GDPR and EU Data Hosting: What You Need to Know
When choosing a cloud platform or video communications API, one question always arises: Does GDPR require data to be physically stored in the European Union (EU)?
If you’re comparing vendors for SaaS, healthcare, education or public sector applications, this article offers clarity and will help you make the right choice. We’ll break down the legal regulations in simple language, explain key concepts like data localisation and jurisdiction, and help you make an informed decision that reduces legal risk without overcomplicating your tech stack and causing you extra costs.
Data location has become a key decision-making factor for compliance officers, CTOs, and product owners alike — especially in industries handling sensitive or regulated information. As governments, regulators and users demand higher standards of privacy and accountability, choosing the wrong vendor can lead to hidden legal exposure and operational issues. This makes understanding the connection between GDPR, server location, and jurisdiction on both the European and the national levels more critical than ever.
Table of contents
- GDPR and server location: What the law actually says
- So why do so many organisations prefer EU-only hosting?
- Adequacy: The “whitelist” of safe countries
- EU hosting = no transfers = no risk
- Data residency, jurisdiction, and sovereignty: what they mean in practice
- What are the risks of third-country transfers?
- Choosing an EU-based provider: the path of least resistance
- Why Digital Samba is the safer, smarter choice
- So, does GDPR require data to be stored in the EU?
- The takeaway
- FAQs
GDPR and server location: What the law actually says
Let us focus first on the main question:
Does the GDPR require personal data to be stored exclusively in the EU?
No, the GDPR does not mandate that data must physically reside within the European Union. However, it does heavily regulate any transfer of personal data to countries outside the European Economic Area (EEA).
This nuance is crucial and easily misinterpreted. You are not legally required to use EU-only servers, but the moment you store or process personal data outside the EEA — or allow access from outside — Chapter V of the GDPR (Articles 44–50) applies.
These provisions are designed to ensure that the same level of protection guaranteed within the EU travels with the data, even beyond its borders.
Legal basis
Let’s look at the key legal instruments from Chapter V:
- GDPR Article 44 – General principle for transfers
“Any transfer of personal data which is undergoing processing or is intended for processing after transfer to a third country… shall take place only if… the conditions laid down in this Chapter are complied with…”
- GDPR Article 45 – Transfers on the basis of an adequacy decision
Transfers are allowed to countries that the European Commission has deemed to provide an "adequate" level of data protection.
- GDPR Article 46 – Transfers subject to appropriate safeguards
If there is no adequacy decision, transfers may still take place under appropriate safeguards such as Standard Contractual Clauses (SCCs), pre-approved legal contracts that bind both sender and recipient to uphold EU data protection standards, or Binding Corporate Rules (BCRs), internal data protection policies approved by regulators that allow multinational companies to transfer data within their own group.
- GDPR Article 49 – Derogations for specific situations
This includes user consent or necessity for contract fulfilment, but is intended for exceptional cases only — not routine operations.
So why do so many organisations prefer EU-only hosting?
Because even when the data is physically stored in the EU, the GDPR treats the arrangement as a restricted transfer if the service provider is based in a non-adequate third country, such as the United States.
This position was solidified in the Schrems II judgment (CJEU Case C-311/18, 2020), which invalidated the EU–US Privacy Shield framework. The court found that:
- US surveillance laws (such as FISA Section 702, which allows US intelligence agencies to collect data from electronic communications of non-US persons without a warrant, and Executive Order 12333, which authorises broad foreign intelligence gathering outside the US) do not provide EU citizens with adequate redress.
- Therefore, transfers to US-based providers, even with SCCs, may not offer adequate protection.
As a result:
- SCCs alone are not enough.
- Controllers must conduct a Transfer Impact Assessment (TIA) — a documented evaluation of whether the laws and practices in the recipient country could compromise the level of data protection guaranteed under GDPR.
- Supplementary measures (e.g. encryption or pseudonymisation) may be required.
- You must reassess these transfers regularly, considering changes in the recipient country's legal environment.
This creates an ongoing legal burden, especially for SMEs, public institutions, and EU-funded projects with limited compliance resources.
Adequacy: The “whitelist” of safe countries
The simplest way to avoid this legal overhead is to keep data within the EEA or transfer only to “adequate” countries recognised by the European Commission under Article 45. These countries are deemed adequate because their national laws and enforcement frameworks ensure a level of personal data protection that is essentially equivalent to that guaranteed within the EU.
As of 2025, the list of countries with full adequacy decisions includes:
- Andorra
- Argentina
- Canada (commercial organisations)
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- New Zealand
- Republic of Korea
- Switzerland
- United Kingdom
- Uruguay
The United States is not on this list, though a new adequacy framework, the EU–US Data Privacy Framework, is under discussion. Its long-term viability remains uncertain due to expected legal challenges.
