Tech Insight

GDPR-Compliant Hosting: What Matters for German Clients

US cloud hosting is convenient but brings GDPR risks. What really counts when choosing hosting and how I handle it in projects.

By Robin Herbeck · 5 min read

Tags: GDPR, Hosting, Privacy, Server, Germany

This post is for freelancers, agencies, and decision-makers building websites for German clients. Not legal advice, but a practical take from project work. For legal questions, consult a privacy lawyer or data protection officer.

What Often Gets Overlooked

Many German business websites run on cloud platforms with a US parent company: AWS, Google Cloud, Vercel, Netlify. That's not automatically a problem, but it does take effort if you want to set things up in a GDPR-compliant way.

Since the Schrems II ruling by the European Court of Justice in 2020, data transfers to the US have been legally tricky. The EU-US Data Privacy Framework of July 2023 created a new basis, currently backed by an adequacy decision. Several legal challenges (including from NOYB) are pending, so the legal situation could shift again.

Anyone with German end customers should understand the risks and decide consciously.

What's Relevant for Website Operators

On every page load, data is transferred: IP address, browser data, sometimes more. If that data is processed on US servers or external US services are embedded, it's GDPR-relevant.

Common pitfalls:

  • Google Fonts loaded externally. Every page load sends the IP to Google. After a 2022 ruling by the Munich Regional Court, there was a wave of legal warnings in Germany. Self-hosting solves this.
  • US cloud hosting without proper configuration. Even with an EU data center, the provider remains subject to the US CLOUD Act. Not necessarily a no-go, but it requires a data processing agreement, a clean concept, and usually additional technical measures.
  • Google Analytics without consent. Several European data protection authorities (Austria, Italy, France) have flagged this. With valid cookie consent it's possible; without it, it isn't.
  • Contact forms via US services. Data ends up outside the EU, often without the client realizing.

My Default Setup

For most client projects I use a dedicated Linux server with a German hosting provider: data center in Germany, German company, German jurisdiction. It's not the only path to GDPR compliance, but for me it's the most convenient with the least explanation work for clients.

What that means in practice:

  • Data stays in Germany. No transatlantic transfer.
  • Data processing agreement with the host is standard, not a special case.
  • Full control over what runs on the server and where data is stored.
  • No vendor lock-in. Switching is always possible.

Anyone who doesn't want to manage their own server can get just as far with European providers like Hetzner Cloud, IONOS Cloud, OVH, or Scaleway. The selection has grown significantly.

What I Check on Every Project

Before a website goes live, I run through this checklist:

  • Fonts: Self-hosted, no external requests to Google or other third parties
  • Maps: Static images or OpenStreetMap instead of Google Maps with active tracking
  • Analytics: Privacy-friendly alternatives like Plausible or Matomo, or Google Analytics only with working cookie consent
  • Contact form: Data processed on your own server, no external services without a DPA
  • Email: Server with the German host or a GDPR-compliant provider like Mailbox.org or Posteo. Running your own mail server only pays off in rare cases
  • CDN: If needed at all, a European provider like BunnyCDN
  • Cookies: Only technically necessary ones without consent, everything else with real opt-in
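The first two pitfalls above (externally loaded Google Fonts, embedded US services) and the fonts, maps, analytics and CDN items of the checklist all come down to one question: which hosts does the browser actually contact when the page renders? The following script is an added example, not part of the original post or any tool the author uses. It parses a page's HTML and inline CSS for resource URLs (`script`, `link`, `img`, `iframe`, `srcset`, CSS `url()`), treats relative and `//`-style URLs correctly, ignores `data:` URIs, and reports every host that is not the site itself. The `KNOWN_THIRD_PARTIES` table and the `SAMPLE_HTML` page (with a placeholder Google Analytics ID and a made-up `cdn.example-us.com`) are constructed for the example.

```python
"""Report third-party hosts an HTML page would contact when rendered.

Added example: scans markup and inline CSS for resource URLs so that
externally loaded fonts, tag managers, map embeds and CDNs show up before
the site goes live. Run it against a saved copy of the page: it never
performs network requests itself.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed label table: hosts named in the post, used only to annotate findings.
KNOWN_THIRD_PARTIES = {
    "fonts.googleapis.com": "Google Fonts (CSS)",
    "fonts.gstatic.com": "Google Fonts (font files)",
    "www.googletagmanager.com": "Google Tag Manager / Analytics",
    "www.google-analytics.com": "Google Analytics",
    "maps.googleapis.com": "Google Maps",
    "www.google.com": "Google (Maps embed / reCAPTCHA)",
}

# Attributes that cause a request as soon as the page is rendered.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
}

# url(...) references inside CSS, e.g. @font-face src or background images.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs from markup attributes and <style> blocks."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url descriptor, url descriptor, ..."
                for candidate in value.split(","):
                    parts = candidate.strip().split()
                    if parts:
                        self.urls.append((tag, parts[0]))
            else:
                self.urls.append((tag, value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # html.parser hands <style> content through unparsed, so scan it for url().
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                self.urls.append(("css", url.strip()))


def host_of(url, page_host):
    """Host a URL resolves to; relative URLs belong to the page itself, data:/blob: to nobody."""
    parsed = urlparse(url, scheme="https")  # also resolves protocol-relative //host/path
    if parsed.scheme in ("data", "blob"):
        return None
    return (parsed.netloc or page_host).lower()


def find_third_party_resources(html, page_host, extra_css=""):
    """Return one finding per (tag, host) that is not the page's own host."""
    collector = ResourceCollector()
    collector.feed(html)
    urls = list(collector.urls) + [("css", u) for u in CSS_URL_RE.findall(extra_css)]
    findings, seen = [], set()
    for tag, url in urls:
        host = host_of(url, page_host)
        if host is None or host == page_host.lower():
            continue
        if (tag, host) in seen:
            continue
        seen.add((tag, host))
        findings.append({"tag": tag, "host": host,
                         "label": KNOWN_THIRD_PARTIES.get(host, "unknown third party")})
    return findings


# Constructed sample page: one self-hosted font, one Google Fonts link, a tag manager
# script with a placeholder ID, a Google Maps embed and a fictitious US CDN background.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/static/site.css">
<style>
@font-face { font-family: Inter; src: url("/fonts/inter.woff2") format("woff2"); }
.hero { background: url(//cdn.example-us.com/hero.jpg); }
</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="/img/logo.svg" alt="">
<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>
<img src="data:image/gif;base64,R0lGODlh" alt="">
</body></html>
"""

if __name__ == "__main__":
    for f in find_third_party_resources(SAMPLE_HTML, "example.de"):
        print(f"{f['tag']:<7} {f['host']:<32} {f['label']}")
```

On the sample page the scan flags the Google Fonts stylesheet, the CDN background image, the tag manager script and the Maps iframe, while the self-hosted font, local assets and the `data:` image pass. It only sees what is in the markup at scan time; resources injected later by JavaScript (a consent banner that loads Analytics after opt-in, for instance) need a check in the browser's network panel.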

When US Services Still Make Sense

I'm not a hardliner. There are scenarios where US services are the right call, even for German clients:

  • CDN for purely static assets without personal data
  • Development tools like GitHub, Vercel previews, or Sentry, as long as production data stays in Germany
  • SaaS that doesn't process end-customer data

Microsoft has rolled out the EU Data Boundary for many Microsoft 365 services; AWS and Google have EU subsidiaries with their own contractual structures. With proper configuration, GDPR-compliant work is possible there too.

My rule of thumb: As soon as personal data of end customers is processed regularly, the German or European solution is the simpler path for me. For pure developer tools I'm more relaxed.

GDPR as a Trust Advantage

Many see GDPR as a burden. In client conversations it's often the opposite: a point in your favor.

"Your website runs on a German server, all data stays in Germany, no US services in the background." That's a clear plus in B2B, in regulated industries, or with privacy-sensitive clients. For consumer-facing sites it sometimes matters less, but it never hurts.

Bottom Line

GDPR-compliant hosting is doable and not as complicated as it sounds. It's not about banning US services, but about consciously deciding where which data is processed.

Own server in Germany or a European cloud provider, self-hosted fonts, privacy-friendly tools, no unnecessary tracking. That covers most cases.

With Hetzner, IONOS, or similar providers, it's often even cheaper than AWS or Vercel. For very specific workloads it can be different, but for classic websites the math usually works out.
