tolinax

Cloud or own server: what Schrems II means

Schrems II and the cloud: what the ruling means in practice, when your own server makes sense, and when the cloud is still the better call.

Since the European Court of Justice ruled in July 2020, almost every mid-sized company asks us the same thing in the first meeting. Can we still keep our data in the cloud at all? The honest answer is uncomfortable. It depends which data you mean and where it travels.

Choosing between cloud and your own hardware used to be arithmetic. Running costs against capital expenditure, flexibility against control. That calculation still exists. It is simply no longer the only one you have to do.

What the ruling actually changed

The court struck down Privacy Shield, the arrangement many companies relied on when sending data to the United States. It did not strike down the standard contractual clauses. It did make clear that signing them is not the end of the story. You have to assess whether the destination country offers protection essentially equivalent to European law. If it does not, you need additional safeguards. Or you drop the transfer.

That is the part people skip. The duty to make that assessment sits with you as the controller. Not with a vendor who puts a certificate badge on its website.

A processing agreement is not the end of the check

But we have a data processing agreement. We hear that a lot, and it is not wrong. It is incomplete. A processing agreement governs the relationship between you and your supplier. It does not govern whether an authority in a third country may reach into data held by a company subject to that country's law, even when the server itself sits in Frankfurt. That is exactly what troubled the court. Where the provider is incorporated can matter more than where the data centre stands.

When a European or self-hosted setup makes sense

We recommend it whenever the data is sensitive by nature. Health records. Personnel files. Engineering data detailed enough for a competitor to rebuild half your product. Customer data too, where a leak costs you more than a fine, because it costs you trust.

The second case is duller and far more common. You need software that does not exist off the shelf anyway. When we build a line-of-business application, we decide with you where it will run before the first line of code is written. That is part of our custom software development, not an afterthought handed to whoever runs the servers.

When the cloud stays the right answer

More often than the debate suggests. A company with seven employees will not run its own server with redundancy, a backup concept and a disciplined patch schedule, and it should not try. For scheduling, accounting and correspondence there are European providers who do this better than a half-maintained box in the room next to the copier.

The last eighteen months of remote work sharpened this. If people have to work from anywhere, the systems must be reachable from anywhere, safely. That is usually easier to build on a solid cloud service than on a VPN improvisation from March 2020 that nobody has touched since.

What to look for in the contract

Ask where the company is incorporated, not only where the data centre sits. Ask for every sub-processor, including the ones doing support and monitoring. Find out who holds the keys when data is encrypted. Encryption only helps as long as the provider does not need your data in the clear to deliver its features. And check what happens when you leave. In which format do you get your data back, and how long does it take?

Self-hosting is not a free pass

One sentence we would happily staple to every consulting session: your own server does not remove responsibility, it hands it back to you. Updates, backups, restore tests, access rights, physical security. If nobody owns that work, your own server is not safer than the cloud. It is just less maintained, and it feels safer because you can walk over and touch it. That feeling is a poor advisor.

Frequently asked questions

Are US services banned since Schrems II?

No. They require an assessment. For each transfer you have to judge whether the standard contractual clauses plus additional measures produce an adequate level of protection, and you have to document that judgement.

Is a German data centre enough?

Not by itself. What matters is also who can lawfully compel access to the systems. A German location does not solve the problem if the provider answers to law outside the EU.

What does running your own server really cost?

The hardware is the smaller item. Budget for continuous maintenance, backups, restore tests and availability. If you cannot or will not budget for that, a European provider is the better deal.

If you are facing this decision and cannot tell which category your case falls into, we will sort it out with you. A conversation, with no obligation and no sales pressure.

This article is part of our knowledge hub Custom software development.