest),  regular vulnerability testing, and constant evaluation of security measures.<\/p>\n\n\n\n

3. Assistance obligations <\/strong><\/p>\n\n\n\n

The CSP must help the customer fulfil their GDPR obligations. This includes assisting with data subject requests, reporting possible data breaches, and providing necessary information to demonstrate compliance with GDPR, including allowing audits.<\/p>\n\n\n\n

4. Use of Subprocessors<\/strong><\/p>\n\n\n\n

The CSP may only use subprocessors with the customer\u2019s authorisation and must inform the customer of any intended changes. The CSP is liable for the acts and omissions of its subprocessors as for its own.<\/p>\n\n\n\n

5. International Transfers<\/strong> <\/p>\n\n\n\n

Where personal data is transferred outside the European Economic Area (EEA), the CSP must ensure that appropriate safeguards are in place, such as the Standard Contractual Clauses (SCC) approved by the EU Commission. In general, the CSP must maintain full transparency with respect to the location of data.<\/p>\n\n\n\n

GDPR compliance at UpCloud<\/strong><\/h2>\n\n\n\n

UpCloud is a European cloud infrastructure provider subject to the laws and jurisdiction of the EU. We complywith GDPR and other European legislation on data and digital services, offering  truly sovereign, European cloud. Therefore, our customers can be assured that our service can be used in full compliance with the European regulatory requirements.<\/p>\n\n\n\n

The processing of personal data within our services is governed by our Data Processing Agreement (DPA)<\/a>, which forms an integral part of our Terms of Service.<\/a> The DPA is specifically tailored for cloud computing, establishing a framework for data processing that defines parties\u2019 responsibilities and safeguards for protection of the data.<\/p>\n\n\n\n

Our customers retain full control over their data at all times. Through the UpCloud control panel, customers may select the data centre location for storage, delete their virtual servers and the data therein, transfer data to another CSP or to an on-premise solution at any time. UpCloud will never transfer customers\u2019 data from the chosen location without the customer\u2019s explicit instruction.<\/p>\n\n\n\n

To protect the confidentiality, integrity and availability of all personal data UpCloud processes, we maintain an ISO 27001 certified information security management system. In addition, we are a member of the CISPE (Cloud Infrastructure Service Providers Europe) and certified to comply with the CISPE Code of Conduct<\/a>. Both certifications are audited by a third-party auditor on an annual basis. UpCloud\u2019s Information Security Policy is available here<\/a>,  and our ISO\/IEC 27001 certification can be accessed here<\/a>.<\/p>\n\n\n\n

Should you have further queries on GDPR or data sovereignty, reach out to our team<\/a> and we\u2019d be happy to help.<\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Overview The General Data Protection Regulation (GDPR) is a European framework that governs the processing of personal data. It aims to enhance individuals’ control and […]<\/p>\n","protected":false},"author":109,"featured_media":73130,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"817,208,823,565,250,193","_relevanssi_noindex_reason":"Blocked by a filter function","footnotes":""},"categories":[16,10,13],"tags":[],"class_list":["post-16","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-upcloud-insights","category-data-security","category-data-sovereignty"],"acf":[],"_links":{"self":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/posts\/16","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/users\/109"}],"replies":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/comments?post=16"}],"version-history":[{"count":0,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/posts\/16\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/media?parent=16"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/categories?post=16"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/upcloud.com\/global\/wp-json\/wp\/v2\/tags?post=16"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}