GDPR compliant, because we said so.
You’ve probably seen these two words on loads of websites, often in the footer: “GDPR compliant”. Sometimes even as a cute little circle-of-golden-stars logo.
It’s reassuring and feels official. But there’s actually no certification body for this, nor any official badge. It’s just a self-declaration, and about as valid as a “healthy” stamp on a packet of biscuits.
In practice, it can mean anything. From “we spent 2 years working with lawyers and redesigning our whole data processing flow” to “we threw on a cookie banner and got ChatGPT to write a privacy policy” (or simply stole it from a competitor’s website).
And then we get “European-hosted”, which also sounds good and safe.
Again, not really. Hosting location and legal jurisdiction are two completely different things.
If the company behind the service is American, US law still applies. And US authorities have the power to demand your data regardless of where it’s physically located.
This is where the difference between European-hosted and European-owned is critical. A European company, incorporated and headquartered in the EU, is not subject to the US CLOUD Act or US courts.
Some vendors get creative with this and set up a European subsidiary or a local partnership to market themselves as “EU-based”. But if the parent company is in the US, the data is still easily within reach of US courts. Microsoft confirmed this despite playing the subsidiary game themselves.
Then we get to sub-processors: the companies that vendors work with behind the scenes. You can have European email platforms sending emails through Amazon, European analytics services using Microsoft Azure, and so on. I recently spotted a European privacy service that was running on Google Cloud.
Under GDPR, vendors are required to disclose their sub-processors. Some hide them deep in their legal pages, but they should be on the site. If you see a list of US companies, you know the European branding is just marketing.
So, what should you check for?
Figure out where the company is legally based. It can sometimes be surprisingly difficult to find. Then check the sub-processors list and where those companies are based. Read the privacy policy: it should indicate what data is shared and with whom.
And if any of these elements are hard to find or somewhat vague, you know what that “GDPR compliant” badge is worth.
Colin