EU hosting = no transfers = no risk
If you choose a provider that:
- Hosts all personal data within the EU,
- Is fully owned and operated under EU jurisdiction,
- Does not rely on third-country sub-processors,
then Chapter V of the GDPR doesn’t apply at all. There is no “transfer” as defined by the law — therefore:
- No SCCs
- No TIAs
- No supplementary measures
- No risk of invalidation due to foreign surveillance laws
| Scenario | Legal risk | Compliance burden |
|---|---|---|
| EU-hosted, EU-owned provider | 🟢 Low | 🟢 Minimal |
| EU-hosted, US-owned provider | 🔴 High | 🔴 Requires SCC + TIA + extras |
| US-hosted, US-owned provider | 🔴 Very High | 🔴 Extensive |
| Transfers to “adequate” countries | 🟡 Medium | 🟡 Still requires documentation |
| Transfers under Article 49 derogations | 🔴 High | 🔴 Only for exceptional use |
While GDPR does not mandate EU data hosting, keeping data inside the EEA under EU jurisdiction is by far the easiest and safest path — especially for regulated sectors and risk-sensitive organisations.
Data residency, jurisdiction, and sovereignty: what they mean in practice
These three terms, namely data residency, jurisdiction, and sovereignty, are often confused or used interchangeably. But for your compliance strategy, it's important to understand the distinctions.
| Term | What it means | Why it matters |
|---|---|---|
| Data residency | Where your data is physically stored | Affects legal exposure and local privacy rules |
| Jurisdiction | Which country’s courts and authorities can access the data | Determines whether your data is subject to EU law or foreign surveillance regimes |
| Data sovereignty | The principle that data is governed by the laws of the country where it is stored | Key for public sector, healthcare, and GDPR-aligned operations |
Example
If your provider is headquartered outside of the European Economic Area (EEA) or is otherwise subject to a third country’s legal system, GDPR treats this as a restricted transfer — even if the servers themselves are located inside the EU.
Take the example of a US-based company that runs data centres in Germany:
- Physically, your data never leaves the EU (residency in Germany).
- But legally, the provider is still subject to US jurisdiction, including laws like the CLOUD Act or FISA Section 702, which can compel disclosure of EU customer data to US authorities.
- From the GDPR’s perspective, this means the data is at risk of foreign access, and therefore Chapter V (Articles 44–50) applies.
- As a result, you would need to rely on transfer mechanisms such as Standard Contractual Clauses (Article 46), carry out a Transfer Impact Assessment, and implement supplementary safeguards.
This is why compliance teams often say: “It’s not just where the servers are, it’s who controls them.”
By contrast, if your provider is both hosted and owned under EU jurisdiction, no third-country laws apply, and no transfer rules are triggered. That’s why EU-owned and operated vendors (like Digital Samba) remove this layer of complexity altogether.
This makes pure EU jurisdiction and ownership essential for certain sectors.
What are the risks of third-country transfers?
GDPR Article 44 and the Schrems II ruling of 2020 made it clear: sending personal data outside the EU is high-risk unless the recipient country offers adequate protection.
Key legal and operational risks include:
- Access by foreign surveillance agencies
US-based providers, for instance, may be legally compelled to hand over user data — even if stored in Europe.
→ This undermines the confidentiality guarantees required under GDPR, especially for sensitive sectors like healthcare or education.
- Complex documentation requirements
You’ll need Standard Contractual Clauses (SCCs), risk assessments, and proof of technical safeguards for every transfer.
→ This often requires legal expertise and creates recurring administrative overhead that many smaller teams are unprepared for.
- Legal uncertainty and reversals
The so-called Privacy Shield was invalidated; similar frameworks like the EU–US Data Privacy Framework face ongoing legal scrutiny.
→ Relying on these mechanisms puts your compliance at risk of disruption if a court rules them inadequate — again.
- Procurement restrictions
Public sector tenders and EU-funded projects often require EU-only storage and jurisdiction for legal certainty.
→ Choosing a non-EU vendor could disqualify you from bids or trigger lengthy exception requests.
- Loss of user trust
For sensitive industries, storing data under foreign control can damage your reputation and user confidence.
→ Customers, students, or patients may be less willing to engage with platforms that can’t guarantee European data protection standards.
Bottom line: Cross-border transfers are not illegal, but they are burdensome, fragile, and often incompatible with real-world compliance needs. For many organisations, choosing an EU-hosted and EU-owned provider is the most future-proof and legally resilient approach.
Choosing an EU-based provider: the path of least resistance
Let’s translate all of the above into practical decision-making.
When evaluating cloud, video, or communications vendors, here’s how fully EU-hosted platforms simplify compliance:
No SCCs or TIAs required
No need to sign additional contracts or perform transfer impact assessments — you're not transferring data outside EU borders at all.
→ This significantly reduces your legal workload and speeds up your procurement or integration timeline.
Exclusive EU jurisdiction
Your data is shielded from non-EU laws like the US CLOUD Act or FISA.
