Before the first data of a customer, employee or patient crosses the servers of an automation platform, there is a question that few medium-sized companies ask themselves with the necessary precision: Where is this data processed, under what jurisdiction and what happens if that jurisdiction is not the European Union?
The General Data Protection Regulation establishes specific conditions for transfers of personal data to third countries [1]. It is not a bureaucratic requirement or a technical detail. It is a legal obligation with direct consequences: the Spanish Data Protection Agency imposed fines of more than 7 million euros in 2023 on Spanish companies for violations of the GDPR, with international transfers without adequate guarantees being one of the most sanctioned categories [10].
This article is not a legal analysis. It is a practical guide for the chief operating officer (COO) of a company with between 50 and 500 employees: which questions must be answered before signing a contract with any cloud automation platform, which tools give the company more control over its data, and in which cases self-hosting ceases to be a technical option and becomes an obligation.
LEGAL NOTE
Important notice: This article does not constitute legal advice. The specific implications of the GDPR for each organization depend on its specific processing activities. If you have any questions, consult a data protection officer or specialized legal advisor.
What the GDPR says about international data transfers
The GDPR does not prohibit sending data outside the European Union. It sets conditions. Articles 44 to 49 of the Regulation regulate when and how personal data can be transferred to third countries [1]. There are three main mechanisms that allow this: an adequacy decision by the European Commission (the destination country offers a level of protection equivalent to the European one), standard contractual clauses (model contracts approved by the Commission that the provider signs) and binding corporate rules (mainly applicable to intragroup transfers in multinationals).
The United States has had an adequacy decision since July 2023, the EU-US Privacy Framework (Implementing Decision 2023/1795), which replaces the Privacy Shield invalidated by the Court of Justice of the EU in 2020 [2]. This means that transferring data to US companies certified under this framework is, in principle, compliant with the GDPR. The problem is that the legal strength of this agreement is still being questioned and that certification is voluntary: not all American SaaS platforms are certified, so the certification status of each specific provider must be checked rather than assumed.
For regulated sectors (healthcare under Law 41/2002, financial services under the MiFID II Directive, critical infrastructures under the NIS2 Directive), the obligations go beyond the GDPR [11]. The NIS2 Directive, applicable since October 2024, adds risk management requirements for the technological supply chain, including automation providers with access to internal systems.
Data residency map by platform (verified as of March 2026)
The differences between platforms at this point are substantial. What follows is not an opinion: it is the data published by each vendor in their official documentation and verified as of the date of publication of this article.
When self-hosting ceases to be a technical option and becomes an obligation
There are three situations in which the debate about which cloud platform to choose ceases to be relevant, because the correct answer is not to use any cloud platform for that particular flow.
1. Health data and patient records
Law 41/2002 on patient autonomy and Regulation (EU) 2016/679 establish a reinforced regime for health-related data (a special category of data under Article 9 GDPR). Any automation that processes patient data (records, test results, medical appointments, billing linked to a diagnosis) must be carried out with guarantees that this data does not leave the infrastructure controlled by the healthcare organization, or that the provider holds specific certifications (HIPAA in the US, equivalent measures in the EU) and signs a data processor contract in accordance with Article 28 of the GDPR.
For clinics, hospitals, medical insurers and any company with access to health data, n8n self-hosted or Xano on a Custom plan with HIPAA compliance are, of the options discussed in this article, the only ones that can meet this requirement.
2. Bank secrecy and financial data
Financial institutions, and companies that provide services to financial institutions, are subject to the MiFID II Directive, to Law 10/2014 on the organization, supervision and solvency of credit institutions, and in many cases to the requirements of the European Banking Authority on the outsourcing of cloud services (EBA/GL/2019/02). These frameworks do not prohibit the cloud, but they require that the entity maintain effective control over the data and be able to audit the provider.
The platforms that offer self-hosting or EU data residency verifiable with contractual SLA are the ones that best fit these requirements.
3. Data for minors
Article 8 of the GDPR and Organic Law 3/2018 (LOPDGDD) establish specific conditions for the processing of children's data. In Spain, the consent of children under 14 years of age requires authorization from parents or guardians.
Educational organizations, academies and any company that serves minors must carefully evaluate which automation flows involve data on students, their families or their academic performance, and ensure that these data are not transmitted to platforms outside the EU without adequate guarantees.
GDPR compliance checklist before implementing any automation
What follows is a practical checklist so that the management team can evaluate any automation platform before contracting it. It is not a substitute for a legal audit, but it identifies the critical points that must be resolved before the first production data crosses the provider's servers [3].
The real cost of not asking first
The usual argument for not carrying out this analysis before contracting a platform is urgency: there is a process to solve now, the provider looks good and "we'll see about the GDPR". The problem is that the moment when it is discovered that a production automation violates the GDPR is always the worst one: when data from thousands of customers is already being processed on servers that should not be processing it.
According to Deloitte, 45% of cybersecurity incidents with significant impact in 2023 were attributed to a vendor or third party with access to the organization's systems [12]. Automation platforms are, by definition, third parties with access to the data that flows through company processes. Gartner estimates that by 2025 75% of the world's population will be covered by modern privacy regulations [3]. The trend is toward more regulation, not less.
The economic argument is also clear. Migrating a production automation (with all its workflows, integrations and historical data) from one platform to another because the former does not meet data residency requirements has a real cost: engineering time, risk of data loss and a period of operational disruption. Asking the question before contracting costs nothing.
