{"id":3052,"date":"2025-11-27T09:00:00","date_gmt":"2025-11-27T07:00:00","guid":{"rendered":"https:\/\/35x.de\/?p=3052"},"modified":"2025-11-26T16:13:30","modified_gmt":"2025-11-26T14:13:30","slug":"dsgvo-bluff-capping","status":"publish","type":"post","link":"https:\/\/35x.de\/en\/cloud-basics\/dsgvo-bluff-capping\/","title":{"rendered":"The GDPR bluff: Why a server in Frankfurt won't automatically save you (and encryption is more than just a tick box)"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"3052\" class=\"elementor elementor-3052\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2c5b4c36 e-flex e-con-boxed e-con e-parent\" data-id=\"2c5b4c36\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-44de09a5 elementor-widget elementor-widget-heading\" data-id=\"44de09a5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">The GDPR bluff: Why a server in Frankfurt won't automatically save you (and encryption is more than just a tick box)<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1a225fbe e-flex e-con-boxed e-con e-parent\" data-id=\"1a225fbe\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-41c0c7dd e-con-full e-flex e-con e-child\" data-id=\"41c0c7dd\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4258b6ad elementor-widget elementor-widget-text-editor\" data-id=\"4258b6ad\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Discussions about GDPR compliance in the cloud often end in a dead end of country abbreviations: \u201eUS cloud bad, EU cloud good.\u201c But reducing cloud security to geography overlooks the crucial technical point:\u00a0<strong>Who actually controls the data while it is being processed?<\/strong><\/p><p>The reality is inconvenient: a German location is not a security feature, and a US provider is not an automatic risk. What counts is the architecture.<\/p><p>Let's dispel three dangerous myths.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-46cf79d4 e-con-full e-flex e-con e-child\" data-id=\"46cf79d4\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-46edd29b elementor-widget elementor-widget-image\" data-id=\"46edd29b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"724\" height=\"1024\" src=\"https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-724x1024.jpg\" class=\"attachment-large size-large wp-image-3054\" alt=\"GDPR and encryption\" srcset=\"https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-724x1024.jpg 724w, https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-212x300.jpg 212w, https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-768x1087.jpg 768w, https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-1085x1536.jpg 1085w, https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-8x12.jpg 8w, https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung.jpg 1125w\" sizes=\"(max-width: 724px) 100vw, 724px\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-43d09c18 e-flex e-con-boxed e-con e-parent\" data-id=\"43d09c18\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5487d2e6 elementor-widget elementor-widget-heading\" data-id=\"5487d2e6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Myth 1: \u201eA European provider is automatically secure and GDPR-compliant\u201c<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-6496b291 e-flex e-con-boxed e-con e-parent\" data-id=\"6496b291\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4eafc727 elementor-widget elementor-widget-text-editor\" data-id=\"4eafc727\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This is perhaps the biggest fallacy. 
It is an unpleasant truth that is rarely spoken out loud in the industry: a data center in Germany does not guarantee modern security standards.<\/p><p>Time and again, we see \u201esovereign cloud\u201c providers who proudly claim to be GDPR compliant but are years behind in terms of technology.<\/p><ul><li><strong>Lack of encryption:<\/strong>\u00a0Some local \u201epublic clouds\u201c do not even offer <em>encryption at rest<\/em> as a standard feature, something the hyperscalers have offered for well over a decade.<\/li><li><strong>Outdated admin architectures:<\/strong>\u00a0Without modern hardware isolation (such as the AWS Nitro System), an administrator in the data center can often log in to the very host that runs your workload; on the global platforms that path is far harder to take.<\/li><\/ul><p><strong>The provocative question is:<\/strong>\u00a0Which would you rather have? A provider in Frankfurt whose admins could, in theory, read your unencrypted data via SSH because the architecture is outdated? Or a US provider whose architecture locks its own staff out, so that it technically <em>cannot<\/em> access your data at all?<\/p><p>GDPR compliance requires \u201eappropriate technical and organizational measures\u201c (TOMs, Art. 32 GDPR). 
A provider that does not provide this technology is not compliant - no matter how German its postal address is.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1ef7e547 e-flex e-con-boxed e-con e-parent\" data-id=\"1ef7e547\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-32c19aae elementor-widget elementor-widget-heading\" data-id=\"32c19aae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Myth 2: \u201eEncryption at rest is enough.\u201c<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-25a6c5a0 e-con-full e-flex e-con e-child\" data-id=\"25a6c5a0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7688e401 elementor-widget elementor-widget-text-editor\" data-id=\"7688e401\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Many companies check the \u201eEncryption at rest\u201c box and sit back. 
This is negligent.<\/p><ul><li><strong>The problem:<\/strong>\u00a0With standard encryption (provider-managed keys), the provider generates, stores and uses the keys; its own services decrypt your data on every read. Even \u201ecustomer-managed\u201c keys that live inside the provider's key management service only change who may use the key, not who holds it: the provider's HSMs still perform every decryption.<\/li><li><strong>The consequence:<\/strong>\u00a0If an authority (whether from the USA or Europe) demands the release of data, the provider is technically able to decrypt it and can be legally forced to do so.<\/li><li><strong>Conclusion:<\/strong>\u00a0<em>Encryption at rest<\/em>\u00a0protects you against the theft of a hard disk from the data center (and against a decommissioned disk being read), but not against a legal order served on the provider, because the provider can answer that order with plaintext.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-46e86c06 e-flex e-con-boxed e-con e-parent\" data-id=\"46e86c06\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-17dc05b5 elementor-widget elementor-widget-heading\" data-id=\"17dc05b5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Myth 3: \u201eUS clouds are illegal because of the CLOUD Act.\u201c<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1bb1eea7 e-con-full e-flex e-con e-child\" data-id=\"1bb1eea7\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-42b26e53 elementor-widget elementor-widget-text-editor\" data-id=\"42b26e53\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The CLOUD Act is a risk, but not a blanket ban. It only reaches data that is within the provider's \u201ePossession, Custody, or Control\u201c. 
The solution is technical, not political: if you hold the keys in such a way that the provider has no technical access to the plaintext, a disclosure order runs into nothing. Where there is no access, nothing can be released.<\/p><p><strong>The real challenge: data-in-use &amp; the \u201ekill switch\u201c<\/strong><\/p><p>The GDPR is less interested in geography than in the question:\u00a0<strong>Who controls the plaintext?<\/strong>\u00a0This is where two technologies come into play that enable true digital sovereignty:<\/p><ol><li><strong>Hardware isolation instead of trust (the Nitro principle)<\/strong><br \/>For a long time the following was true: whoever runs the server can look into its RAM. With modern architectures this is no longer the case. The\u00a0<strong>AWS Nitro System<\/strong>\u00a0is designed so that the cloud operator has no administrative access to the host at all (no SSH, no interactive shell). An independent review by NCC Group (2023) found no mechanism by which an AWS operator could access customer content on a Nitro-based EC2 instance, including its memory (\u201eno operator access\u201c). This also protects data during processing. Note what kind of guarantee this is: an audited design property of the operator's platform, not something your workload can verify for itself. If you need the latter, look at attestable enclaves (AWS Nitro Enclaves, or confidential VMs on AMD SEV-SNP or Intel TDX), where the workload proves its own identity and the host is excluded by hardware.<\/li><li><strong>The ultimate emergency stop: External Key Stores (XKS)<\/strong><br \/>You only have real sovereignty when you take the \u201eroot of trust\u201c out of the cloud. 
With an\u00a0<strong>External Key Store (XKS)<\/strong>\u00a0the root key lives in a hardware security module that you (or a trustee) operate outside the cloud; AWS KMS never holds the key material itself.<\/li><\/ol><ul><li><strong>The effect:<\/strong>\u00a0Whenever AWS KMS has to encrypt or decrypt a data key, it calls out through the XKS proxy to your key store. The external key never leaves your HSM; only the wrapped data key travels.<\/li><li><strong>The kill switch:<\/strong>\u00a0If you disconnect the key store (or block the proxy), no new decryption is possible and the data in the cloud is unreadable ciphertext. Two caveats a practitioner should know: a service that already holds a plaintext data key in memory or in a data-key cache (an S3 Bucket Key, for example) keeps working until that key is dropped, so the switch is immediate for new requests, not for work already in flight; and the dependency cuts both ways, because your HSM and its network path now sit on the critical path of every read.<\/li><li><strong>Legal consequence:<\/strong>\u00a0Even under duress the provider <em>cannot<\/em> hand over readable data to an authority, because it does not have the key.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-37401bd4 e-flex e-con-boxed e-con e-parent\" data-id=\"37401bd4\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4ce2af97 elementor-widget elementor-widget-heading\" data-id=\"4ce2af97\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Sovereignty is an architectural decision<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-784031f0 e-con-full e-flex e-con e-child\" data-id=\"784031f0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f0002e3 elementor-widget elementor-widget-text-editor\" data-id=\"f0002e3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>GDPR-compliant cloud use is possible, even with US hyperscalers. But it does not happen by itself.<\/p><p>Stop relying on location. 
Ask the hard technical questions instead:<\/p><ol><li><strong>Who has the key?<\/strong>\u00a0(The answer must be: Me - or a trustee, not the cloud provider alone).<\/li><li><strong>Is there hardware isolation?<\/strong>\u00a0(Protection against admin access in the data center.)<\/li><li><strong>What happens if I pull the plug?<\/strong>\u00a0(Is the data then unreadable?)<\/li><\/ol><p>Those who answer these questions in a technically sound manner will build a fortress that is more secure and compliant than many a \u201esovereign cloud\u201c, which only advertises its location but fails when it comes to security.<\/p><p>Digital sovereignty does not start on the map. It begins in the architecture.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-0268fc9 e-flex e-con-boxed e-con e-parent\" data-id=\"0268fc9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-525fa2a elementor-widget elementor-widget-text-editor\" data-id=\"525fa2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If you want to know more about safe <a href=\"https:\/\/35x.de\/en\/services\/cloud-migration\/well-architected\/\">Cloud architectures<\/a> and data protection, we recommend that you read our other <a href=\"https:\/\/35x.de\/en\/european-sovereign-cloud\/aws-european-sovereign-cloud\/\">Technical article<\/a> on the website. 
There we offer in-depth analyses and practical solutions for your digital sovereignty.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Der DSGVO-Bluff: Warum ein Server in Frankfurt Sie nicht automatisch rettet (und Verschl\u00fcsselung mehr ist als ein H\u00e4kchen) Diskussionen \u00fcber DSGVO-Konformit\u00e4t in der Cloud enden oft in einer Sackgasse aus L\u00e4nderk\u00fcrzeln: \u201eUS-Cloud b\u00f6se, EU-Cloud gut.\u201c Doch wer Cloud-Sicherheit auf Geografie reduziert, \u00fcbersieht den entscheidenden technischen Punkt:\u00a0Wer kontrolliert eigentlich die Daten, w\u00e4hrend sie verarbeitet werden? Die [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3054,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"disabled","ast-breadcrumbs-content":"","ast-featured-img":"disabled","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[13,28],"tags":[15,8,17],"class_list":["post-3052","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-basics","category-european-sovereign-cloud","tag-architekturkonzept","tag-blog-post","tag-cloud-journey"],"uagb_featured_image_src":{"full":["https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung.jpg",1125,1592,false],"thumbnail":["https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-150x150.jpg",150,150,true],"medium":["https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-212x300.jpg",212,300,true],"medium_large":["https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-768x1087.jpg",768,1087,true],"large":["https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-724x1024.jpg",724,1024,true],"1536x1536":["https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-1085x1536.jpg",1085,1536,true],"2048x2048":["https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung.jpg",1125,1592,false],"trp-custom-language-flag":["https:\/\/35x.de\/wp-content\/uploads\/2025\/11\/dsgvo-und-verschlusselung-8x12.jpg",8,12,true]},"uagb_author_info":{"display_name":"Thomas Ristic","author_link":"https:\/\/35x.de\/en\/author\/admin\/"},"uagb_comment_info":0,"uagb_excerpt":"Der DSGVO-Bluff: Warum ein Server in Frankfurt Sie nicht automatisch rettet (und Verschl\u00fcsselung mehr ist als ein H\u00e4kchen) Diskussionen \u00fcber DSGVO-Konformit\u00e4t in der Cloud enden oft in einer Sackgasse aus L\u00e4nderk\u00fcrzeln: \u201eUS-Cloud b\u00f6se, EU-Cloud gut.\u201c Doch wer Cloud-Sicherheit auf Geografie reduziert, \u00fcbersieht den entscheidenden technischen Punkt:\u00a0Wer kontrolliert 
eigentlich die Daten, w\u00e4hrend sie verarbeitet werden? Die&hellip;","_links":{"self":[{"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/posts\/3052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/comments?post=3052"}],"version-history":[{"count":8,"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/posts\/3052\/revisions"}],"predecessor-version":[{"id":3061,"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/posts\/3052\/revisions\/3061"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/media\/3054"}],"wp:attachment":[{"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/media?parent=3052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/categories?post=3052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/35x.de\/en\/wp-json\/wp\/v2\/tags?post=3052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
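The envelope-encryption model behind Myth 2 (provider-managed keys) and the XKS kill switch in Myth 3, as an added worked example; it is not code from the original article and not the AWS KMS or XKS API. It is a self-contained Go model with constructed names: `KeyStore` stands in for whoever holds the root (wrapping) key (the provider's KMS in the managed-key case, the customer's own HSM behind the XKS proxy in the external case), `Cloud` for the provider's storage service, and `DisclosureOrder` for an order served on the provider. It goes one step beyond the text by also modelling a cached plaintext data key, the gap the article's caveat describes. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal/open: AES-256-GCM, random nonce prepended; keys in this model are always 32 bytes.
func seal(key, plaintext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on supported platforms
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// KeyStore holds the root (wrapping) key; only wrapped data keys ever cross this boundary.
// Whoever operates it owns Connected: the provider for "managed keys", your own HSM for XKS.
type KeyStore struct {
	rootKey   []byte
	Connected bool
}

func NewKeyStore() *KeyStore {
	k := make([]byte, 32)
	rand.Read(k)
	return &KeyStore{rootKey: k, Connected: true}
}

// call runs a wrap (seal) or unwrap (open) under the root key, or fails if the store is cut off.
func (k *KeyStore) call(op func(key, in []byte) ([]byte, error), in []byte) ([]byte, error) {
	if !k.Connected {
		return nil, errors.New("key store unreachable")
	}
	return op(k.rootKey, in)
}

// Cloud is the provider's storage doing envelope encryption: at rest it holds only
// {wrapped DEK, ciphertext} per object. dekCache models plaintext data keys a running
// service keeps in memory (as an S3 Bucket Key does); a kill switch does not clear it.
type Cloud struct {
	keys     *KeyStore
	objects  map[string][2][]byte
	dekCache map[string][]byte
}

func NewCloud(ks *KeyStore) *Cloud {
	return &Cloud{keys: ks, objects: map[string][2][]byte{}, dekCache: map[string][]byte{}}
}

func (c *Cloud) Put(name string, plaintext []byte) error {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped, err := c.keys.call(seal, dek) // wrap the DEK; the root key stays in the store
	if err != nil {
		return err
	}
	ct, _ := seal(dek, plaintext)
	c.objects[name] = [2][]byte{wrapped, ct}
	return nil
}

// Get decrypts an object; the key store is called only if its DEK is not cached.
func (c *Cloud) Get(name string) ([]byte, error) {
	obj := c.objects[name] // unknown name: zero value, rejected by open as "too short"
	dek, cached := c.dekCache[name]
	if !cached {
		var err error
		if dek, err = c.keys.call(open, obj[0]); err != nil {
			return nil, err
		}
		c.dekCache[name] = dek
	}
	return open(dek, obj[1])
}

// DisclosureOrder: an order served on the provider, starting cold (no cached DEKs).
func DisclosureOrder(c *Cloud, name string) ([]byte, error) {
	c.dekCache = map[string][]byte{}
	return c.Get(name)
}

func main() {
	hsm := NewKeyStore() // the customer's HSM behind the XKS proxy
	c := NewCloud(hsm)
	_ = c.Put("r1", []byte("constructed sample record"))
	hsm.Connected = false // kill switch
	_, err := DisclosureOrder(c, "r1")
	println("order after disconnect:", err.Error())
}
```

With a provider-owned `KeyStore` the order always succeeds, because the provider can reach the root key; with the customer-owned store the order fails the moment `Connected` is false, while a `Get` that still has the DEK cached keeps returning plaintext until the cache is dropped. That is the whole argument of the article in three function calls: what matters is who can reach the wrapping key, not where the bytes are stored.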