→ This ensures that only EU courts and data protection authorities have legal authority over your users' personal data.
Faster vendor due diligence
Procurement becomes easier when the provider is entirely within the EEA and under EU law.
→ You can streamline compliance checks and confidently report alignment with GDPR and national regulations.
Lower legal overhead
You reduce the time and money spent on compliance tasks, freeing resources for actual innovation.
→ This is especially beneficial for SMEs and startups with limited legal or privacy staff.
Better alignment with the public and regulated sectors
Healthcare platforms, EdTech tools, and public institutions increasingly require EU-only vendors in tenders and audits.
→ By choosing an EU provider, you pre-qualify for privacy-sensitive contracts without needing special data exemptions.
Why Digital Samba is the safer, smarter choice
At Digital Samba, we’ve designed our platform from the ground up to meet the expectations of EU-based teams — especially those handling sensitive or regulated data.
Here’s what makes us different:
- Fully hosted in the EU
All video, storage, and API traffic is handled exclusively within European data centres owned by EU entities.
- Under sole EU jurisdiction
We are a European-owned company, meaning your data is never subject to foreign access laws.
- No third-country transfers – ever
Our infrastructure and operations do not rely on non-EU sub-processors or cloud providers.
- Compliance without complexity
Choosing Digital Samba means:
- No SCCs
- No TIAs
- No unnecessary legal review
- Trusted by EdTech, healthcare, and public sector clients
We serve organisations that value privacy, sovereignty, and full transparency.
Whether you're building a video classroom, a secure telehealth app, or migrating communications infrastructure, we eliminate the legal guesswork.
So, does GDPR require data to be stored in the EU?
Not directly — but practically, yes, for many use cases.
While the regulation permits international data transfers under strict conditions, these have become difficult to meet in a legally sustainable way.
If you're handling sensitive data, operating in a regulated industry, or working on publicly funded EU projects, then choosing an EU-hosted and EU-governed provider is more than a compliance shortcut — it’s a strategic advantage.
The takeaway
As the data protection landscape evolves, clarity and simplicity are crucial. Choosing providers who are aligned with EU values, laws, and jurisdiction is not just about ticking boxes — it’s about earning trust and ensuring resilience.
Whether you're a product owner, IT lead or compliance officer, hosting data entirely within the EU eliminates legal ambiguity, simplifies vendor management, and protects your users.
Digital Samba stands ready to support you with privacy-first, fully EU-hosted infrastructure — built for teams who care about compliance and user trust.
Book a demo and see how easy privacy can be.
FAQs: GDPR, data location, and hosting
What’s the difference between data residency and jurisdiction?
Residency refers to where data is physically stored — often called GDPR data residency requirements. Jurisdiction refers to who has legal authority over that data. Both matter for GDPR compliance and directly impact data sovereignty in the EU.
Can I use a US-based provider if they store data in Europe?
Technically, yes, but it’s risky. Even if data meets GDPR data storage location requirements, the US CLOUD Act may still apply. You’ll also need additional contracts and assessments to remain GDPR compliant.
Are SCCs enough to comply with GDPR?
SCCs are a valid mechanism, but only when combined with a Transfer Impact Assessment and, if needed, supplementary measures. This makes compliance with GDPR data storage requirements and cross-border transfers more complex.
Is Digital Samba compliant for public sector use?
Yes. Digital Samba is fully hosted and governed within the EU. We meet GDPR data centre requirements and procurement rules for education, healthcare, government, and EU-funded projects.
What sectors benefit most from EU-only data hosting?
Healthcare, education, government, legal, and finance — or any organisation handling sensitive data or serving EU citizens where data localisation requirements are critical.
How do I know if my current vendor is under third-country jurisdiction?
Check their ownership structure, sub-processor list, and data processing agreements. If they’re US-owned, even with EU servers, foreign laws may still apply.
Does it matter where (geographic location) your data is stored?
Yes. GDPR doesn’t strictly require data localisation, but EU personal data must always be protected by GDPR standards. In practice, many sectors prefer EU-only hosting to avoid foreign laws and simplify compliance.
Sources
- Court of Justice of the European Union. (2020). Judgment of the Court (Grand Chamber) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18 (Schrems II).
- Digital Samba. (2025). Data Privacy and Data Security.
- Digital Samba. (2025). Legal Information.
- European Commission. (n.d.). Adequacy decisions.
- European Commission. (n.d.). Transfer of personal data to third countries.
- European Data Protection Board. (2021). Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0).
- European Union. (2016). General Data Protection Regulation (EU) 2016/679.
- Executive Order No. 12333, 3 C.F.R. 200 (1981).
- U.S. Congress. (2018). Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 18 U.S.C. § 2713.
- U.S. Foreign Intelligence Surveillance Act of 1978, 50 U.S.C. § 1881a (FISA Section 702).