The decision of which automation platform to use isn't just a technical one. It is legal and operational at the same time. The technical team can evaluate the integrations and the price. Only the data controller — who in most medium-sized SMEs is the CEO or COO — can decide what level of regulatory risk is acceptable to the organization.
Self-hosting as a strategy, not an option of last resort
For years, self-hosting was the option of organizations with technical resources and a budget for their own servers. The appearance of platforms such as n8n (open-source automation), Supabase (self-hostable PostgreSQL backend) or Xano (no-code backend with an on-premise option) has changed this calculation: today it is possible to build an automation and data architecture entirely on the company's own infrastructure, with modern tools and without the license cost that previously made this option inaccessible.
For companies in regulated sectors (healthcare, insurance, banking, education with children's data, critical infrastructures under NIS2), self-hosting is not an elegant technical option. It is the most direct answer to a regulatory question: where is my data? If the answer is "on our own servers", the compliance analysis is radically simplified.
For other medium-sized companies, those that do not operate in sectors with special requirements, the choice between a cloud platform with EU data residency and self-hosting depends on the volume of data, the technical profile of the team and management's appetite for regulatory risk. What is no longer acceptable is to make that decision without having considered it.
References
1. Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. DOUE L 119/1, 4.5.2016. Articles 44 to 49 regulate transfers of personal data to third countries or international organizations.
2. Spanish Data Protection Agency (AEPD). (2023). Guide to international data transfers. AEPD. https://www.aepd.es/guias/guia-transferencias-internacionales.pdf — The AEPD states that transfers to countries without an adequacy decision from the European Commission require additional guarantees (standard contractual clauses, binding corporate rules). The US has had an EU-US Privacy Framework since July 2023 (EU Implementing Decision 2023/1795), although its legal stability is subject to debate.
3. Gartner. (2024). Predicts 2025: Privacy, Data Security and Risk Management. Gartner Research. Gartner estimates that by 2025, 75% of the world's population will see their personal data covered by modern privacy regulations. In the EU, the GDPR already affects all organizations that process data from European residents, regardless of their size.
4. ONTSI/ Red.es. (2024). Digital technologies in business 2023. National Observatory of Technology and Society. https://www.ontsi.es/es/publicaciones/tecnologias-digitales-en-la-empresa-2023 — Only 13.9% of Spanish companies analyze big data; 74.2% of SMEs have a basic level of digital intensity. The Digital Kit (Royal Decree-Law 36/2020) offers grants of up to €29,000 per company for digitalization, including management and automation tools.
5. Make (2026). Enterprise Plan. https://www.make.com/en/enterprise — Make offers EU data residency as an option in its Enterprise plan, with servers located in the European Union. Make's registered office is Prague, Czech Republic (EU). The On-Prem Agent allows access to local networks without exposing ports to the outside.
6. n8n (2026). Pricing & Self-hosting. https://n8n.io/pricing — n8n operates its cloud from European infrastructure (Berlin). The Community (self-hosted) version is free under a fair-code license and allows installation on the organization's own infrastructure without any data leaving its servers. The Enterprise plan includes SSO/SAML, audit logs, RBAC and HA clustering.
7. Zapier. (2026). Plans & Pricing. https://zapier.com/pricing — Zapier is based in San Francisco, California (USA) and does not offer EU data residency in its standard plans. Transfers to Zapier from the EU are covered by the EU-US Privacy Framework (Decision 2023/1795), whose long-term legal strength is still being evaluated by European courts.
8. Xano. (2026). Security & Compliance. https://www.xano.com/security — Xano is SOC 2 Type II, SOC 2 Type III and ISO 27001 certified. HIPAA compliance is available as an add-on ($500/month). Self-hosting is available on a Custom plan (AWS, Azure, GCP or on-premise). 99.99% SLA on the Pro plan.
9. Supabase. (2025). Enterprise. https://supabase.com/enterprise — Supabase offers full self-hosting (the core is open source under the Apache 2.0 license). In October 2025, it reached a valuation of $5,000M (Series E, Accel + Peak XV). Verified enterprise customers: PwC, McDonald's, Johnson & Johnson, GitHub Next. Available on AWS Marketplace since December 2025.
10. Spanish Data Protection Agency (AEPD). (2024). Resolved sanctioning procedures 2023-2024. AEPD. https://www.aepd.es/resoluciones — The AEPD imposed fines totaling more than €7M in 2023 for breaches of the GDPR by Spanish companies. The most common breaches include international transfers without adequate safeguards and a lack of legal basis for processing.
11. Directive (EU) 2022/2555 (NIS2), Article 21. Cybersecurity risk management measures for essential and important entities. The NIS 2 Directive, applicable since October 2024 in the Member States that have transposed it, adds security obligations for organizations in critical sectors (energy, transport, health, digital infrastructures, public administration) that include the management of the technological supply chain.
12. Deloitte. (2023). 2023 Global Future of Cyber Survey. Deloitte Insights. https://www.deloitte.com/global/en/services/risk-advisory/research/future-of-cyber.html — 91% of the organizations surveyed experienced at least one cybersecurity incident with significant impact in the past year. 45% attribute the incident to a vendor or third party with access to their systems. Cloud automation services are a growing risk vector when the data chain is not audited.