Meeting the data processing agreement (DPA) requirement

As many of our customers are aware, the EU’s General Data Protection Regulation (GDPR) came into effect on 25 May 2018. Many organisations have geared  up to comply with their GDPR requirements by this date. Hetzner has done the same. We are committed to complying with our obligations in the GDPR, including in our role as a data processor for our customers.

What role does Hetzner perform for you?

We are the controller of your personal data when you sign up with us. We are the processor when we store the data that you have uploaded to your hosting package on Hetzner’s servers.

When we provide services to you, you are the data controller, i.e. you decide the purpose and means of how we process your data. This means that you decide how and why we process your data when we provide services to you.

As a processor, we merely process the data on your behalf, such as hosting your data on our managed hosting servers. We are a ‘low-touch’ processor, which means that Hetzner has no knowledge of the actual content of data that our customers store on our hosting platform.

What are the GDPR requirements?

As the controller, the GDPR requires you to conclude agreements with your processors when they process your personal data. Some customers require their processors to sign a Data Processing Agreement (DPA) to fulfil this requirement.

At Hetzner, we have taken the proactive step to update our Terms of Service in line with our requirements in the GDPR. This means that you do not need to use a DPA, because these requirements have been included in our Terms of Service under ‘Data Processing’ (clause 19). The clause describes the steps we take to ensure that we meet our processor obligations when we provide services to you. You can view our Terms of Service or find out more on our website’s Legal Centre.