GDPR-Compliant Web Hosting for Irish & EU Businesses
A solicitor in Galway rang us last March. Her small firm's website had been running on a US-based shared host for years — the kind with a shamrock in the logo and a .ie domain reseller deal. A client, who happened to work in data protection, had asked her directly whether the site stored contact-form data in the EU. She did not know. She looked at the DPA (she had never read it). There was no data residency clause. The hosting company was headquartered in Texas, its CDN was Cloudflare US, its email processor was in California. In theory, every form submission on her site was an international data transfer. In practice, she had a GDPR problem she had not known she had.
I am telling that story because it is not unusual. It is closer to the default state of Irish SMB hosting than most business owners realise. The good news: the fix is cheap and mostly mechanical. The bad news: almost no one does it until a client asks, and by then you have a small, expensive problem.
Why your hosting location is a GDPR decision
GDPR does not ban transferring personal data outside the EU. It requires that any such transfer has a lawful basis — either an adequacy decision (the EU formally recognising the destination country as safe), Standard Contractual Clauses, or Binding Corporate Rules — plus, post-Schrems II, a documented transfer impact assessment showing that the destination's surveillance laws do not undermine the protections.
What most SMBs treat as "just hosting" actually involves three separate data flows: where the site is served from (the server's physical location), where form data and uploads are stored (the database, often in the same region but not always), and where traffic is proxied through (the CDN or WAF, which decrypts your traffic). Each of those is a processing location under GDPR. Each of them needs to be accounted for.
The honest truth is that plenty of SMBs have been fine for years in a grey zone and nothing bad has happened. The risk profile changed in 2023 when the Data Protection Commission started actively investigating smaller companies following complaints, and again in 2024 when client due-diligence processes — especially from larger B2B buyers — started demanding data-residency documentation as a precondition for working together. Being non-compliant is no longer just a regulator risk; it is a sales-blocking risk.
The four clauses every DPA must contain
A Data Processing Agreement is the contract between you (the controller) and your hosting provider (the processor). Under Article 28 GDPR, specific clauses must be present. Most DPAs template-drafted by smaller hosts miss at least one. When you review yours, these are the clauses that matter most:
1. Data residency and onward-transfer restrictions. Where will data physically live, and what permissions does the processor have to move it? Acceptable: "within the EEA, specifically in [country]". Unacceptable: "globally, as required for service delivery".
2. Sub-processor transparency and notification. The host will use sub-processors — backup vendors, monitoring tools, CDNs. The DPA must list them, commit to equivalent terms with them, and give you advance notice of any change. A DPA that says "sub-processors may change from time to time" with no notification process is a red flag.
3. Breach notification within 72 hours. Required by law. Your host should commit to notifying you within a defined window — 24 to 48 hours is standard and lets you meet your own 72-hour regulator deadline with buffer.
4. Return and deletion on termination. When you leave, what happens to your data? The DPA should commit to a defined return-and-delete process, with written confirmation.
There are other clauses — audit rights, international-transfer specifics, confidentiality — and a full DPA will cover all of them. But those four are the ones I see missing from small-host contracts most frequently.
EU data residency — who genuinely provides it
This is where the market diverges sharply, and I am going to be direct because vague advice on this topic is doing real harm.
Hetzner, OVH, Scaleway vs the US hyperscalers
Hetzner (Germany) is what we use for our own infrastructure and what we put most clients on. German-headquartered, German-law-governed, data centres in Falkenstein and Nuremberg and a Finnish facility. Their DPA is clean. Their CX22 shared instance costs EUR 4.51/month at time of writing, which makes the whole "EU hosting is expensive" argument absurd. For straightforward website hosting, Hetzner is hard to beat on price-to-compliance ratio.
OVH (France) is the other major option. French-headquartered, DPA is clean, and they run data centres across the EU. A notable point: OVHcloud has publicly resisted US subpoena access to EU data in multiple cases, which matters post-Schrems II.
Scaleway (France) is smaller but competitive, particularly for managed Postgres and object storage.
AWS, Google Cloud, Microsoft Azure — the US hyperscalers — are the hardest to get clearly right, and this is where most of the Schrems II case law has landed. You can technically configure AWS to keep data in eu-west-1 (Dublin) and sign their GDPR addendum with EU Standard Contractual Clauses. But AWS is a US company subject to the US CLOUD Act. A US court order can compel them to produce data held anywhere in the world. The EDPB and several national DPAs have expressed concern about this despite AWS's encryption and contractual commitments. Whether this is a real risk for your small business depends on your threat model. For a solicitor handling client-confidential data, I would not use it. For a coffee shop website with a contact form, it is probably fine. Judgement call, but one that has to be made consciously rather than by default.
Here is where I disagree with a lot of the GDPR-hosting content online: the position that all EU data on US-controlled infrastructure is automatically non-compliant is overstated. The position that it is definitely fine because you clicked a GDPR addendum is equally wrong. The reality is a spectrum and it depends on data sensitivity, sector, and whether you can document your transfer impact assessment. If you work in health, legal, or finance, keep the data on EU-owned infrastructure. If you do not, document your SCCs properly and move on.
What a GDPR-compliant hosting checklist looks like
A compact, usable version. If you can tick every box, you are in a defensible position.
- Server physical location is inside the EEA and documented
- Database location is inside the EEA (separate question if database is managed)
- CDN and WAF either in the EEA or documented with SCCs and a TIA
- DPA signed, current, and includes the four clauses above
- Sub-processor list current and reviewed within the last 12 months
- Backup location is inside the EEA
- Your own privacy policy correctly identifies the host as a processor and names their country
- Analytics tool either GDPR-native (Plausible, Fathom, Matomo) or correctly configured (GA4 with consent mode and IP anonymisation)
- Email processor (for transactional mail) is EU-based or documented — this is the one most often missed
I would not call myself a lawyer and this is not legal advice. But any reasonable DPO reviewing your site should be able to work through this list in an hour and come up green.
Common mistakes Irish SMBs still make
Cloudflare, analytics, and the Schrems II problem
Cloudflare is interesting because it is a US company running a CDN that decrypts your traffic. That decryption is technically a processing event in the country where the edge node sits, which for European traffic is usually — but not always — inside the EU. Cloudflare offers an Enterprise data-localisation add-on that confines traffic to the EU, and their standard plans route mostly through EU edges but do not contractually guarantee it. For most small sites this is acceptable and I use it myself, but it needs to be documented in your privacy notice.
Google Analytics is the bigger one. The classic Universal Analytics installation was ruled non-compliant by multiple European DPAs in 2022. GA4 with EU-region data storage and consent mode plus IP anonymisation is, by current guidance, acceptable — but the installation must be done correctly and the consent banner must actually block the script when the user declines. A lot of sites still ship GA4 with no consent blocking at all. That one is a clean, easy fine for an active DPC inspector.
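One way to implement the consent gate described above, as an added example that is not the post's or any vendor's code: the gtag.js loader is only injected after an explicit grant, Consent Mode starts from "denied", and nothing is fetched from Google while the visitor has declined or not yet chosen. The cookie name cookie_consent, the placeholder measurement ID and the consent-changed event are assumptions.

```javascript
const CONSENT_COOKIE = 'cookie_consent';   // assumed: cookie written by the consent banner
const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX';  // placeholder, not a real GA4 property ID
// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}
// Only an explicit "granted" counts; a missing or malformed cookie means denied.
function analyticsConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'granted' ? 'granted' : 'denied';
}
// Define window.gtag and push the Consent Mode default (everything denied) exactly once.
function ensureGtag(win) {
  if (win.gtag) return;
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied',
                                   ad_user_data: 'denied', ad_personalization: 'denied' });
}
// Inject the gtag.js loader once; returns true only when this call injected it.
// GA4 does not log full IP addresses, so no separate anonymisation flag is needed.
function loadAnalytics(doc, win, measurementId) {
  if (doc.getElementById('ga4-loader')) return false;           // already present
  win.gtag('consent', 'update', { analytics_storage: 'granted' });
  win.gtag('js', new Date());
  win.gtag('config', measurementId);
  const s = doc.createElement('script');
  s.id = 'ga4-loader';
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId);
  doc.head.appendChild(s);
  return true;
}
// Entry point: run on page load and again whenever the banner records a choice.
// With consent absent or denied the <script> element is never created, so nothing is fetched.
function initAnalytics(doc, win) {
  ensureGtag(win);
  if (analyticsConsent(doc.cookie) !== 'granted') return false;
  return loadAnalytics(doc, win, GA_MEASUREMENT_ID);
}
if (typeof document !== 'undefined') {  // browser only; skipped under Node
  document.addEventListener('consent-changed', () => initAnalytics(document, window));
  initAnalytics(document, window);
}
```

The banner itself only has to write the cookie and dispatch the consent-changed event; the analytics script is never referenced in the HTML, so a declined visitor's browser makes no request to Google at all.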
The "our hosting provider is in Ireland" fallacy
I hear this regularly: "We are hosted with an Irish company." That usually means the reseller is Irish. The physical servers, the CDN and the email might be anywhere. Ask for the actual data centre location, in writing, and check it matches your DPA.
What managed hosting should actually include
Hosting at the SMB level has become almost a commodity — you can get a LAMP stack running on Hetzner for EUR 4.51/month. What "managed hosting" is actually supposed to add on top:
- Someone else owns the compliance paperwork. EU region, DPA, sub-processor list, backup residency — maintained and audited, not your problem.
- Someone else owns performance. TLS, HTTP/3, image optimisation, caching — tuned, not default.
- Someone else owns uptime. Monitored, patched, alerted, with a defined response time when things break.
- Someone else owns backups. Daily, encrypted, restored on request, geo-redundant within the EEA.
- A human you can ring. This sounds basic and is increasingly rare at the SMB price point.
Our own managed hosting starts at EUR 59/month and ships with all of the above by default, because we built it for our own client base first and felt like we might as well sell it. The DPA is clean. The servers are in Hetzner Falkenstein. The CDN is Cloudflare with consent-gated analytics injection. It is GDPR-compliant out of the box — not because compliance is magic, but because the work has been done once, properly, on the provider side so each new client does not have to redo it.
If you want to talk through your specific setup, get in touch — we will look at your current host's DPA and tell you honestly whether you need to move or whether a few configuration changes will put you in the clear.
