12 November 2025
Why "our data is stored in the EU" doesn't automatically mean you're GDPR compliant
It's one of the most common misconceptions in data protection. Where data is stored is only one piece of the puzzle, and often not the most important one.
Catenary Ltd
828 words · 5 min read
If you've ever asked a software vendor about their GDPR compliance, you've probably received some version of the following response: "All data is stored in our EU data centres."
It's a reassuring-sounding answer. It's also, on its own, largely meaningless.
Where data is physically stored matters, but it's one factor among many, and for a significant category of problems it's not the relevant factor at all. Understanding why helps you ask better questions of your vendors and make better decisions about your own data infrastructure.
What "stored in the EU" actually addresses
The GDPR places restrictions on transferring personal data outside the UK/EEA. If your data never leaves the EEA, you avoid a specific category of compliance problem: international transfer restrictions.
That's real and it matters. The Schrems rulings invalidated two successive EU-US data transfer frameworks precisely because US surveillance law gave American intelligence agencies access to data that EU law was supposed to protect. Keeping data physically within the EEA removes one avenue for that kind of access.
But it only removes one of many avenues.
What it doesn't address
Who owns the company? A data centre in Frankfurt owned by a US company is still subject to US law for certain purposes. FISA Section 702, for example, can compel US-headquartered companies to produce data regardless of where it's physically stored. The physical location of the servers is less important than the corporate structure and jurisdiction of the entity that controls them.
This is why "EU data centres" from AWS, Google, or Microsoft offers less protection than it might appear. Amazon, Google, Salesforce and Microsoft are US companies. EU-based servers don't change that.
Who has access? Data can be accessed from outside the EU without being "transferred" in the legal sense. If a US-based support team can log into a system and see your customers' personal data, that's effectively an international transfer of data — even if the server never moves.
What are you actually doing with the data? The GDPR isn't primarily about where the data is stored. It's about the lawful basis for processing, transparency, data minimisation, purpose limitation, retention periods, security measures, and individual rights. None of those are addressed by a statement about data centre locations.
What are your processors doing? If you use third-party services such as email marketing platforms, analytics tools or CRM systems, each of those is a data processor. You're responsible for their compliance too. A vendor can host your data in the EU while that data is simultaneously flowing to a US analytics platform through a tracking pixel on your website.
The questions worth asking instead
When evaluating a vendor or assessing your own compliance, the data centre location question is worth asking, but it should be the start of a conversation, not the end of it. We cover the full set of questions worth asking in what to ask a cloud provider before you sign up.
More useful questions:
Who is the parent company and where is it incorporated? A company incorporated in the US, regardless of where it operates its servers, is subject to US legal process.
Who has access to data, and from where? Can support staff based outside the EU access your data? Under what circumstances? With what controls?
What is your sub-processor list? Every vendor you use likely uses other vendors in turn. You're entitled to know who they are and where they operate.
How do you handle data subject requests? If one of your customers requests access to their data or asks for it to be deleted, can the vendor support that within the required timeframes?
What is your breach notification process? You have 72 hours to report a notifiable breach to the ICO. Does your vendor commit to notifying you within a timeframe that makes that possible?
What does your DPA look like? A Data Processing Agreement is legally required when you engage a processor. If a vendor is reluctant to sign one, or their template is full of carve-outs, that tells you something.
The underlying point
GDPR compliance is a set of practices, not a location. You can be fully compliant while storing data in a UK data centre, and you can be thoroughly non-compliant while storing it in three separate EU locations.
The "EU data centre" response has become a reflexive answer because it sounds technical and reassuring, and it deals with one real concern. But it's often used to avoid engaging with the harder questions: questions about corporate structure, access controls, sub-processors, and actual data handling practices.
When you're evaluating vendors or reviewing your own compliance position, push past the location answer. The harder questions are where the real risks live.
If you'd like help working through your supplier relationships from a data protection perspective, we're happy to help.