What is GDPR / data protection in the cloud?

The GDPR (General Data Protection Regulation) governs across the EU how personal data may be processed lawfully. Data protection in the cloud means meeting these requirements even when data is processed by a cloud provider such as Microsoft Azure — through data processing agreements, encryption, access control and the choice of suitable storage locations.

Also known as: GDPR · DSGVO · data protection · data processing agreement · GDPR compliance

01

Where it is used

The GDPR sets out principles: data may only be processed for a defined purpose, in a data-minimizing way and on a legal basis, and data subjects have rights such as access or erasure. In the cloud, responsibility is shared on top of this — the company remains the controller, the cloud provider becomes a processor, governed by a data processing agreement (DPA).

In practice, data protection in the cloud means shaping technical and organizational measures so that GDPR principles are upheld: choosing an EU region for data storage, encryption at rest and in transit, strict access control and traceable logging. Security and data protection are tightly intertwined here.

02

A practical example

A SaaS platform for the insurance industry processes personal data and must be GDPR-compliant from the start. The infrastructure runs in an EU region of Azure, secrets live in a managed vault, access requires multi-factor authentication and traffic is encrypted. This makes processing not only secure but also documented in a way that holds up under data protection law.

03

Benefits & typical use cases

A data-protection-compliant cloud architecture creates legal certainty and trust — especially in regulated industries.

  • Legally sound processing of personal data with a documented basis
  • Data storage in EU regions to reduce third-country risks
  • Encryption and strict access control as technical safeguards
  • Traceability for audits and data subject rights through logging

04

How it differs from related terms

Data protection is not the same as IT security: the GDPR is a legal framework for personal data, while IT security provides the technical means to implement it. Data protection in the cloud therefore builds on measures such as IAM, MFA, networking & security and secure secret management, but adds legal and organizational obligations such as the DPA.

05

How smiit works with it

smiit implements data protection technically instead of only promising it. For Claimity AG, a GDPR-compliant Azure infrastructure was built as infrastructure as code — with EU data storage, Azure Key Vault for secrets, Keycloak for identity and MFA, and protection through Azure Front Door and a virtual network. This anchors data protection reproducibly in the architecture rather than relying on manual diligence.
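As an added illustration (not smiit's or Claimity AG's code), the following Terraform fragment shows how two of the measures named above, EU-only data storage and a hardened Azure Key Vault, can be pinned in infrastructure as code instead of relying on manual diligence. Resource names are constructed, the list of allowed regions is an assumption, and the policy definition id is Azure's built-in "Allowed locations" policy.

```hcl
terraform {
  required_providers {
    # azurerm 3.x argument names are used below (e.g. enable_rbac_authorization)
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Resource group pinned to an EU region (assumption: West Europe).
resource "azurerm_resource_group" "rg" {
  name     = "rg-gdpr-example" # constructed name
  location = "westeurope"
}

# Built-in "Allowed locations" policy: any resource that would be created in
# this group outside the listed EU regions is denied at deployment time, so
# the EU storage requirement is enforced rather than merely documented.
resource "azurerm_resource_group_policy_assignment" "eu_only" {
  name                 = "eu-regions-only"
  resource_group_id    = azurerm_resource_group.rg.id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
  parameters = jsonencode({
    # assumed region list; adjust to the regions the DPA actually covers
    listOfAllowedLocations = { value = ["westeurope", "northeurope", "germanywestcentral"] }
  })
}

# Key Vault for secrets: Azure RBAC instead of vault access policies, soft
# delete with purge protection (deleted secrets cannot be wiped immediately),
# and no public network access by default, so only explicitly allowed
# services and private endpoints can reach the vault.
resource "azurerm_key_vault" "kv" {
  name                          = "kv-gdpr-example" # constructed; must be globally unique
  location                      = azurerm_resource_group.rg.location
  resource_group_name           = azurerm_resource_group.rg.name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  enable_rbac_authorization     = true
  purge_protection_enabled      = true
  soft_delete_retention_days    = 90
  public_network_access_enabled = false

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}
```

Because the region policy is assigned at the resource group and the vault settings live in code, a review of the pull request that changes them is also the audit trail the GDPR's accountability principle asks for.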

Common mistakes & misconceptions

  • The GDPR is often perceived as merely a cookie-banner obligation — yet it governs the entire processing of personal data, from collection to deletion.
  • Many think using a cloud outside the EU is automatically unlawful; what matters are appropriate safeguards such as standard contractual clauses and an adequate level of protection.
  • People assume data protection is solely the IT department's job; in reality it affects processes, contracts and responsibilities across the whole organization.

Frequently asked questions

Is using Microsoft Azure even possible in a GDPR-compliant way?

Yes, with the right design. The key factors are choosing an EU region, a data processing agreement, encryption and controlled access. Responsibility for the correct configuration remains with the company.

What is a data processing agreement (DPA)?

A DPA governs the obligations between controller and processor, such as the cloud provider. It is a central prerequisite for having personal data processed lawfully in the cloud.

How do data protection and IT security relate?

Data protection defines the legal requirements; IT security provides the technical means to implement them. Without appropriate security measures such as encryption and access control, GDPR compliance is practically unachievable.

Is it enough to simply choose an EU region for data storage?

Choosing an EU region is an important building block, but on its own it is not sufficient. It also requires a data processing agreement, technical measures such as encryption and access control, and organizational obligations. Support or administrative access from third countries must be considered as well.

Which obligations remain with the company when it uses a cloud provider?

As the controller, the company remains responsible for the lawfulness of the processing — for instance the legal basis, purpose limitation, data subject rights and correct configuration. The provider acts as a processor within the scope of the DPA but does not take that responsibility off the company's hands.
