Data Sovereignty

Data sovereignty refers to the authority to dispose of data and serves as a collective term for the many facets associated with the processing of digital data – including data protection, encryption, transmission, and storage. Anyone who stores data in the cloud or uses IT services from external service providers must ensure appropriate data protection measures and familiarize themselves with the legal regulations. What are the requirements for data sovereignty and how do you maintain it?

What is data sovereignty?

Data sovereignty is a legal term that refers to legal guidelines relating to data. It is closely linked to data protection, cloud computing, and technological sovereignty. Data sovereignty laws create rules for the authority of governments and companies to dispose of digital user and business data. Data sovereignty thus refers specifically to the following questions:

  • Who owns the data?
  • Who is allowed to store the data?
  • How can data be stored?
  • How can data be used?
  • How is data protected?
  • What happens in the event of data misuse?

In times of organized cyberattacks, microtargeting, targeted advertising, and data giants like Google, Apple, Facebook, and Tencent, the definition of data ownership is far from clear. Private users and companies that use cloud services and external servers are often unaware that their externally stored data doesn’t always belong to them. This is exactly where data sovereignty comes into play.

Because a growing number of small and medium-sized companies appreciate cloud computing, i.e. the outsourcing of company data and technology to external servers, the importance of data sovereignty cannot be underestimated. If servers are located in countries where data protection guidelines do not meet European standards, the question of data sovereignty should be clearly clarified.

Data sovereignty and the cloud

The advantages of cloud computing are well known. However, as soon as sensitive data is not stored in-house but on external servers and possibly in other countries, questions over data security and data ownership arise.

Unless contractually stipulated, third-party providers may be allowed to analyze and sell data. In the EU, companies that process personal data are obliged to guarantee the highest level of data security. Therefore, verifiable data protection and modern compliance guidelines are essential. Both for companies that outsource their IT and for companies that provide IT services. If a company loses or neglects data sovereignty, this can have serious legal consequences.

Data sovereignty and the three states of data

Data can take on the following three stages online, in enterprise networks, and in the cloud:

  • Data-in-use: Data currently in use
  • Data-in-motion: Data currently being transmitted
  • Data-at-rest: Data stored locally or in the cloud

Data sovereignty used to be discussed primarily in connection with data-at-rest, i.e., stored data. Today, different standards apply: data security, revision security, and data sovereignty apply regardless of storage location, especially when external providers process company data. Companies must retain data sovereignty for all three stages. This high standard of data protection can be implemented using encryption software that ensures only select companies can decode sensitive, encrypted data.

IONOS Cloud Compute Engine

Medium-sized and large companies choose the cloud from Germany. IaaS and PaaS are services for champions.


What is the importance of data sovereignty for businesses?

In times of digitalization, public sector companies and those operating as part of the free economy must observe two basic rules to guarantee data security:

  1. IT infrastructure must be secure, flexible, and up to date at all times
  2. Data sovereignty over customer, user, and business data must be guaranteed.

Once appropriate safeguards and contractual arrangements are in place, companies can protect trade secrets and process personal data in accordance with EU data protection directives. Companies should always know how third-party service providers handle data and what rights of use they have. Since there are also legal uncertainties and gray areas when it comes to data sovereignty, it should be contractually regulated what happens to data and how it is stored, processed, and transferred.

An example:

If a production company wants to increase its performance, it can use the cloud and web services of a managed service provider. Via data analysis, this provider could, for example, make forecasts on maintenance tasks and determine the company's optimization potential.

Although the commissioning company should have data sovereignty in this case, this does not mean it necessarily has access to all data analyses of the commissioned company. Unless otherwise contractually agreed, parts of the data could also be reused or sold to third parties. Here, a lack of data sovereignty creates a security risk and a competitive disadvantage for companies.

What is the legal framework for data sovereignty?

Small online retailers or large-scale producers – the evaluation of customer and business data is important to allow businesses to quickly adapt production and services to meet customer expectations and behavior. Since it has become near impossible to hermetically seal off data from third-party access, legal frameworks are required. In addition to individual contractual arrangements between clients and service providers, national and international data protection regulations such as the EU General Data Protection Regulation (GDPR) are guidelines for data sovereignty.

A general data protection law that sets out basic guidelines for the protection of personal data does not exist in the USA. While there are specific data protection regulations for industries in the EU, data protection here is based on the voluntary commitment of US companies. In addition, US authorities have extensive powers of disposal over data. If European companies use the services of American cloud providers or web service providers, data protection gaps can arise.

What to consider when implementing data sovereignty?

According to the GDPR, companies that process personal data must take “appropriate technical and organizational measures to ensure a level of protection appropriate to the risk”. Data protection and data sovereignty present as complex tasks for companies. In particular, balancing the protection of corporate data, personal data, and a strong market position can be difficult. Since the GDPR focuses primarily on personal data, companies must ensure that users are informed about and consciously consent to the processing of their personal data. At the same time, the analysis of user data is a crucial success factor for digital companies.

In order to harmonize data sovereignty, data protection, and corporate success, it is advisable to hire data protection officers to oversee your company's data sovereignty. In addition, it should be clarified which data protection and data use guidelines third-party companies and partner companies have. A privacy policy is obligatory and should transparently communicate your measures to securely process data. Essential technical and organizational measures include:

  • Pseudonymization and encryption of data
  • Confidentiality and integrity of systems
  • Technical resilience of systems
  • Recovery and availability of data after technical emergencies
  • Regular review, assessment, and evaluation of protective measures
  • Compliance with and incorporation of data protection measures by employees

IONOS S3 Object Storage

The IONOS S3 Object Storage is ideal for backups as well as archiving company data. You can store any amount of static data for a reasonable price.

Highly scalable

Outlook: Data sovereignty in the US

US data security measures are still far behind those of European counterparts despite initiatives such as the US CLOUD Act. US authorities can legally access data without a judge's order if it is stored on servers that are subject to the US CLOUD Act. This also applies when it comes to American providers with European computer centers.

The European initiative for high-security, privacy-compliant, and market-ready data infrastructures is called Gaia-X. Gaia-X is partnering with IONOS Cloud and others to work on a data infrastructure that will become Europe's alternative to cloud computing services provided by the likes of Amazon, IBM, Google, Alibaba, or Microsoft. This would allow companies to securely process data via intra-European computer centers, ensure data sovereignty, and prevent the outflow of industrial and personal data to non-European actors. The infrastructure aims to be based on transparent, freely selectable network nodes and data centers whose attributes, capabilities and requirements are clearly communicated. Customers should be able to switch providers effortlessly without becoming dependent on web service providers and managed service providers or through cloud and vendor lock-in.


The GDPR sets out clear guidelines for the processing of personal data. Among other things, companies are also obliged to document and prove protective measures. For more information, read the following article on the EU GDPR requirements.

We use cookies on our website to provide you with the best possible user experience. By continuing to use our website or services, you agree to their use. More Information.