---
title: Data Sovereignty
date: 2026-06-01T17:19:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/glossary/data-sovereignty"
section: Glossar
---
Data sovereignty has three dimensions: legal sovereignty means that data is subject to the legal framework the organization chooses — for European organizations ideally exclusively under GDPR, without conflicts from extraterritorial laws such as the US CLOUD Act. Technical sovereignty means the organization can access its data at any time without approval from a third party and can migrate data without disproportionate effort. Operational sovereignty means that data remains independently available and recoverable even in a crisis — cyber attack, network failure, provider insolvency.

The topic has gained urgency through three developments: the US CLOUD Act (2018) authorizes US authorities to require US companies to hand over data they store on behalf of customers — regardless of where the data is physically stored. Even servers in Frankfurt are subject to this if the provider is a US company (AWS, Microsoft Azure, Google Cloud). The Schrems II ruling by the CJEU (2020) invalidated the EU-US Privacy Shield. Its successor, the EU-US Data Privacy Framework (2023), is legally fragile. Geopolitical risks such as sanctions and export controls make dependencies on individual large providers a strategic risk.

For regulated industries, data sovereignty is often not a strategic option but a compliance obligation: in healthcare, §203 StGB (Germany) prohibits unauthorized disclosure of patient data. In public administration, BSI requirements exclude cloud storage for classified information. In the financial sector, European data protection authorities are increasingly scrutinizing the use of US cloud services for sensitive data categories.

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)


## Frequently asked questions

#### Is it sufficient if my cloud data is stored on servers in the EU?

No — not automatically. The US CLOUD Act is linked not to the physical server location but to the legal framework of the company storing the data. An AWS server in Frankfurt is subject to US law because AWS is a US company. What matters is which law the provider is subject to — not where its servers are located.

#### What is the difference between data sovereignty and data protection?

Data protection (especially GDPR) governs the protection of personal data: purpose limitation, consent, data subject rights. Data sovereignty goes further and encompasses complete control over all data — including non-personal business data, production data, configurations. Data sovereignty means: you decide where your data is stored, who accesses it and which law governs it.
