
GDPR Data Residency: Where European Personal Data Can and Cannot Live

Reviewed by Opsio Engineering Team
Johan Carlsson

Country Manager, Sweden

AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia


"Data residency" is a phrase GDPR does not actually use. The regulation talks about international transfers in Chapter V (Articles 44-50), and the question of where personal data physically sits is only relevant insofar as it triggers a transfer regime. But the operational question every CISO and cloud architect actually asks — "can we store this customer data in this region of this hyperscaler?" — has become the dominant practical question two years after the EDPB's June 2023 guidelines on Article 3 territorial scope and three years after the European Commission's adequacy decision for the EU-US Data Privacy Framework in July 2023.

This piece is for cloud architects and CISOs running EU workloads on AWS, Azure, GCP, or sovereign-cloud alternatives. It maps where European personal data can sit lawfully, what the Schrems II transfer impact assessment actually requires, and where the EU sovereign-cloud strategy is heading in 2026.

The Article 44 Default Rule

Article 44 prohibits transfer of personal data to a third country or international organisation unless one of the Chapter V mechanisms applies. The mechanisms are layered:

  1. Adequacy decision (Article 45) — the European Commission has determined the destination provides essentially equivalent protection. As of 2026, valid adequacy decisions cover the UK, Switzerland, Canada (commercial), Japan, South Korea, Israel, New Zealand, Argentina, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, and the US under the Data Privacy Framework (for participating organisations only).
  2. Appropriate safeguards (Article 46) — Standard Contractual Clauses (SCC 2021/914), Binding Corporate Rules (BCR), approved codes of conduct, approved certification mechanisms.
  3. Derogations (Article 49) — explicit consent, contract necessity, important reasons of public interest, legal claims, vital interests. These are narrow and not for systematic transfers.

For routine cloud workloads, only adequacy and SCCs are operationally usable. BCRs are powerful but take 12-18 months to approve through a lead supervisory authority and are realistic only for global groups.

Schrems II and the Transfer Impact Assessment

The CJEU's Schrems II judgment (Case C-311/18, July 2020) invalidated Privacy Shield and held that controllers using SCCs must assess whether the destination country's law and practice provide protection essentially equivalent to GDPR. The 2024 EDPB Recommendations 01/2020 on supplementary measures formalised the six-step transfer impact assessment (TIA):

  1. Know your transfer — map data, processors, sub-processors, end recipients
  2. Identify the transfer tool (SCC, BCR, adequacy)
  3. Assess whether the third-country law affects the tool's effectiveness — particularly access by public authorities
  4. Adopt supplementary measures if needed (encryption, pseudonymisation, split processing)
  5. Take procedural steps if those measures require them
  6. Re-evaluate at appropriate intervals

Step 3 is where most TIAs fail. The controller has to evaluate the destination country's surveillance regime — for the US, that is FISA 702, EO 12333, and the Cloud Act; for China, the Personal Information Protection Law and the cybersecurity-review regime. The EDPB's European Essential Guarantees framework (necessity, proportionality, independent oversight, effective remedy) is the test. A copy-pasted TIA that does not engage with the actual legal regime will not survive a DPA inspection.

The 2023 EU-US Data Privacy Framework

The Commission's adequacy decision of 10 July 2023 covers data transfers to US organisations that self-certify under the Data Privacy Framework (DPF). Coverage is partial — the receiving organisation must appear on the Department of Commerce DPF list. Non-DPF transfers to the US still require SCCs plus a TIA. The DPF replaced Privacy Shield with a redress mechanism (the Data Protection Review Court) that the Commission found adequate; Schrems III litigation is already pending before the CJEU and a decision is expected in late 2026.

Operational implication: relying on DPF for a US sub-processor is workable today but not a long-term strategy without parallel SCC fallback ready. Most enterprise customers we advise sign SCCs alongside DPF coverage so a future invalidation does not leave the transfer route exposed.

Hyperscaler Region Choice and the Cloud Act Question

Storing data in an AWS Frankfurt region or an Azure North Europe region does not, on its own, prevent a transfer. If the cloud provider's parent corporate group is a US entity, US extraterritorial law (Cloud Act, FISA 702) may compel disclosure regardless of where the data physically sits. EDPB guidance on cloud (and the Düsseldorf Circle's January 2022 paper) treats this as a transfer in the legal sense even when no data crosses a border, because access from the third country can occur. This is the controversial "transfer by access" position; not every DPA agrees, but the conservative reading is to treat it as a transfer.

Three architectural responses exist:

  • EU region of US hyperscaler + SCC + TIA: gives you performance and a broad service catalogue; does not remove Cloud Act exposure and relies on supplementary measures.
  • EU sovereign cloud (S3NS, Bleu, AWS European Sovereign Cloud): gives you EU-controlled operations and EU-only personnel access; limited service catalogue, premium pricing, still maturing.
  • EU-incorporated provider (OVHcloud, Hetzner, IONOS, Stackit): gives you no US-parent dependency; smaller scale, fewer managed services, no native AI/ML breadth.

The new sovereign-cloud offerings — AWS European Sovereign Cloud (announced October 2023, first region in Brandenburg expected 2026), Microsoft EU Data Boundary (rolled out through 2024-2025), Google's S3NS partnership with Thales in France, and Bleu (Capgemini/Orange/Microsoft) targeting French SecNumCloud qualification — represent a serious effort to address the Cloud Act gap, but enterprise readiness varies. Customers running highly sensitive special-category data under Article 9 should evaluate at least the EU-incorporated-provider option in the architecture mix.

Encryption as a Supplementary Measure

The EDPB's 2021 guidance on supplementary measures lists encryption with keys held exclusively by the data exporter (or an EU-located trustee) as effective for storage and transit scenarios. The unresolved question is encryption-in-use. Confidential computing (Intel SGX, AMD SEV-SNP, AWS Nitro Enclaves, Azure Confidential VMs) is increasingly cited in TIAs, but no DPA has yet definitively confirmed it as an Article 46(2) supplementary measure. The conservative architecture treats confidential computing as defence-in-depth, not as the sole control.

BYOK and HYOK key-management patterns matter here. AWS KMS with an external key store backed by an HSM in your data centre, Azure Key Vault Managed HSM, GCP Cloud KMS with EKM — each lets the customer hold the root of trust. Combined with envelope encryption and break-glass procedures, this is the most defensible storage pattern for special-category data.
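To make the "keys held exclusively by the data exporter" pattern concrete, here is an added example in Go (written for this article; it is not Opsio's code and not any provider's SDK) of envelope encryption with an exporter-held root key. It assumes a hypothetical ExporterKMS type standing in for the HSM in your own data centre, uses AES-256-GCM for both the payload and the key wrap (a real external key store uses its own wrapping format), and binds each wrapped data key to its record ID so wrapped keys cannot be swapped between objects. The point it demonstrates: everything that lands in the cloud region (ciphertext plus wrapped DEK) is unreadable without the KEK, so a disclosure demand served on the provider yields only ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ExporterKMS models the key store the data exporter controls (an HSM in its
// own data centre or an EU-located trustee). Hypothetical type for this example:
// only the KEK lives here and the only operations are wrap/unwrap of data keys.
type ExporterKMS struct {
	kek []byte // 256-bit key-encryption key; never leaves this struct
}

func NewExporterKMS() (*ExporterKMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &ExporterKMS{kek: kek}, nil
}

// sealGCM encrypts with AES-256-GCM and prefixes the random 96-bit nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any tampering with nonce, ciphertext or AAD fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// WrapDataKey binds the wrapped DEK to its record via AAD, so a wrapped key
// copied onto another object cannot be unwrapped for it.
func (k *ExporterKMS) WrapDataKey(dek []byte, recordID string) ([]byte, error) {
	return sealGCM(k.kek, dek, []byte(recordID))
}

func (k *ExporterKMS) UnwrapDataKey(wrapped []byte, recordID string) ([]byte, error) {
	return openGCM(k.kek, wrapped, []byte(recordID))
}

// StoredObject is everything the cloud region ever holds. Neither the KEK nor
// the plaintext DEK is ever sent to the provider.
type StoredObject struct {
	RecordID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt is envelope encryption: fresh DEK per object, payload sealed under
// the DEK, DEK sealed under the exporter's KEK, plaintext DEK then discarded.
func Encrypt(kms *ExporterKMS, recordID string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDataKey(dek, recordID)
	if err != nil {
		return nil, err
	}
	for i := range dek { // best-effort zeroisation of the plaintext DEK
		dek[i] = 0
	}
	return &StoredObject{RecordID: recordID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt is the only path back to plaintext and runs on the exporter side,
// because it needs the KMS to unwrap the DEK first.
func Decrypt(kms *ExporterKMS, obj *StoredObject) ([]byte, error) {
	dek, err := kms.UnwrapDataKey(obj.WrappedDEK, obj.RecordID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, obj.Ciphertext, []byte(obj.RecordID))
}

// ProviderSideRead models a disclosure demand served on the provider: it holds
// the stored object but not the KEK, so any key it tries fails authentication.
func ProviderSideRead(obj *StoredObject) ([]byte, error) {
	foreign := &ExporterKMS{kek: make([]byte, 32)} // any key other than the exporter's
	return Decrypt(foreign, obj)
}

func main() {
	kms, err := NewExporterKMS()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; in practice this is the special-category payload.
	obj, err := Encrypt(kms, "patient-0001", []byte("constructed sample: Article 9 record"))
	if err != nil {
		panic(err)
	}
	pt, _ := Decrypt(kms, obj)
	_, provErr := ProviderSideRead(obj)
	fmt.Printf("exporter decrypts: %q\nprovider without KEK: %v\n", pt, provErr)
}
```

Break-glass in this design means a controlled, logged path to UnwrapDataKey on the exporter's HSM, not a copy of the KEK in the cloud; the moment the KEK is exportable to the provider, the supplementary measure stops being one.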

Sectoral Residency Rules That Override GDPR Choice

Member state law adds residency requirements GDPR itself does not impose:

  • French Health Data Hosting (HDS) — health data must be hosted by an HDS-certified provider; not all EU regions of major hyperscalers are HDS-certified.
  • German social-security data — §80 SGB X imposes additional restrictions on cross-border processing of social-security data.
  • Swedish public-sector data — the Public Access to Information and Secrecy Act and the new säkerhetsskyddslagen impose restrictions on classified information that effectively bar US-parent cloud for certain workloads.
  • Banking secrecy laws — Luxembourg, Switzerland, and several other jurisdictions add bank-secrecy constraints on top of GDPR.

Sectoral overlay is the area most often missed in cloud-architecture decisions. A GDPR-compliant transfer can still violate a national health-data residency rule. Run the TIA and the sector-law check.
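The following added example (written for this article, not Opsio's tooling) encodes the Chapter V layering from the Article 44 section, the partial coverage of the DPF adequacy decision, the conservative "transfer by access" reading for EU regions of US-parent providers, and the sectoral overlays listed above as a single screening function. The Transfer and Decision types, the data-category labels and the use of ISO country codes are assumptions of the example; the adequacy list is the one the article gives. It is a screening aid for a transfer register, not a substitute for the step 3 legal analysis.

```go
package main

import (
	"fmt"
	"strings"
)

// Transfer is one row of the data map from TIA step 1 (hypothetical struct).
type Transfer struct {
	Destination        string // ISO 3166-1 alpha-2 code of the hosting country
	USParentProvider   bool   // provider group is a US entity (Cloud Act / FISA 702 reach)
	RecipientOnDPFList bool   // US recipient appears on the Department of Commerce DPF list
	DataCategory       string // "general", "health", "social-security", "public-sector-classified", "banking"
	ControllerCountry  string // member state whose sectoral law applies to the controller
	HostHDSCertified   bool   // hosting provider holds French HDS certification
}

// Decision is the lawful route plus the checks that still have to happen.
type Decision struct {
	Mechanism   string
	TIARequired bool
	Flags       []string
}

// EEA countries: hosting here with an EU-controlled provider is not a Chapter V transfer.
var eea = map[string]bool{
	"AT": true, "BE": true, "BG": true, "HR": true, "CY": true, "CZ": true, "DK": true,
	"EE": true, "FI": true, "FR": true, "DE": true, "GR": true, "HU": true, "IE": true,
	"IT": true, "LV": true, "LT": true, "LU": true, "MT": true, "NL": true, "PL": true,
	"PT": true, "RO": true, "SK": true, "SI": true, "ES": true, "SE": true,
	"IS": true, "LI": true, "NO": true,
}

// Article 45 adequacy decisions as listed in the article (Canada: commercial
// organisations only). The US is handled separately: DPF depends on the recipient.
var adequacy = map[string]bool{
	"GB": true, "CH": true, "CA": true, "JP": true, "KR": true, "IL": true, "NZ": true,
	"AR": true, "UY": true, "AD": true, "FO": true, "GG": true, "IM": true, "JE": true,
}

// Route applies the Article 44 layering, then the sectoral overlay.
func Route(t Transfer) Decision {
	var d Decision
	switch {
	case eea[t.Destination] && !t.USParentProvider:
		d.Mechanism = "no Chapter V transfer (EEA hosting, EU-controlled provider)"
	case eea[t.Destination] && t.USParentProvider:
		// Conservative reading: the US parent can be compelled regardless of region.
		d.Mechanism = "Article 46 SCC (transfer by access)"
		d.TIARequired = true
		d.Flags = append(d.Flags, "Cloud Act / FISA 702 exposure: supplementary measures needed (exporter-held keys)")
	case t.Destination == "US" && t.RecipientOnDPFList:
		d.Mechanism = "Article 45 adequacy (EU-US DPF, recipient listed)"
		d.Flags = append(d.Flags, "keep SCC + TIA fallback ready: Schrems III pending")
	case adequacy[t.Destination]:
		d.Mechanism = "Article 45 adequacy decision"
	default:
		// Article 49 derogations are not for systematic transfers, so SCCs are the route.
		d.Mechanism = "Article 46 SCC"
		d.TIARequired = true
	}
	d.Flags = append(d.Flags, sectorFlags(t)...)
	return d
}

// sectorFlags returns the member-state residency rules that override the GDPR choice.
func sectorFlags(t Transfer) []string {
	var f []string
	switch t.DataCategory {
	case "health":
		if t.ControllerCountry == "FR" && !t.HostHDSCertified {
			f = append(f, "FR HDS: health data must be hosted by an HDS-certified provider")
		}
	case "social-security":
		if t.ControllerCountry == "DE" && t.Destination != "DE" {
			f = append(f, "DE §80 SGB X: additional restrictions on cross-border processing")
		}
	case "public-sector-classified":
		if t.ControllerCountry == "SE" && t.USParentProvider {
			f = append(f, "SE säkerhetsskyddslagen / secrecy act: US-parent cloud effectively barred for this workload")
		}
	case "banking":
		if t.ControllerCountry == "LU" || t.ControllerCountry == "CH" {
			f = append(f, "bank-secrecy constraints apply on top of GDPR")
		}
	}
	return f
}

func main() {
	// Constructed scenarios for illustration.
	for _, s := range []Transfer{
		{Destination: "DE", USParentProvider: true, DataCategory: "general"},
		{Destination: "US", RecipientOnDPFList: true, DataCategory: "general"},
		{Destination: "FR", USParentProvider: true, DataCategory: "health", ControllerCountry: "FR"},
	} {
		d := Route(s)
		fmt.Printf("%s (US parent: %v): %s; TIA required: %v; flags: %s\n",
			s.Destination, s.USParentProvider, d.Mechanism, d.TIARequired, strings.Join(d.Flags, " | "))
	}
}
```

The two maps are the parts that change: adequacy decisions get adopted and withdrawn, and a DPF listing lapses when the recipient stops recertifying, so both belong in reviewed configuration rather than code, with the review date recorded for TIA step 6.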

How Opsio Helps

Opsio designs cloud-residency architectures for European customers running on AWS, Azure, GCP, and EU sovereign clouds. Our work covers transfer impact assessments to the EDPB Recommendations 01/2020 standard, region-and-provider selection against sectoral overlays, key-management design for BYOK and HYOK patterns, and the documentation that supervisory authorities expect during inspections. We integrate the residency programme into broader GDPR readiness review work and pair it with cloud security consulting and NIS2 compliance work for European enterprises, so the same architecture supports multiple regulatory regimes.

About the Author

Johan Carlsson

Country Manager, Sweden at Opsio

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.