GDPR in Practice: How to Choose Privacy-Respecting Services

Beyond the Checkbox: What GDPR Compliance Really Means

Every tech company claims to be “GDPR compliant.” It’s become a marketing checkbox — slap a badge on the website and call it done. But GDPR compliance exists on a spectrum, and the difference between genuine compliance and performative compliance can be the difference between your data being protected and your data being exploited.

This guide helps you look beyond the marketing and make informed decisions about the services you use.

The Three Tiers of GDPR Compliance

Tier 1: Genuine Compliance (EU-Based Companies)

Companies headquartered in the EU are directly subject to GDPR enforcement by European data protection authorities. They can’t escape European jurisdiction, and violations carry fines of up to 4% of global annual revenue.

What this looks like:

  • Company is registered in an EU/EEA country
  • Data is processed and stored on EU servers
  • Subject to oversight by a national data protection authority (e.g., CNIL in France, BfDI in Germany)
  • No legal obligation to comply with US data access requests under FISA or CLOUD Act

Examples: Proton and Infomaniak (Switzerland, which is outside the EU/EEA but holds an EU adequacy decision, so its data protection law is treated as GDPR-equivalent), Hetzner (Germany), OVHcloud (France)

Tier 2: Structural Compliance (US Companies with EU Operations)

Large US companies have established EU subsidiaries and data centers to serve European customers. They make genuine efforts to comply with GDPR, but their parent companies remain subject to US law.

What this looks like:

  • EU subsidiary processes European data
  • European data centers available
  • Standard Contractual Clauses (SCCs) or other transfer mechanisms in place
  • But: parent company can still be compelled by US courts to produce data

Examples: Microsoft (EU Data Boundary initiative), Google (EU data residency options), AWS (EU-based regions)

Tier 3: Performative Compliance (Checkbox Approach)

Some companies update their privacy policy, add a cookie consent banner, and call it a day. They technically comply with GDPR’s disclosure requirements while continuing to collect and process data in ways that test the boundaries of the regulation.

What this looks like:

  • Updated privacy policy mentioning GDPR
  • Cookie consent banner (often designed to manipulate users into accepting)
  • Data processing still happens on US servers
  • Broad data collection justified under “legitimate interest”
  • Dark patterns in consent flows

Five Questions to Ask Before Choosing a Service

1. Where Is the Company Headquartered?

This determines which legal framework ultimately governs your data. An EU-headquartered company is subject to GDPR as its primary law. A US-headquartered company is subject to US law first, with GDPR compliance as an additional obligation that may conflict.

2. Where Is Your Data Actually Stored and Processed?

“We have EU data centers” doesn’t always mean your data stays there. Some companies route data through US servers for processing, analytics, or backup. Look for explicit commitments to EU-only data residency.

3. What Is Their Business Model?

If a service is free and ad-supported, your data is likely the product. Companies that make money from advertising have a structural incentive to collect as much data as possible. Subscription-based services align the company’s interests with yours: you pay money, they provide a service.

4. Can You Actually Delete Your Data?

GDPR grants the right to erasure, but implementation varies wildly. Some companies make deletion straightforward. Others bury it in settings, impose waiting periods, or retain “anonymized” data that can potentially be re-identified.

5. Have They Been Tested?

Look at a company’s track record. Have they been fined by data protection authorities? Have they been involved in data breaches? How did they respond? Companies that have been transparent about incidents and improved their practices deserve more trust than those that have never been tested.

Red Flags to Watch For

  • “Legitimate interest” for everything: Companies using “legitimate interest” rather than explicit consent for non-essential data processing
  • Cookie walls: Sites that block access unless you accept all cookies
  • Manipulative consent flows: When “Accept All” is a bright button and “Manage Preferences” requires clicking through multiple screens
  • Vague data sharing: Privacy policies that say data is shared with “partners” without specifying who
  • No EU representative: Non-EU companies operating in the EU without an appointed EU representative (required by GDPR Article 27)
  • US-only support channels: Companies that can’t or won’t handle data subject access requests through EU-based channels

Making the Switch

Choosing privacy-respecting services doesn’t mean sacrificing functionality. European alternatives exist for nearly every category of digital service, often with competitive features and the added benefit of genuine GDPR protection.

The key is to start with the services that handle your most sensitive data — email, cloud storage, messaging — and gradually migrate to European alternatives. You don’t need to switch everything at once, but every service you move to an EU provider is one less data point accessible to foreign surveillance programs.

The Bottom Line

GDPR is the world’s strongest data protection framework, but it only works if you choose services that genuinely respect it. Look beyond the marketing, ask the right questions, and favor companies whose business model, legal jurisdiction, and technical architecture all align with protecting your privacy. Your data deserves more than a checkbox.
