The General Data Protection Regulation (GDPR) has fundamentally changed how businesses handle personal data in the European Union. For companies that store customer data in databases, GDPR compliance isn't optional—it's a legal requirement with potentially severe penalties for non-compliance.
In this comprehensive guide, we'll explore what GDPR-compliant database hosting means, why it matters, and how to ensure your infrastructure meets all requirements.
## Understanding GDPR and Database Hosting
GDPR is an EU regulation that governs how organizations collect, process, store, and protect personal data of EU citizens. When you host databases containing personal information, you become a data controller (deciding what data to collect) and potentially a data processor (handling the data on behalf of others).
### Key GDPR Principles for Database Hosting
- Lawfulness, Fairness, and Transparency: Data must be processed legally with clear consent
- Purpose Limitation: Only collect data for specified, legitimate purposes
- Data Minimization: Collect only what's necessary
- Accuracy: Keep data accurate and up to date
- Storage Limitation: Keep data only as long as necessary
- Integrity and Confidentiality: Ensure appropriate security
- Accountability: Demonstrate compliance
## Why Data Residency Matters
One of the most critical aspects of GDPR compliance is data residency—where your data is physically stored.
### The Schrems II Decision
The 2020 Schrems II ruling by the European Court of Justice invalidated the Privacy Shield framework between the EU and US. This means:
- US-based cloud providers (AWS, Google Cloud, Azure) face additional scrutiny
- Data transfers to the US require Standard Contractual Clauses (SCCs) and risk assessments
- EU authorities can challenge these transfers if US surveillance laws apply
- EU-based hosting eliminates these concerns entirely
### Benefits of EU Data Residency
When you host databases in EU data centers:
- ✅ No data transfer outside the EU
- ✅ Subject to EU privacy laws, not foreign surveillance legislation
- ✅ Simpler compliance documentation
- ✅ Reduced legal risk
- ✅ Increased customer trust
DanubeData hosts all infrastructure exclusively in Germany and Finland (Hetzner data centers), ensuring complete EU data residency.
## Technical Requirements for GDPR Compliance
### 1. Encryption
GDPR Article 32 requires "appropriate technical and organizational measures" including encryption.
#### Encryption at Rest
All database storage must be encrypted. DanubeData databases use Longhorn storage with LUKS encryption enabled by default.
#### Encryption in Transit
All database connections must use TLS/SSL:
```bash
# PostgreSQL connection with SSL enforcement
# sslmode=require encrypts the session but does not, by itself, verify the
# server's certificate; sslmode=verify-full (with sslrootcert pointing at your
# CA) also authenticates the server and blocks man-in-the-middle endpoints
psql "postgresql://user@db.example.eu:5432/mydb?sslmode=require"
# MySQL connection with SSL (add --ssl-ca=<ca.pem> to verify the server as well)
mysql --host=db.example.eu --ssl-mode=REQUIRED
```
DanubeData enforces TLS 1.2+ for all database connections.
### 2. Access Controls and Authentication
Implement the principle of least privilege:
```sql
-- Create a role with minimal permissions. NOLOGIN makes it a privilege bundle
-- that is granted to the login roles applications actually connect with.
CREATE ROLE app_readonly NOLOGIN;
GRANT CONNECT ON DATABASE production TO app_readonly;
GRANT USAGE ON SCHEMA public TO app_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_readonly;
-- Separate roles for different access levels
CREATE ROLE app_writer NOLOGIN;
GRANT CONNECT ON DATABASE production TO app_writer;
GRANT USAGE ON SCHEMA public TO app_writer;
-- specific_tables: replace with the tables this application writes to
GRANT INSERT, UPDATE ON specific_tables TO app_writer;
```
#### Multi-Factor Authentication (MFA)
Require MFA for database administrative access:
- Enable MFA on your hosting provider account
- Use certificate-based authentication for database access
- Implement IP allowlisting for database connections
DanubeData supports MFA on all accounts and provides firewall rules for IP allowlisting.
### 3. Audit Logging
GDPR requires maintaining records of processing activities (Article 30).
#### PostgreSQL Audit Logging
```sql
-- Enable pgaudit extension (pgaudit must already be listed in
-- shared_preload_libraries; ALTER SYSTEM requires superuser rights)
CREATE EXTENSION pgaudit;
-- Configure comprehensive logging
ALTER SYSTEM SET pgaudit.log = 'all';
ALTER SYSTEM SET pgaudit.log_catalog = on;
-- log_parameter writes bound statement parameters into the log; these can be
-- personal data themselves, so the log files need the same protection as the database
ALTER SYSTEM SET pgaudit.log_parameter = on;
-- Reload configuration
SELECT pg_reload_conf();
```
#### What to Log
Your audit logs should capture:
- All data access (SELECT queries on personal data tables)
- Data modifications (INSERT, UPDATE, DELETE)
- Schema changes (ALTER, CREATE, DROP)
- Authentication attempts (successful and failed)
- Permission changes (GRANT, REVOKE)
- Administrative actions
Retention: Keep audit logs for at least 3 years to demonstrate compliance.
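Logging is only half of the control; someone has to read the logs. The script below, an added example that is not code from this guide or from DanubeData, triages PostgreSQL log lines into the categories listed above (reads of personal-data tables, data modifications, schema changes, permission changes, failed logins). It assumes pgaudit's SESSION record layout and a `log_line_prefix` of `%m [%p] %u@%d `; the personal-data table list and the log lines are constructed sample data.

```python
"""Triage PostgreSQL log lines for the audit events this guide lists: reads of
personal-data tables, data modifications, schema changes, permission changes
and failed authentication attempts.

Added example; not code from the guide or from DanubeData. Assumes pgaudit's
SESSION record layout (statement_id, substatement_id, class, command,
object_type, object_name, statement, parameter) and a log_line_prefix of
"%m [%p] %u@%d ", so each line starts with timestamp, pid and role@database."""
import csv
import re
from collections import Counter

# Tables holding personal data (assumption: the schema used in this guide).
PERSONAL_DATA_TABLES = {"public.users", "public.payments", "public.sessions"}

AUDIT_FIELDS = ("statement_id", "substatement_id", "class", "command",
                "object_type", "object_name", "statement", "parameter")
AUDIT_MARKER = "AUDIT: SESSION,"
PREFIX_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<role>[^@ ]+)@(?P<db>\S+) ")
# Failed logins are ordinary server log lines, not pgaudit records.
FAILED_AUTH_RE = re.compile(
    r'FATAL:\s+password authentication failed for user "(?P<role>[^"]+)"')


def parse_audit_line(line):
    """Return a dict for one pgaudit SESSION record, or None for any other line."""
    idx = line.find(AUDIT_MARKER)
    if idx < 0:
        return None
    # The record is CSV: the statement text is quoted and may contain commas.
    fields = next(csv.reader([line[idx + len(AUDIT_MARKER):]]))
    if len(fields) != len(AUDIT_FIELDS):
        return None
    event = dict(zip(AUDIT_FIELDS, fields))
    prefix = PREFIX_RE.match(line)
    event["role"] = prefix.group("role") if prefix else "?"
    event["db"] = prefix.group("db") if prefix else "?"
    return event


def classify(event):
    """Map a pgaudit record to one of the guide's audit categories, or None if
    it is routine (reads of non-personal tables, catalog lookups)."""
    cls = event["class"]
    if cls == "READ":
        return "personal_data_read" if event["object_name"] in PERSONAL_DATA_TABLES else None
    return {"WRITE": "data_modification", "DDL": "schema_change",
            "ROLE": "permission_change"}.get(cls)


def triage(lines):
    """Scan raw log lines; return (per-category counts, list of flagged events)."""
    counts, findings = Counter(), []
    for line in lines:
        auth = FAILED_AUTH_RE.search(line)
        if auth:
            counts["failed_auth"] += 1
            findings.append({"category": "failed_auth", "role": auth.group("role")})
            continue
        event = parse_audit_line(line)
        if event is None:
            continue
        category = classify(event)
        if category is not None:
            counts[category] += 1
            findings.append({"category": category, "role": event["role"],
                             "object": event["object_name"],
                             "statement": event["statement"]})
    return counts, findings


# Constructed sample log lines in the format described above.
SAMPLE_LOG = [
    '2024-05-01 10:00:01 UTC [4242] app_readonly@production LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.users,"SELECT email, name FROM users WHERE id = $1",\'42\'',
    '2024-05-01 10:00:02 UTC [4242] app_readonly@production LOG:  AUDIT: SESSION,2,1,READ,SELECT,TABLE,public.products,"SELECT * FROM products",<none>',
    '2024-05-01 10:00:02 UTC [4242] app_readonly@production LOG:  AUDIT: SESSION,3,1,READ,SELECT,TABLE,pg_catalog.pg_class,"SELECT relname FROM pg_class",<none>',
    '2024-05-01 10:00:03 UTC [4243] app_writer@production LOG:  AUDIT: SESSION,1,1,WRITE,UPDATE,TABLE,public.orders,"UPDATE orders SET total = $1 WHERE id = 7",\'19.99\'',
    '2024-05-01 10:00:04 UTC [4244] dba@production LOG:  AUDIT: SESSION,1,1,DDL,ALTER TABLE,TABLE,public.users,"ALTER TABLE users ADD COLUMN phone text",<none>',
    '2024-05-01 10:00:05 UTC [4244] dba@production LOG:  AUDIT: SESSION,2,1,ROLE,GRANT,TABLE,public.users,"GRANT SELECT ON users TO app_readonly",<none>',
    '2024-05-01 10:00:06 UTC [4245] [unknown]@production FATAL:  password authentication failed for user "app_writer"',
]

if __name__ == "__main__":
    totals, flagged = triage(SAMPLE_LOG)
    for finding in flagged:
        print(finding)
    print(dict(totals))
```

On the sample data the routine product and catalog reads are dropped and five events are flagged, one per category. Feed the real log through `triage()` on a schedule and alert on any `failed_auth` burst or on `personal_data_read` from a role that should not touch those tables; that turns the "regular log reviews" item of the checklist into something automated.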
### 4. Regular Backups
GDPR Article 32(1)(c) requires "the ability to restore the availability and access to personal data in a timely manner."
#### 3-2-1 Backup Strategy
- 3 copies of your data
- 2 different storage types
- 1 offsite backup
DanubeData provides:
- Automated daily backups
- Point-in-time recovery
- Offsite backup to EU S3-compatible storage
- Backup encryption
- Backup testing and verification
## Implementing GDPR Data Subject Rights
GDPR grants individuals specific rights over their personal data.
### Right of Access (Article 15)
Users can request all data you hold about them:
```sql
-- Query all data for a specific user
-- (:user_id is a bound parameter; never build this query by string concatenation)
SELECT
    u.email, u.name, u.created_at,
    o.id AS order_id, o.total,
    p.payment_method
FROM users u
LEFT JOIN orders o ON u.id = o.user_id
LEFT JOIN payments p ON o.id = p.order_id
WHERE u.id = :user_id;
```
### Right to Erasure / "Right to be Forgotten" (Article 17)
Users can request deletion of their data:
```sql
-- Complete user data deletion (one transaction: all of it is removed or none of it)
BEGIN;
-- Delete related records first, in foreign-key order
DELETE FROM order_items WHERE order_id IN
    (SELECT id FROM orders WHERE user_id = :user_id);
-- payments reference orders (as in the access query above), not users directly
DELETE FROM payments WHERE order_id IN
    (SELECT id FROM orders WHERE user_id = :user_id);
DELETE FROM orders WHERE user_id = :user_id;
DELETE FROM sessions WHERE user_id = :user_id;
-- Finally delete user
DELETE FROM users WHERE id = :user_id;
-- Log the deletion request
INSERT INTO gdpr_deletion_requests
    (user_id, requested_at, completed_at, ip_address)
VALUES (:user_id, NOW(), NOW(), :ip_address);
COMMIT;
```
Important: Some data may be exempt from deletion due to legal obligations (accounting records, fraud prevention).
### Right to Data Portability (Article 20)
Provide user data in a machine-readable format (JSON, CSV).
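The three rights above (access, erasure, portability) as one runnable example. This is added code, not the guide's or DanubeData's; it runs against an in-memory SQLite database so it works offline, and the SQL ports to PostgreSQL by swapping `?` for the driver's parameter style. The column layout, the `gdpr_deletion_requests` table and the handling of the legal-obligation exemption are assumptions: with `retain_accounting=True`, orders, order items and payments are kept for the accounting record but de-linked from the user, while sessions and the user row are always deleted.

```python
"""Right of access, right to erasure and data portability for the
users / orders / order_items / payments / sessions schema used in this guide.

Added example, not code from the guide or from DanubeData. Assumptions: the
column layout below, the gdpr_deletion_requests log table, and the treatment
of records kept under a legal obligation (retained but de-linked)."""
import json
import sqlite3
from datetime import datetime, timezone

SCHEMA_AND_SEED = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, created_at TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL, created_at TEXT);
CREATE TABLE order_items (id INTEGER PRIMARY KEY, order_id INTEGER, sku TEXT, qty INTEGER);
CREATE TABLE payments (id INTEGER PRIMARY KEY, order_id INTEGER, payment_method TEXT, amount REAL);
CREATE TABLE sessions (id INTEGER PRIMARY KEY, user_id INTEGER, token TEXT);
CREATE TABLE gdpr_deletion_requests (id INTEGER PRIMARY KEY, user_id INTEGER,
    requested_at TEXT, completed_at TEXT, ip_address TEXT, retained_orders INTEGER);
-- constructed sample data
INSERT INTO users VALUES (42, 'alice@example.eu', 'Alice', '2023-01-05');
INSERT INTO users VALUES (43, 'bob@example.eu', 'Bob', '2023-02-10');
INSERT INTO orders VALUES (1, 42, 19.99, '2023-03-01'), (2, 42, 5.0, '2023-04-01'), (3, 43, 7.5, '2023-04-02');
INSERT INTO order_items VALUES (1, 1, 'SKU-1', 1), (2, 2, 'SKU-2', 2), (3, 3, 'SKU-1', 1);
INSERT INTO payments VALUES (1, 1, 'card', 19.99), (2, 2, 'sepa', 5.0), (3, 3, 'card', 7.5);
INSERT INTO sessions VALUES (1, 42, 'tok-a'), (2, 43, 'tok-b');
"""


def open_demo_db():
    """In-memory database with manual transaction control (isolation_level=None)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA_AND_SEED)
    return conn


def export_user_data(conn, user_id):
    """Article 15: everything held about one user, as a plain dict (None if unknown)."""
    user = conn.execute("SELECT id, email, name, created_at FROM users WHERE id = ?",
                        (user_id,)).fetchone()
    if user is None:
        return None
    orders = []
    for order in conn.execute("SELECT id, total, created_at FROM orders WHERE user_id = ? ORDER BY id",
                              (user_id,)):
        items = [dict(r) for r in conn.execute(
            "SELECT sku, qty FROM order_items WHERE order_id = ? ORDER BY id", (order["id"],))]
        payments = [dict(r) for r in conn.execute(
            "SELECT payment_method, amount FROM payments WHERE order_id = ? ORDER BY id", (order["id"],))]
        orders.append({**dict(order), "items": items, "payments": payments})
    return {"user": dict(user), "orders": orders}


def export_user_json(conn, user_id):
    """Article 20: the same data in a machine-readable format."""
    return json.dumps(export_user_data(conn, user_id), indent=2)


def erase_user(conn, user_id, ip_address, retain_accounting=True):
    """Article 17: delete in foreign-key order inside one transaction, record the
    request, and return how many orders were retained (de-linked) under the
    accounting exemption. Raises and rolls back if the user does not exist."""
    conn.execute("BEGIN")
    try:
        if retain_accounting:
            retained = conn.execute("UPDATE orders SET user_id = NULL WHERE user_id = ?",
                                    (user_id,)).rowcount
        else:
            conn.execute("DELETE FROM order_items WHERE order_id IN "
                         "(SELECT id FROM orders WHERE user_id = ?)", (user_id,))
            conn.execute("DELETE FROM payments WHERE order_id IN "
                         "(SELECT id FROM orders WHERE user_id = ?)", (user_id,))
            conn.execute("DELETE FROM orders WHERE user_id = ?", (user_id,))
            retained = 0
        conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
        if conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount != 1:
            raise LookupError(f"user {user_id} not found")
        now = datetime.now(timezone.utc).isoformat()
        conn.execute("INSERT INTO gdpr_deletion_requests "
                     "(user_id, requested_at, completed_at, ip_address, retained_orders) "
                     "VALUES (?, ?, ?, ?, ?)", (user_id, now, now, ip_address, retained))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return retained


def count_user_references(conn, user_id):
    """Post-erasure verification: rows still pointing at the user (expected 0)."""
    total = 0
    for table, column in (("users", "id"), ("sessions", "user_id"), ("orders", "user_id")):
        total += conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {column} = ?",
                              (user_id,)).fetchone()[0]
    return total


if __name__ == "__main__":
    db = open_demo_db()
    print(export_user_json(db, 42))                  # access / portability export
    print("orders retained:", erase_user(db, 42, "203.0.113.5"))
    print("references left:", count_user_references(db, 42))
```

Two design points worth copying into a real implementation: the erasure runs as a single transaction and verifies that the user row was actually removed, so a mistyped id cannot silently log a "completed" deletion; and the verification query is separate from the deletion, so it can be run again later (or by a second person) to prove the request was honoured.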
## Data Breach Response Plan
GDPR Article 33 requires breach notification within 72 hours.
### Breach Response Checklist
- ☐ Contain the breach (revoke compromised credentials)
- ☐ Assess scope (what data was accessed/exfiltrated)
- ☐ Document timeline and details
- ☐ Notify supervisory authority within 72 hours
- ☐ Notify affected individuals if high risk
- ☐ Implement remediation measures
- ☐ Update security controls
- ☐ Conduct post-incident review
## Penalties for Non-Compliance
GDPR violations can result in significant fines:
| Violation Type | Maximum Fine |
|---|---|
| Minor violations (Article 83(4)) | €10 million or 2% of global revenue |
| Major violations (Article 83(5-6)) | €20 million or 4% of global revenue |
Real-world examples:
- Amazon: €746 million (2021) - unlawful processing
- WhatsApp: €225 million (2021) - transparency violations
- Google: €90 million (2020) - cookie violations
- British Airways: €22.5 million (2020) - data breach
## Why Choose EU-Based Database Hosting
### DanubeData Advantages
| Feature | DanubeData | US Cloud Providers |
|---|---|---|
| Data Location | Germany & Finland (EU) | US with optional EU regions |
| GDPR Compliance | Native compliance | Requires SCCs, risk assessment |
| Data Transfer | No transfer outside EU | Subject to Schrems II scrutiny |
| Surveillance Laws | EU privacy protections | US FISA, CLOUD Act apply |
| Pricing | Transparent, no egress fees | Complex pricing, high egress costs |
### Cost Comparison
AWS RDS (eu-central-1):
- db.t3.medium (2 vCPU, 4GB RAM): ~€85/month
- 100GB storage: ~€11.50/month
- Backup storage: ~€10/month
- Data transfer: €0.09/GB
- Total: ~€106.50/month (before traffic)
DanubeData PostgreSQL:
- Small (2 vCPU, 4GB RAM, 100GB): €29/month
- Backups included
- Free data transfer
- Total: €29/month (72% savings)
## GDPR Compliance Checklist
### Infrastructure
- ☐ Databases hosted in EU data centers
- ☐ Hosting provider is GDPR-compliant with valid DPA
- ☐ No data transfers outside the EU
- ☐ Encryption at rest enabled
- ☐ TLS/SSL encryption in transit enabled
- ☐ Regular security patches and updates
### Access Controls
- ☐ Multi-factor authentication enabled
- ☐ Role-based access control (RBAC) implemented
- ☐ Principle of least privilege enforced
- ☐ IP allowlisting configured
- ☐ Regular access reviews conducted
### Monitoring and Logging
- ☐ Comprehensive audit logging enabled
- ☐ Logs retained for minimum 3 years
- ☐ Intrusion detection system in place
- ☐ Regular log reviews conducted
- ☐ Automated alerting for suspicious activity
### Data Subject Rights
- ☐ Process for handling access requests
- ☐ Process for data rectification
- ☐ Process for data deletion ("right to be forgotten")
- ☐ Process for data portability
- ☐ Response time SLA (typically 30 days)
## Conclusion
GDPR compliance isn't just about avoiding fines—it's about building trust with your customers and protecting their fundamental rights. By choosing EU-based database hosting like DanubeData, you eliminate many compliance headaches:
- ✅ No data transfer concerns
- ✅ Built-in encryption and security
- ✅ Automated backups in EU regions
- ✅ Clear data processing agreements
- ✅ No US surveillance law exposure
Ready to ensure GDPR compliance? Create a free DanubeData account and deploy a GDPR-compliant database in Germany or Finland in under 60 seconds.
## Additional Resources
- Full GDPR Text (Official EUR-Lex)
- European Data Protection Board Guidelines
- Schrems II Ruling Full Text
- DanubeData Security Documentation
- DanubeData Data Processing Agreement
Have questions about GDPR compliance? Contact our compliance team at compliance@danubedata.com