
GDPR Data Residency for EU Insurance Firms: Cloud Provider Comparison and Compliance Guide

GDPR Chapter V cross-border transfer rules, Schrems II implications, adequacy decisions, SCCs, and a practical comparison of AWS Frankfurt vs Hetzner Nuremberg vs Azure West Europe for EU insurance firms.

PrizMova Europa

For EU insurance firms, data residency is not a preference — it is a legal imperative. Every health record, policy document, and claims file you hold about EU policyholders is personal data governed by the GDPR. Where that data is stored, processed, and backed up determines which legal safeguards apply and whether you can demonstrate compliance to your national data protection authority.

This guide explains the GDPR framework for international data transfers, the implications of the Schrems II ruling, current adequacy decisions, and a practical comparison of the major cloud infrastructure options used by EU insurance firms.

GDPR Chapter V: The Framework for International Transfers

Chapter V of the GDPR (Articles 44–49) governs transfers of personal data to third countries (countries outside the EU/EEA). Article 44 establishes the general principle: a transfer may only take place if the conditions in Chapter V are complied with. This applies to any transfer — including cloud storage, email routing, support ticket access by a non-EU team, or software-as-a-service tools that process data on non-EU servers.

The mechanisms available for lawful transfer are:

1. Adequacy Decisions (Article 45)

The European Commission may determine that a third country offers an adequate level of data protection. Transfers to adequate countries require no additional safeguards. Current adequacy decisions as of April 2026 include:

  • United Kingdom (adequacy decision adopted June 2021, under review).
  • United States — the EU-US Data Privacy Framework (DPF), adopted July 2023 following the Schrems II invalidation of Privacy Shield. DPF-certified organisations can receive EU personal data without additional safeguards. However, the DPF remains subject to legal challenge and potential invalidation.
  • Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, Uruguay.

Important caveat for insurance firms: even where a US cloud provider is DPF-certified, US intelligence laws (notably FISA Section 702 and Executive Order 12333) may enable US government access to data held in EU data centres by US-headquartered providers. The risk assessment for this access must be part of your Transfer Impact Assessment (TIA) where relevant.

2. Standard Contractual Clauses (SCCs)

The European Commission's modernised SCCs (adopted June 2021) are the most widely used transfer mechanism for non-adequate countries. The 2021 SCCs introduced a modular structure covering controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor transfers. Where you use a cloud provider that processes data on your behalf, the controller-to-processor modules apply.

After Schrems II (C-311/18, July 2020), SCCs alone are no longer sufficient in all cases. You must conduct a Transfer Impact Assessment (TIA) to determine whether the legal framework of the destination country allows the SCCs' protections to be upheld in practice. If the TIA identifies a gap, you must implement supplementary technical or contractual measures.

3. Binding Corporate Rules (BCRs)

BCRs are internal codes of conduct for multinational groups, approved by a lead DPA. They allow intra-group transfers to non-adequate countries. BCRs are not relevant for most insurance brokers but may be relevant for multinational insurance groups with non-EU affiliates.

4. Derogations (Article 49)

Limited transfers for specific purposes are permitted without an adequacy decision or SCCs — e.g., when the transfer is necessary for the conclusion or performance of a contract with a policyholder (Article 49(1)(b)). However, EDPB guidance makes clear that Article 49 derogations are exceptions and cannot be used to legitimise routine, repeated transfers.

Schrems II and Its Practical Impact on Insurance Firms

The Court of Justice of the EU's Schrems II ruling in July 2020 invalidated the EU-US Privacy Shield and placed the legality of all SCC-based transfers to the US under scrutiny. The ruling established that SCCs are valid as a mechanism, but require a case-by-case TIA.

For insurance firms, the practical implications are:

  • Any US-based software vendor (CRM, document management, email, claims platform) that accesses or stores EU client data must have a valid transfer mechanism — DPF certification, SCCs with a completed TIA, or both.
  • Vendors that are DPF-certified but route EU data through US servers should be treated with heightened scrutiny, particularly for health data where US HIPAA protections do not apply to non-US entities.
  • Log review and support access by non-EU staff at your software vendors constitute a transfer — check your vendors' support access controls.

