Enforced since May 25, 2018, the General Data Protection Regulation (GDPR) has profoundly transformed the legal framework for personal data management in Europe. Yet, nearly eight years after its enforcement, many businesses maintain non-compliant backup practices: hosting outside the EU, lack of encryption, vague retention policies, incomplete data processing agreements. The penalties are significant: up to EUR 20 million or 4% of annual global turnover, whichever is higher. This guide details the GDPR obligations applied specifically to backups and the practical solutions to achieve compliance.
What the GDPR requires for backups
The GDPR does not contain an article exclusively dedicated to backups, but several provisions apply directly. Three fundamental articles govern the obligations of data controllers and their processors regarding backup.
The GDPR is based on the principle of accountability: it is not enough to be compliant, you must be able to demonstrate it. Your backup practices must therefore be documented, auditable, and regularly verified.
Key articles:
Article 5 - Principles relating to processing
Article 5(1)(f) requires that personal data be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage (integrity and confidentiality). Backups are the primary mechanism to satisfy this requirement for protection against accidental loss.
Article 32 - Security of processing
Article 32(1)(c) explicitly mentions "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident". This is the direct obligation to have functional and tested backups. Article 32(1)(a) also requires pseudonymization and encryption of personal data as security measures.
Article 28 - Processor
When you entrust your backups to an external provider, they act as a processor under the GDPR. Article 28 requires a written contract detailing processing instructions, security measures, confidentiality obligations, and the conditions for data return or deletion at contract end.
Integrity: backed-up data must not be altered.
Confidentiality: only authorized persons access the backups.
Availability: restore possible within appropriate timeframes.
Data hosting: why location matters
The GDPR strictly regulates transfers of personal data outside the European Economic Area (EEA). The Schrems II ruling by the Court of Justice of the European Union (July 2020) invalidated the Privacy Shield and made transfers to the United States particularly problematic. Even the new EU-US Data Privacy Framework adopted in 2023 remains contested and could be subject to a "Schrems III."
The US CLOUD Act (2018) allows American authorities to demand access to data stored by American companies, regardless of the hosting country. Using a backup provider subject to US law (AWS, Azure, Google Cloud) therefore potentially exposes your personal data to extraterritorial access incompatible with the GDPR.
Why host in France:
Maximum legal certainty
No risk of transfer outside the EU, no Standard Contractual Clauses (SCC) needed. French and European law applies fully, without legal gray areas.
Protection from extraterritorial laws
A French hosting provider not subject to the CLOUD Act or FISA 702 cannot be compelled to disclose your data to a foreign power without going through international mutual legal assistance mechanisms.
Optimal latency and performance
A datacenter in France offers reduced transfer times for backups and restores, a concrete advantage for meeting Article 32(1)(c) requirements on "appropriate timeframes."
NimbusBackup: 100% France. Our infrastructure is hosted in Equinix datacenters in the Paris region, on our own autonomous network (AS206014). No data leaves French territory. RDEM Systems is a company under French law, not subject to the CLOUD Act.
Encryption: an obligation of means
Article 32(1)(a) of the GDPR explicitly cites encryption among the technical security measures. This is an obligation of means: the data controller must implement encryption adapted to the sensitivity of the data and to the state of the art. In 2026, the reference standard is AES-256, considered computationally infeasible to break with current technology.
Encryption best practices for backups:
Client-side encryption
Data must be encrypted before transmission to the backup provider. This way, even if the backup server is compromised, the data remains unreadable. The provider never has the decryption keys.
Secure key management
Encryption keys must be stored separately from encrypted data. The client retains the sole copy of their encryption key. A key vault or HSM module can strengthen this management.
Encryption in transit (TLS 1.3)
Backup transmission between your infrastructure and the backup server must be encrypted via TLS 1.3 minimum, protecting against network interceptions (man-in-the-middle attacks).
Native encryption in Proxmox Backup Server
PBS natively integrates AES-256-GCM client-side encryption. When configuring a backup job, an encryption key is generated locally on your Proxmox server. Data is encrypted before deduplication and transmission. The remote PBS server only receives encrypted chunks it cannot decrypt.
This "zero-knowledge" architecture complies with CNIL recommendations for encrypting data entrusted to a processor.
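To make the zero-knowledge property concrete, here is an added Go example (not NimbusBackup's or Proxmox's code; it models rather than reproduces PBS's chunk and key format) in which the client splits data into chunks, names each chunk by a keyed HMAC so the server can deduplicate without reading it, encrypts it with AES-256-GCM before upload, and detects on restore that a stored chunk was modified or that the wrong key was used. The `Server` map, the 16-byte chunk size and the sample record are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Illustrative model of client-side ("zero-knowledge") backup encryption. Not
// Proxmox Backup Server's real key, chunk or wire format: key layout, chunk
// naming and the server API are constructed for this example.
const chunkSize = 16 // tiny for the demo; real backup chunks are MiB-sized

// ClientKey never leaves the client; without it nobody can restore the data.
type ClientKey struct {
	aead   cipher.AEAD // AES-256-GCM under a 32-byte key
	digest []byte      // separate 32-byte key used only to name chunks
}

func NewClientKey() (*ClientKey, error) {
	raw := make([]byte, 64)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(raw[:32]) // a 32-byte key cannot fail here
	aead, err := cipher.NewGCM(block)
	return &ClientKey{aead: aead, digest: raw[32:]}, err
}

// EncryptedChunk is everything the server ever stores for one chunk.
type EncryptedChunk struct {
	ID         string // HMAC-SHA256(plaintext) under the digest key; equal plaintext, equal ID
	Nonce      []byte // fresh per chunk; never reused with the same key
	Ciphertext []byte // GCM output with the 16-byte auth tag appended
}

// encryptChunk seals one chunk and binds its ID as additional data, so a valid
// chunk cannot be silently substituted under another ID.
func (k *ClientKey) encryptChunk(plain []byte) (EncryptedChunk, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedChunk{}, err
	}
	mac := hmac.New(sha256.New, k.digest)
	mac.Write(plain)
	id := hex.EncodeToString(mac.Sum(nil))
	return EncryptedChunk{id, nonce, k.aead.Seal(nil, nonce, plain, []byte(id))}, nil
}

// Server models the processor: a content-addressed store of opaque chunks that
// deduplicates by ID without ever being able to read a chunk.
type Server map[string]EncryptedChunk

// Backup chunks the data, encrypts each chunk locally and uploads it. It returns
// the index (chunk IDs in order, needed for restore) and how many chunks the
// server actually had to receive.
func Backup(k *ClientKey, s Server, data []byte) ([]string, int, error) {
	var index []string
	uploaded := 0
	for start := 0; start < len(data); start += chunkSize {
		end := start + chunkSize
		if end > len(data) {
			end = len(data)
		}
		c, err := k.encryptChunk(data[start:end])
		if err != nil {
			return nil, 0, err
		}
		if _, known := s[c.ID]; !known { // known ID: already stored, skip the upload
			s[c.ID] = c
			uploaded++
		}
		index = append(index, c.ID)
	}
	return index, uploaded, nil
}

// Restore fetches and decrypts the chunks. A wrong key or any change to the
// stored bytes makes GCM authentication fail and aborts the restore.
func Restore(k *ClientKey, s Server, index []string) ([]byte, error) {
	var out []byte
	for _, id := range index {
		c, ok := s[id]
		if !ok {
			return nil, fmt.Errorf("missing chunk %s", id[:8])
		}
		plain, err := k.aead.Open(nil, c.Nonce, c.Ciphertext, []byte(c.ID))
		if err != nil {
			return nil, fmt.Errorf("chunk %s: %w", id[:8], err)
		}
		out = append(out, plain...)
	}
	return out, nil
}

func main() {
	key, _ := NewClientKey()
	srv := Server{}
	record := []byte("customer:alice@example.org;dob:1980-01-01;note:VIP") // constructed sample
	index, first, _ := Backup(key, srv, record)
	_, second, _ := Backup(key, srv, record) // identical data: nothing new to upload
	restored, err := Restore(key, srv, index)
	fmt.Println("uploads:", first, second, "restore ok:", err == nil && string(restored) == string(record))
}
```

Run it with `go run`: the second backup of identical data uploads zero new chunks, and flipping a single byte of a stored chunk (or restoring with a key other than the one that produced it) makes the restore fail rather than silently return altered data, which is what the integrity requirement of Article 5(1)(f) asks for. The processor holds only IDs, nonces and ciphertext.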
Right to erasure and backups
Article 17 of the GDPR enshrines the "right to erasure" (often called the "right to be forgotten"). Any person can request the deletion of their personal data when it is no longer necessary for the purposes of processing. But how do you reconcile this right with the very nature of backups, which are precisely intended to retain copies of data?
The challenge: deleting a specific piece of data from a full or incremental backup is technically complex, even impossible, without restoring the entire backup, deleting the data, and then creating a new backup. This operation is impractical at scale.
Approach recommended by authorities:
Data protection authorities, including the CNIL and the European Data Protection Board (EDPB), recognize that immediate erasure from backups is not always feasible. The best practice is to:
Delete the data from production systems immediately
The data is erased from all active databases and online systems upon receipt of a valid erasure request.
Document the erasure request
Record the request with the processing date and the systems concerned. In case of backup restoration, the data will be deleted again in accordance with the documented procedure.
Let retention do its work
Backups containing the data will be automatically deleted upon expiration of the retention policy. This is why a controlled and documented retention period is essential for GDPR compliance.
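As an added illustration of this three-step procedure (example code, not a CNIL or EDPB artefact and not NimbusBackup's tooling), the following Go program keeps an erasure register: each request is logged together with the production systems already cleaned and the date by which retention will have purged every backup that predates it, and any restore runs the restored rows through the register so that documented erasures are applied again. Type names, field names, the 90-day retention and the sample subjects are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Constructed example of the practice "delete in production, document the
// request, let retention expire" as a small erasure register. Types and field
// names are this example's own, not a CNIL or EDPB artefact.

type ErasureRequest struct {
	SubjectID string
	Received  time.Time
	Systems   []string      // production systems where the deletion was carried out
	Retention time.Duration // longest retention of any backup that may still hold the data
}

// PurgedBy is the date after which retention alone guarantees that no backup
// taken before the request still exists.
func (r ErasureRequest) PurgedBy() time.Time { return r.Received.Add(r.Retention) }

// Record is one data subject's row in a restored dataset.
type Record struct{ SubjectID, Payload string }

// Register is the documented trail consulted by auditors and restore procedures.
type Register struct {
	requests map[string]ErasureRequest
	Log      []string // human-readable audit trail
}

func NewRegister() *Register { return &Register{requests: map[string]ErasureRequest{}} }

// Add documents a request once the production deletion has been performed.
func (g *Register) Add(r ErasureRequest) {
	g.requests[r.SubjectID] = r
	g.Log = append(g.Log, fmt.Sprintf("%s: erasure of %s done on %v; backups purged by %s",
		r.Received.Format("2006-01-02"), r.SubjectID, r.Systems, r.PurgedBy().Format("2006-01-02")))
}

// StillInBackups lists subjects whose data may still sit in a backup at `now`;
// these are the requests a restore has to be checked against.
func (g *Register) StillInBackups(now time.Time) []string {
	var ids []string
	for id, r := range g.requests {
		if now.Before(r.PurgedBy()) {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// ReapplyAfterRestore filters a restored dataset: every subject with a
// documented erasure request is deleted again and the action is logged.
func (g *Register) ReapplyAfterRestore(snapshot, now time.Time, restored []Record) []Record {
	var kept []Record
	for _, rec := range restored {
		if _, erased := g.requests[rec.SubjectID]; erased {
			g.Log = append(g.Log, fmt.Sprintf("%s: re-deleted %s after restoring snapshot of %s",
				now.Format("2006-01-02"), rec.SubjectID, snapshot.Format("2006-01-02")))
			continue
		}
		kept = append(kept, rec)
	}
	return kept
}

// day builds a UTC date for the constructed sample data.
func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

func main() {
	g := NewRegister()
	g.Add(ErasureRequest{"subject-42", day(2026, time.January, 10), []string{"crm", "billing"}, 90 * 24 * time.Hour})
	fmt.Println("still in backups on 2026-02-01:", g.StillInBackups(day(2026, time.February, 1)))
	restored := []Record{{"subject-42", "constructed row"}, {"subject-7", "constructed row"}}
	kept := g.ReapplyAfterRestore(day(2026, time.January, 5), day(2026, time.February, 15), restored)
	fmt.Println("kept after restore:", kept)
	for _, line := range g.Log {
		fmt.Println(line)
	}
}
```

The register is what you show an auditor: the request, the date, the systems cleaned, and the date after which the retention policy itself has removed the last copy. A restore of a snapshot taken before the request is only compliant if it is followed by the re-deletion step, which is why the function logs each one.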
NimbusBackup allows you to configure granular retention policies per PBS datastore, ensuring that backups containing data to be erased will be automatically purged within a controlled and documented timeframe.
Subprocessing and DPA contract
Entrusting your backups to an external provider constitutes data processing under Article 28 of the GDPR. The data controller must enter into a Data Processing Agreement (DPA) that precisely defines the conditions for processing personal data by the provider.
Mandatory DPA clauses (Article 28):
- Subject and duration of processing — Nature of backed-up data, categories of data subjects, retention period
- Documented instructions — The processor only processes data upon instruction from the data controller
- Security measures — Description of technical and organizational measures (encryption, access control, monitoring)
- Sub-processing — List of sub-processors, obligation to inform in case of change
- Assistance with data subject rights — The processor assists the controller in responding to access, rectification, and erasure requests
- Fate of data at contract end — Return or deletion of data and all existing copies
- Right to audit — The data controller can audit or have audited the processor's compliance
Warning: A backup provider that refuses to sign a DPA compliant with Article 28 of the GDPR should be immediately rejected. The absence of a processing contract is an infringement in itself, regardless of any data breach. Consult the CNIL's processor guide for a reference template.
NimbusBackup provides a complete DPA compliant with Article 28 of the GDPR to all its clients. This contract details the security measures implemented, the data location (France exclusively), incident notification procedures, and the conditions for data return at contract end.
Retention duration and policy
The storage limitation principle (Article 5(1)(e) of the GDPR) requires that personal data be kept only for as long as necessary for the purposes of processing. Applied to backups, this means you must define and document a justified retention period for each data category.
Common legal bases for retention:
Accounting obligations
10 years for accounting documents (French Commercial Code, art. L123-22). Backups containing billing data can be retained accordingly.
Health data
20 years minimum for medical records (French Public Health Code, art. R1112-7). Backups must respect this regulatory duration.
Contractual data
5 years after the end of the contractual relationship (standard civil statute of limitations, art. 2224 of the French Civil Code).
Business continuity
30 to 90 days for operational backups intended for disaster recovery. Beyond that, specific justification is required.
In Proxmox Backup Server, the retention policy is configured per datastore with precise rules: number of daily, weekly, and monthly backups to keep. The garbage collector automatically deletes expired snapshots and orphan chunks, ensuring that data is not retained beyond the defined period.
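Retention rules are easier to justify to an auditor when you can show exactly which snapshots they keep. The Go program below is an added example that reimplements the documented keep-daily/keep-weekly/keep-monthly semantics (the newest snapshot of each period is kept, a period already covered by an earlier rule is not counted again, protected snapshots are never removed, and anything no rule claims is left for the garbage collector); it is not PBS's own code, and it leaves out keep-last, keep-hourly and keep-yearly. The March 2026 schedule it prunes is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Illustrative reimplementation of the prune semantics documented for Proxmox
// Backup Server's keep-daily/weekly/monthly options (example code, not PBS's
// own): each rule keeps the newest snapshot of each of its N most recent
// periods, a period already covered by an earlier rule is not counted again,
// protected snapshots are never removed, and whatever no rule claims is left
// for garbage collection.

type Snapshot struct {
	Time      time.Time
	Protected bool
}

type Rules struct{ Daily, Weekly, Monthly int }

type Mark int

const (
	Unmarked Mark = iota
	Keep
	Remove
	Protected
)

func (m Mark) String() string { return [...]string{"unmarked", "keep", "remove", "protected"}[m] }

type Decision struct {
	Snapshot
	Mark Mark
}

// Period labels: snapshots sharing a label compete for the same slot.
func dayOf(t time.Time) string   { return t.Format("2006-01-02") }
func monthOf(t time.Time) string { return t.Format("2006-01") }
func weekOf(t time.Time) string  { y, w := t.ISOWeek(); return fmt.Sprintf("%d-W%02d", y, w) }

// markSelections applies one rule to decisions sorted newest first.
func markSelections(d []Decision, keep int, period func(time.Time) string) {
	already := map[string]bool{} // periods an earlier rule already covers
	for _, x := range d {
		if x.Mark == Keep {
			already[period(x.Time)] = true
		}
	}
	included := map[string]bool{}
	for i := range d {
		if d[i].Mark != Unmarked || d[i].Protected {
			continue
		}
		p := period(d[i].Time)
		switch {
		case already[p]: // covered by an earlier rule: not counted against this quota
		case included[p]:
			d[i].Mark = Remove // older snapshot of a period already represented
		case len(included) >= keep:
			return // quota filled; a later rule may still keep what follows
		default:
			included[p] = true
			d[i].Mark = Keep
		}
	}
}

// Prune decides the fate of every snapshot; the result is ordered newest first.
func Prune(snaps []Snapshot, r Rules) []Decision {
	d := make([]Decision, len(snaps))
	for i, s := range snaps {
		d[i] = Decision{Snapshot: s}
	}
	sort.SliceStable(d, func(i, j int) bool { return d[i].Time.After(d[j].Time) })
	markSelections(d, r.Daily, dayOf)
	markSelections(d, r.Weekly, weekOf)
	markSelections(d, r.Monthly, monthOf)
	for i := range d {
		if d[i].Protected {
			d[i].Mark = Protected
		} else if d[i].Mark == Unmarked {
			d[i].Mark = Remove
		}
	}
	return d
}

func main() {
	// Constructed sample: a nightly backup for every day of March 2026, an extra
	// midday one on the 31st, and the 10th marked protected by an administrator.
	var snaps []Snapshot
	for day := 1; day <= 31; day++ {
		snaps = append(snaps, Snapshot{time.Date(2026, time.March, day, 2, 0, 0, 0, time.UTC), day == 10})
	}
	snaps = append(snaps, Snapshot{time.Date(2026, time.March, 31, 14, 0, 0, 0, time.UTC), false})
	for _, x := range Prune(snaps, Rules{Daily: 7, Weekly: 4, Monthly: 6}) {
		fmt.Printf("%s  %s\n", x.Time.Format("2006-01-02 15:04"), x.Mark)
	}
}
```

With `Daily: 7, Weekly: 4, Monthly: 6` the sample keeps the seven most recent nights, the Sunday of each of the four preceding weeks, and the protected snapshot; the second backup of the 31st is dropped because only the newest snapshot of a day counts, and the monthly rule adds nothing because March is already covered. A table like the one this prints is the kind of evidence that turns a retention policy into a documented one.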
NIS2 and GDPR: converging obligations
The NIS2 directive, effective since October 2024, strengthens cybersecurity requirements for essential and important entities. While the GDPR protects personal data, NIS2 targets the resilience of information systems as a whole. The two frameworks reinforce each other regarding backup.
GDPR
- Protection of personal data
- Encryption (art. 32)
- Data availability (art. 32)
- Processor contract (art. 28)
- Penalties: 4% of global turnover
NIS2
- Information system resilience
- Encryption (art. 21)
- Business continuity and backups (art. 21)
- Supply chain security
- Penalties: 2% of global turnover
In practice, a GDPR-compliant backup strategy already meets a large portion of NIS2 backup requirements: encryption, availability, European hosting. NIS2 adds specific requirements for restore tests, procedure documentation, and supply chain security. See our dedicated NIS2 and backups article for a deeper dive into these obligations.
GDPR compliance checklist for your backups
Here are the essential points to verify to ensure your backups comply with the General Data Protection Regulation:
GDPR Checklist - Backups
Warning: This checklist covers the main requirements but does not constitute an exhaustive compliance audit. Depending on your industry and the nature of the data processed, additional obligations may apply (health data, banking data, etc.). Consult your DPO or a specialized lawyer.
How NimbusBackup ensures GDPR compliance
All our Proxmox Backup Server offerings are designed to meet GDPR requirements. Client-side encryption, 100% French hosting, DPA provided: compliance is built in from the design stage (privacy by design, Article 25 of the GDPR). RDEM Systems also offers sovereign hosting in Equinix Paris datacenter and a digital sovereignty checklist to audit your infrastructure.
100% French hosting
Equinix datacenters in the Paris region, own AS206014 network. No transfer outside France. French company not subject to the CLOUD Act.
Client-side AES-256 encryption
Native PBS encryption before transmission. Only you hold the keys. Zero-knowledge architecture compliant with CNIL recommendations.
Compliant DPA provided
Processing agreement compliant with Article 28 of the GDPR systematically provided to all clients. Security, audit, and data return clauses included.
Configurable retention
Granular retention policies per datastore. Automatic purge of expired snapshots by the PBS garbage collector.
Complete logging
Access, backup, and restore logs retained. Full traceability for your GDPR compliance audits.
Support and guidance
French technical team. Assistance for configuring retention policies and compliance documentation.
Our 6 GDPR-compliant PBS offerings:
- Single Drive PBS (EUR 12/TB) — Encrypted backup on one site, French hosting
- Double Drive PBS (EUR 22/TB) — Geo-redundancy across 2 separate French sites
- AirGapped Drive PBS (EUR 34/TB) — Air-gap isolation through physical disk rotation
- Drive Bank PBS (EUR 69/TB) — Air-gap + secure bank vault
- Magnetic PBS (EUR 89/TB) — HDD + automatic long-term LTO tape archiving
- Magnetic Bank PBS (EUR 149/TB) — LTO tapes in bank vault, maximum compliance
Conclusion: GDPR compliance for your backups is not optional
The GDPR places clear obligations on how personal data is backed up: encryption, location, retention period, processing contract, right to erasure. Ignoring these obligations exposes your organization to significant financial penalties and, above all, a loss of trust from your clients and partners.
The good news is that a well-designed backup strategy naturally meets these requirements. Sovereign hosting, client-side encryption, documented retention policies, and a solid DPA: these pillars protect both your data and your regulatory compliance. They also form a solid foundation for meeting the requirements of the NIS2 directive.
Don't wait for a CNIL audit or a data breach to bring your backups into compliance. The cost of proactive compliance is negligible compared to the penalties and reputational damage from a data leak.