Cloud Provider Comparison: EU Insurance Use Cases

AWS Frankfurt (eu-central-1 / eu-central-2)

Data residency: AWS offers EU data residency commitments through its EU Data Boundary programme (generally available since January 2024). Data stored in eu-central-1 (Frankfurt) or eu-central-2 (Frankfurt) is guaranteed to remain in Germany, with EU-resident control plane operations.

GDPR status: AWS is subject to the US CLOUD Act and FISA Section 702. The EU Data Boundary programme includes technical measures (encryption, access controls) designed to address Schrems II TIA concerns, and AWS has committed to challenge US government access requests. A TIA is still recommended for processing special category health data.

Insurance-relevant certifications: ISO 27001, SOC 2 Type II, BSI C5 (Germany's cloud security catalogue), PCI DSS.

Latency: Excellent for EU users; Frankfurt is a Tier 1 internet hub with sub-10ms latency to most of Western Europe.

Hetzner Nuremberg (FSN1) and Helsinki (HEL1)

Data residency: Hetzner Online GmbH is a German company with data centres in Germany (Nuremberg, Falkenstein) and Finland (Helsinki). All data processing occurs within the EU; there is no US parent company and no US legal jurisdiction exposure under CLOUD Act or FISA.

GDPR status: Hetzner is entirely subject to EU/German law. The absence of US parent company jurisdiction makes Hetzner the cleanest option from a Schrems II perspective — no TIA concerns, no US government access risk, no DPF dependency. For insurance firms processing large volumes of Article 9 health data, this is a material compliance advantage.

Insurance-relevant certifications: ISO 27001 (Hetzner holds ISO 27001 certification for its data centres). Fewer enterprise certifications than AWS — if your clients or reinsurers require BSI C5 or FedRAMP, Hetzner may not meet procurement criteria.

Latency: Very good for EU users; Nuremberg and Helsinki connect well to DACH, Nordics, Benelux, and UK markets. Slightly higher latency to Southern Europe compared to Frankfurt-based providers.

Cost: Significantly lower than AWS or Azure for equivalent compute and storage, with no data egress fees for traffic within the Hetzner network. For cost-sensitive insurance brokers and MGAs, Hetzner offers the best cost-compliance profile.

Microsoft Azure West Europe (Amsterdam) and North Europe (Dublin)

Data residency: Azure offers EU Data Boundary commitments (generally available from January 2024), keeping data within the EU for in-scope services. Microsoft stores and processes data in the declared EU boundary region.

GDPR status: Microsoft is a US company subject to the CLOUD Act. Similar TIA considerations apply as with AWS. Microsoft's EU Data Boundary and contractual commitments to challenge government access requests are the most mature of any US hyperscaler, given Microsoft's long history of legal challenges to US government data access demands.

Insurance-relevant certifications: ISO 27001, SOC 2, BSI C5, ISO 27017, ISO 27018 (specific to cloud privacy). Azure has the broadest enterprise certification portfolio of any cloud provider, making it the preferred choice for large insurance groups with demanding procurement and audit requirements.

Latency: Excellent; Amsterdam and Dublin are major European connectivity hubs.

Practical Guidance: Choosing an Architecture for GDPR Compliance

For EU insurance firms, the optimal architecture depends on your size, risk profile, and data sensitivity:

  • Small brokers and MGAs: Hetzner (Nuremberg or Helsinki) for primary data processing and storage; simplest Schrems II position; lowest cost; well-suited for firms using PrizMova Europa, which is deployed on Hetzner infrastructure by default.
  • Mid-market insurance intermediaries: AWS eu-central-1 or Azure West Europe with EU Data Boundary enabled; documented TIA on file; DPA-reviewed SCCs with your providers.
  • Large insurance groups with reinsurance relationships: Azure West Europe for core systems (strongest enterprise certification portfolio); Hetzner or dedicated colocation for highest-sensitivity health data where you want zero US-law exposure.

Regardless of provider, you must document your transfer mechanism, complete a TIA where required, and update your ROPA to reflect data locations accurately. For the interaction between data residency and DORA third-party risk requirements, see our DORA ICT risk management guide. For Solvency II regulatory reporting data residency requirements, see our Solvency II QRT reporting guide.
