GDPR Implications for Your Cloud Backups: The Complete 2026 Guide

Willem Dewulf
Last updated: March 26, 2026
5 min read

When we first published our guide on GDPR and cloud backups back in 2020, the regulatory landscape was still young. Organisations were scrambling to understand three core obligations: maintain backups, keep them up to date, and ensure your providers were compliant. Five years on, the picture is dramatically more complex.

The GDPR has evolved from a standalone privacy mandate into the foundational layer of an interconnected digital regulatory apparatus: now stacked alongside the NIS2 Directive, the EU AI Act, the EU Data Act, and the Digital Omnibus Package. Meanwhile, enforcement has intensified: European data protection authorities levied approximately EUR 1.2 billion in GDPR fines during 2025 alone, and the average cost of a data breach for US companies has climbed to $10.22 million when fines and remediation are combined.

At ProBackup, we back up SaaS data for thousands of organisations across Europe and beyond. We work directly with a Belgian Data Privacy specialist to keep our own practices current. This guide is the most comprehensive resource we have produced on the topic: written to help you understand not just what the law says, but what it means practically for your backup strategy in 2026.

Why GDPR Still Matters for Cloud Backups

The General Data Protection Regulation (GDPR), which entered into application on 25 May 2018, applies to any organisation that processes personal data of individuals in the EU or EEA — regardless of where the organisation itself is headquartered. This extraterritorial reach is often underestimated.

Cloud backups are squarely within scope. When you back up your SaaS platforms — your CRM contacts in HubSpot, your project data in Asana, your customer communications in Slack — you are creating copies of personal data. Those copies inherit every GDPR obligation that applies to the original data.

The practical implications are significant:

  • Your backup must be able to support a deletion request (the "right to erasure"), not just in your live system but in your backup copies.
  • Your backup provider becomes a **data processor** and must sign a Data Processing Agreement (DPA) with you.
  • If your backup is stored in a country outside the EEA, that transfer must be governed by an appropriate legal mechanism.
  • Your backups must be tested regularly, not just taken.

 Expert tip: Many organisations treat backup as a purely technical function managed by IT. Under GDPR, backup strategy must be a shared responsibility involving your Data Protection Officer (or equivalent), your legal team, and your IT operations. If you haven't reviewed your backup policy through a compliance lens in the past 12 months, now is the time.

Article 32: Backup and Disaster Recovery Is a Legal Requirement

The most direct GDPR reference to backup sits in Article 32 - Security of Processing. It requires organisations to implement appropriate technical and organisational measures, including:

(b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Three concrete obligations flow from this:

Obligation 1: You must be able to restore personal data

This is not a recommendation — it is a legal requirement. If personal data is lost due to accidental deletion, ransomware, a SaaS platform outage, or a rogue automation, you are responsible for restoring it. Your SaaS provider's infrastructure-level redundancy does not cover data loss caused by actions within the application itself.

Obligation 2: Restoration must be timely

Article 32 specifies "in a timely manner." This is deliberately vague, but regulators interpret it in context. A data breach notification must be made within 72 hours (extended to 96 hours under the forthcoming Digital Omnibus Package). If you cannot recover personal data affected by an incident before that deadline, you face compounded compliance risk. Your backup frequency, restore speed, and recovery point objectives (RPOs) are therefore compliance questions, not just technical ones.

Obligation 3: You must test your backups regularly

Article 32(1)(d) explicitly requires you to test the effectiveness of your security measures. An untested backup is not a compliant backup. Regulators can and do ask for evidence that backups have been tested as part of audit and breach investigation processes.

 Expert tip: Document your backup testing in writing. If a supervisory authority ever investigates your organisation following a data incident, evidence of regular backup testing — dates, scope, results, and who was responsible — is one of the most effective demonstrations of accountability under Article 5(2) GDPR.

Data Subject Rights and Your Backup Copies

One of the most underappreciated GDPR challenges for backup operators is the tension between data subject rights and the very nature of a backup. A backup is, by design, a point-in-time copy of your data — preserved, immutable, and designed to be restored rather than edited.

But GDPR grants individuals powerful rights that must be honoured across all your data stores, including backups:

The Right to Erasure ("Right to be Forgotten")

Under Article 17, individuals can request that you delete their personal data. This request must be honoured within 30 days. The challenge: if you have daily backups retained for 30, 60, or 365 days, every one of those backup snapshots also contains the person's data.

The GDPR does not require you to immediately purge every backup copy upon receiving an erasure request — but it does require you to ensure that data is not restored from a backup after deletion from your live systems without applying the same erasure. In practice, this means your data management and restore workflows must be designed to account for deletion requests.

The Right of Access (Data Subject Access Requests - DSARs)

Individuals can request copies of all personal data you hold on them, including data in backups. You must respond within 30 days. In 2026, automated DSAR fulfilment tooling has become a baseline expectation — manual workflows are too slow and error-prone to sustain compliance at scale.

The Right to Rectification

If a data subject requests that their data be corrected, that correction should not be undone by a subsequent restore from backup. Your restore processes need controls to prevent overwriting post-request corrections.

 Expert tip: Maintain a deletion request log that your IT team can cross-reference against any restore operation. Before restoring from backup, check whether any of the data being restored was subject to a deletion or rectification request. This simple operational step significantly reduces your compliance risk and demonstrates accountability under GDPR.
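The restore-time cross-check described in this section and in the erasure and rectification passages above, written out as an added example (this is illustrative code, not ProBackup's product code). It assumes a request log kept as one JSON object per line, a snapshot holding a list of record dictionaries keyed by `subject_id`, and the helper names `load_request_log` and `plan_restore`; the log entries and snapshot records are constructed sample data.

```python
"""Restore guard: check every record in a backup snapshot against the data
subject request log before it is written back to the live system.

Records whose subject has an erasure request on file are withheld, so a
restore cannot resurrect deleted data. Rectifications are re-applied on top
of the restored record, so a restore cannot silently revert a correction.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class SubjectRequest:
    subject_id: str
    kind: str                  # "erasure" or "rectification"
    received_at: datetime
    corrections: dict = field(default_factory=dict)  # rectification only: field -> corrected value


def load_request_log(jsonl_text: str) -> list:
    """Parse the request log. Format (one JSON object per line) is an assumption."""
    log = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry["kind"] not in ("erasure", "rectification"):
            raise ValueError(f"unknown request kind: {entry['kind']}")
        log.append(SubjectRequest(
            subject_id=entry["subject_id"],
            kind=entry["kind"],
            received_at=datetime.fromisoformat(entry["received_at"]),
            corrections=entry.get("corrections", {}),
        ))
    return log


@dataclass
class RestorePlan:
    restore: list = field(default_factory=list)     # safe to write back unchanged
    rectified: list = field(default_factory=list)   # written back with corrections re-applied
    suppressed: list = field(default_factory=list)  # withheld: subject requested erasure
    audit: list = field(default_factory=list)       # one line per affected record, for the evidence file


def plan_restore(snapshot: dict, request_log: list) -> RestorePlan:
    """Decide, record by record, what may be restored from the snapshot."""
    by_subject: dict = {}
    for req in request_log:
        by_subject.setdefault(req.subject_id, []).append(req)

    plan = RestorePlan()
    for rec in snapshot["records"]:
        sid = rec["subject_id"]
        reqs = sorted(by_subject.get(sid, []), key=lambda r: r.received_at)
        erasures = [r for r in reqs if r.kind == "erasure"]
        if erasures:
            # Any erasure on file wins, whatever its date relative to the snapshot.
            plan.suppressed.append(rec)
            plan.audit.append(f"{snapshot['id']}: withheld record {rec['id']} for subject {sid}; "
                              f"erasure request logged {erasures[0].received_at.date()}")
            continue
        # Re-apply rectifications regardless of timing: if the correction already
        # landed before the snapshot this is a no-op; if not, it stops the restore
        # from reverting it. Later requests override earlier ones for the same field.
        merged = {}
        for r in reqs:
            if r.kind == "rectification":
                merged.update(r.corrections)
        if merged:
            plan.rectified.append({**rec, **merged})
            plan.audit.append(f"{snapshot['id']}: re-applied rectification of "
                              f"{sorted(merged)} to record {rec['id']} for subject {sid}")
        else:
            plan.restore.append(rec)
    return plan


# Constructed sample data: a CRM snapshot taken before an erasure request arrived,
# and a subject who later corrected a misspelt email and then a phone number.
REQUEST_LOG_JSONL = """
{"subject_id": "u-1002", "kind": "erasure", "received_at": "2026-02-14T09:30:00"}
{"subject_id": "u-1003", "kind": "rectification", "received_at": "2026-03-02T11:15:00", "corrections": {"email": "k.janssens@example.org"}}
{"subject_id": "u-1003", "kind": "rectification", "received_at": "2026-03-10T08:00:00", "corrections": {"phone": "+32 2 000 00 00"}}
"""

SNAPSHOT = {
    "id": "crm-2026-02-01",
    "taken_at": "2026-02-01T02:00:00",
    "records": [
        {"id": "c-1", "subject_id": "u-1001", "email": "a.peeters@example.org", "phone": "+32 2 111 11 11"},
        {"id": "c-2", "subject_id": "u-1002", "email": "b.claes@example.org", "phone": "+32 2 222 22 22"},
        {"id": "c-3", "subject_id": "u-1003", "email": "k.jansens@example.org", "phone": "+32 2 333 33 33"},
    ],
}

if __name__ == "__main__":
    plan = plan_restore(SNAPSHOT, load_request_log(REQUEST_LOG_JSONL))
    print(f"restore {len(plan.restore)}, rectified {len(plan.rectified)}, suppressed {len(plan.suppressed)}")
    print("\n".join(plan.audit))
```

The `audit` lines are the piece to keep: written to the restore ticket they are the evidence of the cross-check that the tip above asks for.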

Controller vs. Processor: Where Do You Stand?

Understanding your role in the data chain is foundational to GDPR compliance. Most organisations using a backup solution will occupy both roles at different points.

| Role | Definition | Typical Backup Context | Key Obligations |
|---|---|---|---|
| Data Controller | Determines the purposes and means of processing personal data | Your organisation deciding to back up its SaaS platforms | Set retention policies; respond to DSARs; sign DPAs with processors; appoint DPO if required |
| Data Processor | Processes personal data on behalf of and under instruction from a controller | Your backup provider storing and managing your backup data | Process only as instructed; implement security measures; assist controller with DSARs and breaches; sub-processor chain management |
| Sub-Processor | A third party engaged by a processor to carry out processing on the processor's behalf | Cloud storage provider (e.g., AWS) used by your backup vendor | Bound by same obligations as processor; controller must be notified of sub-processor changes |

An important shift in 2026 enforcement: the historical assumption that processors carry minimal liability is obsolete. Regulators now apply shared legal liability across the data supply chain. If your backup provider's misconfiguration or weak default security settings lead to a data breach, the processor is held directly liable alongside you as the controller. This makes vendor due diligence a primary compliance obligation, not a nice-to-have.

 Expert tip: Review your Data Processing Agreement with your backup provider annually. Ensure it explicitly covers: the categories of personal data being backed up, the retention period, sub-processor obligations, your rights to audit, breach notification timelines, and what happens to your data upon contract termination. A DPA that was adequate in 2020 may no longer meet the current standard.

Vetting Third-Party Backup Providers

Choosing to outsource your backup to a third-party provider is not the end of your GDPR obligations — it is the beginning of a new set of them. Your backup provider is a data processor, and you are responsible for ensuring they meet the same data protection standards you do.

Key questions to ask any backup provider before signing:

Security architecture
  • Is data encrypted at rest (AES-256) and in transit (TLS 1.2+)?
  • What is their access control model? Is role-based access control (RBAC) enforced?
  • Do they maintain audit logs of all data access?
  • Are they SOC 2 Type II certified? Is the report available for review?
  • Have they undergone third-party penetration testing?
Data location and sovereignty
  • Where are your backups physically stored? Which country or region?
  • Can you choose your backup region to keep EU data within the EEA?
  • Who are their sub-processors (e.g., cloud infrastructure providers)?
  • Are Standard Contractual Clauses (SCCs) in place for any international transfers?
Data subject rights support
  • Can the provider support targeted deletion of a specific user's data from backups?
  • Can they assist with DSAR responses that require searching backup data?
  • What is their process for handling rectification requests that span backup copies?
Breach notification
  • What is their contractual obligation to notify you of a breach? Within what timeframe?
  • Does their notification timeline allow you to meet your own 72-hour (or 96-hour post-Omnibus) obligation to your supervisory authority?

 Expert tip: Ask your backup provider for their current sub-processor list before signing. Under GDPR, you must be notified at least 30 days before a new sub-processor is added. Providers who cannot produce this list, or who cannot tell you where your data is stored, are not yet at the compliance baseline you need.

At ProBackup, we work with a Belgian Data Privacy specialist (Dirk De Bot at DPS4U) and maintain our DPA and sub-processor register publicly accessible from our website footer. We are built on AWS infrastructure in the EU, and all data is encrypted with AES-256 at rest and TLS in transit. Our SOC 2 Type II certification is available on request from our Trust Center.

Data Residency and International Transfers

GDPR's Chapter V imposes strict rules on transfers of personal data outside the EEA. Any time your backup data leaves the European Economic Area — even if only for processing or storage purposes — you need a lawful transfer mechanism in place.

Adequacy Decisions

The European Commission has granted adequacy decisions to a number of countries, meaning data can flow there without additional safeguards. The EU-US Data Privacy Framework (DPF), adopted in July 2023, survived its first major legal challenge in September 2025, providing a relatively stable mechanism for transfers to certified US organisations. However, it remains under scrutiny and should be treated as a framework to monitor, not assume.

Standard Contractual Clauses (SCCs)

For countries without adequacy decisions, the 2021 SCCs remain the most widely used mechanism. If your backup provider's infrastructure includes US or non-EEA cloud regions, ensure your DPA incorporates current SCCs and that any Transfer Impact Assessment (TIA) has been completed where required.

Data Residency Controls

The most operationally clean solution for EU-based organisations is to ensure your backup provider can offer dedicated EU-region storage. This eliminates the need for transfer mechanisms entirely for your backup data. When evaluating providers, ask specifically whether EU-region storage is included in standard plans or requires an enterprise upgrade.

 Expert tip: Data residency is not the same as data sovereignty. Just because your data is stored in an EU data centre doesn't mean it's outside the reach of foreign laws — particularly if your provider is a US-based company subject to US surveillance legislation. Review your provider's data access policies alongside their storage location. Encryption key management (BYOK — Bring Your Own Key) is one way to maintain practical control regardless of where data is stored.

Data Retention: The Tension Between Backup and Minimisation

GDPR's data minimisation and storage limitation principles (Article 5) require that personal data is kept only for as long as necessary for its original purpose. This creates a genuine tension with backup strategy: the whole point of a backup is to retain data for a period so you can recover it.

Regulators have recognised this tension. The working position accepted by most supervisory authorities is that backup data may be retained beyond normal deletion schedules — but only within a clearly documented retention framework.

Defining your backup retention periods

Your backup retention policy should explicitly define:

  • How long daily backups are retained (common ranges: 30 to 365 days)
  • Whether longer-term archives are maintained and for what purpose
  • How the retention period relates to the underlying data's retention schedule
  • What happens to backup data when the underlying data is deleted (e.g., upon a right-to-erasure request)

| Data Category | Typical Minimum Retention | Backup Implication |
|---|---|---|
| User account and profile data | Duration of active relationship + reasonable period post-termination | Backups should expire or be purged when underlying data is deleted post-contract |
| Billing and transactional records | 7–10 years (varies by jurisdiction for tax/legal purposes) | Long-term archive may be justified; document the legal basis explicitly |
| Support and communications data | Typically 2–5 years depending on internal policy | Align backup retention with documented support data policy |
| Operational/audit logs | Typically 1–3 years for security purposes | Separate log retention from personal data backup; document independently |

 Expert tip: Treat backup retention as a formal policy, not an informal default. Many organisations keep backups "forever" simply because no one has reviewed the setting. This is a compliance risk. Build backup retention into your Record of Processing Activities (ROPA) with explicit justification. If you cannot articulate why you are retaining backup data for a specific period, that period is likely too long.

NIS2: The New Cybersecurity Directive That Changes the Stakes

The NIS2 Directive (Network and Information Security Directive 2), which Member States were required to transpose into national law by October 2024, is one of the most significant new developments for organisations running digital infrastructure - including SaaS backup operations.

Where GDPR focuses on protecting personal data and individual rights, NIS2 focuses on systemic cyber risk and operational resilience. It expands the scope of who must comply significantly beyond the original 2016 NIS Directive, covering essential entities and important entities across a broad range of sectors including digital infrastructure, cloud computing services, managed service providers, and data centre operators.

What does NIS2 require in relation to backup?

NIS2 requires covered entities to implement risk management measures including:

  • Business continuity: Backup management and disaster recovery are explicitly listed as required measures under Article 21.
  • Supply chain security: Organisations must assess the security posture of their service providers, including backup vendors.
  • Incident reporting: Significant incidents must be reported to the relevant national authority within 24 hours (early warning) and 72 hours (full report) — tighter than the GDPR's 72-hour personal data breach notification window.
  • Cyber hygiene: Basic cybersecurity practices including patching, access control, and encryption are mandated.

NIS2 vs. GDPR: Two different but overlapping frameworks

A critical point: NIS2 compliance does not automatically mean GDPR compliance, and vice versa. Organisations that fall within NIS2 scope need to manage both simultaneously. They each require a designated representative in the EU for non-EU organisations — and importantly, these are *different roles* that cannot simply be assigned to the same person without care.

| Feature | GDPR Representative | NIS2 Representative |
|---|---|---|
| Governing law | General Data Protection Regulation | NIS2 Directive |
| Primary purpose | Point of contact for data protection matters and supervisory authorities | Point of contact for cybersecurity incidents and national authorities |
| Who must appoint one | Non-EU controllers/processors targeting EU individuals | Non-EU essential or important entities providing covered services in the EU |
| Incident involvement | Limited to personal data breaches | Active role in mandatory cyber incident reporting |
| Can be outsourced? | Yes | Yes — but must have real cyber security capability for time-critical incidents |

The key operational difference is urgency. GDPR representatives primarily handle documentation, data rights requests, and regulatory correspondence — tasks that are important but rarely time-critical. NIS2 representatives must be prepared to facilitate technically complex, time-sensitive incident communications. Assuming a single outsourced provider can cover both roles adequately without specialist cyber security capability is a common and potentially costly mistake.

 Expert tip: If your organisation falls under NIS2 scope (most cloud service providers, MSPs, and data centre operators do), review whether your current backup strategy meets the business continuity requirements under Article 21. NIS2 supervisory authorities have broader enforcement powers than their predecessors and have signalled intent to audit backup and recovery capabilities as part of compliance assessments.

The Digital Omnibus Package: What's Changing in 2026

In November 2025, the European Commission introduced the Digital Omnibus Package — a sweeping legislative simplification designed to address the paralysing operational friction caused by multiple overlapping digital regulations. It is expected to be enforced from mid-to-late 2026 and introduces several changes that directly affect backup and incident response.

The 96-hour breach notification window

One of the most practically significant changes: the GDPR's 72-hour breach notification deadline is being extended to **96 hours**. This additional time was explicitly designed to give incident response teams the breathing room needed for accurate forensic investigation before notifying authorities. For organisations relying on backup restores as part of their incident response, this provides slightly more operational flexibility.

The Single Reporting Portal

Currently, a single cyber incident can trigger distinct, separately formatted notifications under GDPR, NIS2, DORA, and eIDAS — each with different deadlines and requirements. The Digital Omnibus Package introduces a Single Reporting Portal: one submission that is automatically routed to the appropriate national authorities across frameworks.

For backup operators, this means your incident response plan needs to be updated. You will no longer be filing separate notifications to different bodies — but the information required for that single submission will need to be comprehensive enough to satisfy all frameworks simultaneously.

| Framework | Pre-Omnibus Reporting | Post-Omnibus (2026) |
|---|---|---|
| GDPR | 72 hours to local DPA | Extended to 96 hours; routed via Single Portal |
| NIS2 | Phased: 24h early warning / 72h full report | Consolidated portal reporting; harmonised technical standards |
| DORA | Major incident reporting based on financial impact thresholds | Unified incident classification aligned with GDPR/NIS2 via the portal |

 Expert tip: Update your incident response playbook now to reflect the consolidated reporting approach. Define in advance: who is responsible for submitting the report, what information needs to be gathered before submission, and how your backup restore timeline fits within the (extended) 96-hour window. Having this documented before an incident dramatically reduces the risk of missed or incorrect notifications under pressure.

The EU AI Act and Backup Implications

The EU AI Act, transitioning into full applicability from August 2026, may seem distant from backup operations — but it has a direct relevance for organisations using SaaS platforms with AI features, or deploying agentic AI tools that interact with business data.

Agentic AI tools - such as AI agents built into monday.com, ClickUp, and other SaaS platforms — can now autonomously create, modify, delete, and reorganise data at machine speed. A poorly configured or misunderstood instruction can result in mass data changes or deletions before any human notices. We cover this in detail in our article on Agentic AI vs. the Importance of SaaS Backup.

From a backup and GDPR perspective, the AI Act reinforces the importance of:

  • Audit trails: AI systems must maintain transparency logs. Your backup provides an independent, tamper-proof history of data states — critical when AI-driven changes need to be investigated or reversed.
  • Data Protection Impact Assessments (DPIAs): High-risk AI systems require DPIAs that run in parallel with GDPR DPIAs. Your backup strategy should be documented as a risk mitigation measure in these assessments.
  • Data minimisation: AI models processing personal data must use only what is necessary. Ensure your backup policy does not inadvertently expand the footprint of personal data being retained.

 Expert tip: If your team uses AI agents in tools like monday.com or ClickUp, ensure your backup frequency matches the pace of agent-driven changes. Daily backups are no longer adequate when an AI agent can make thousands of changes overnight. Consider backups at intervals of every few hours for platforms where agentic AI is actively deployed, and document this decision in your risk assessment.

Beyond Europe: Global Privacy Laws That Reference Backup

GDPR set the template that most other major privacy regulations now follow. If you operate in markets outside the EU, you are likely subject to additional laws that carry parallel obligations for your backup practices.

United Kingdom - UK GDPR

Post-Brexit, the UK retained its own version of GDPR (UK GDPR), enforced by the Information Commissioner's Office (ICO). Backup obligations mirror those under EU GDPR. Note that non-UK organisations targeting UK individuals must appoint a UK Representative — separate from any EU Representative appointment.

United States - State Privacy Laws (18 and counting)

The US still lacks a comprehensive federal privacy law. However, 18 states now have full consumer privacy frameworks, all of which carry data retention, deletion, and security obligations relevant to backup. California (CCPA/CPRA), Virginia, Colorado, Texas, and Oregon are among the most actively enforced. Key backup-relevant obligations under US state laws include:

  • Honouring deletion requests across all data systems, including backups
  • Implementing reasonable security measures (which regulators interpret to include backup and recovery)
  • Providing data portability upon request

Switzerland - Revised Federal Act on Data Protection (FADP)

Fully enforced since September 2023, the revised Swiss FADP broadly mirrors GDPR but with one critical difference: fines under the Swiss law are levied against individual executives rather than the company itself. A Chief Privacy Officer or CISO can personally face a fine of up to CHF 250,000 for intentional violations. For Swiss-market operations, this makes personal accountability for backup compliance especially acute.

Australia, Canada, Singapore, Japan

Each of these jurisdictions has adopted or updated privacy legislation in recent years that includes security-of-processing obligations analogous to GDPR Article 32. If you serve customers in any of these markets, consult local counsel — but in almost every case, maintaining a compliant backup strategy under GDPR will put you in a strong position under these laws as well.

 Expert tip: Build your backup compliance framework around GDPR as the gold standard. GDPR is the most demanding major privacy regulation in scope. Organisations that are genuinely GDPR-compliant in their backup practices will find that the vast majority of other global frameworks are met as a consequence — reducing the cost and complexity of multi-jurisdiction compliance.

Your Practical GDPR Backup Compliance Checklist

Use this checklist as a practical starting point for reviewing your backup programme against GDPR and related 2026 obligations. This is not a substitute for legal advice, but it covers the core operational requirements that regulators expect to see documented.

Backup Infrastructure

☐ Backups are taken at a frequency sufficient to meet your recovery point objectives

☐ Backups are encrypted at rest (AES-256 or equivalent)

☐ Backups are encrypted in transit (TLS 1.2+)

☐ Backup systems have role-based access controls (RBAC) — minimal access by default

☐ Backup access events are logged in an audit trail

☐ Backups are stored in a geographically distinct location from primary data

☐ EU personal data is backed up within the EEA, or a lawful transfer mechanism (SCCs, DPF) is in place

Testing and Governance

☐ Backup restores are tested at least quarterly and results are documented

☐ Recovery time objectives (RTOs) are defined and achievable within your breach notification window

☐ Backup policy is reviewed annually and signed off by a named responsible party

☐ Backup retention periods are defined per data category and documented in your ROPA

☐ Your incident response plan references backup restore as a recovery step and assigns ownership

Data Subject Rights

☐ A deletion request log exists and is cross-referenced before any backup restore

☐ Restore procedures prevent overwriting post-request data corrections

☐ Your backup provider can support targeted user-level data searches if a DSAR requires it

Third-Party Management

☐ A signed, current DPA exists with your backup provider

☐ Your backup provider's sub-processor list is available and has been reviewed

☐ Your DPA includes breach notification obligations for the provider with a deadline that supports your own 96-hour reporting window

☐ Your backup provider's security certifications (e.g., SOC 2 Type II, ISO 27001) have been reviewed and are current

NIS2 and Related Obligations (if in scope)

☐ Your organisation has assessed whether it falls within NIS2 scope

☐ Backup and disaster recovery are documented as part of your NIS2 Article 21 risk management measures

☐ GDPR and NIS2 representatives (if required) have been separately appointed and are actively engaged

☐ Your incident response plan is updated to reflect Single Portal reporting under the Digital Omnibus Package

How ProBackup Approaches Compliance

ProBackup is a SOC 2 Type II certified backup solution for SaaS platforms including Asana, ClickUp, monday.com, HubSpot, Jira, Notion, Slack, and others. Our parent company B4B IT is headquartered in Belgium and we work with a specialist Belgian Data Privacy expert (Dirk De Bot at DPS4U) to maintain our compliance posture.

Here is how our product and operations map to the obligations described in this guide:

| GDPR Obligation | How ProBackup Addresses It |
|---|---|
| Article 32 — ability to restore data timely | Daily automated snapshots with granular item-level restore; recovery achievable well within incident notification windows |
| Article 32 — regular testing of security measures | SOC 2 Type II audit provides independent third-party verification of our controls; customers can test restores at any time within the app |
| Article 28 — Data Processing Agreement | GDPR-compliant DPA available; accessible from our website footer |
| Data residency | Built on AWS EU infrastructure; EU customer data remains within the EEA |
| Encryption | AES-256 encryption at rest; TLS in transit for all backup data |
| Right to erasure support | Granular restore tools; customers control data and can manage deletion workflows through the platform |
| Sub-processor transparency | Sub-processor register maintained and available on request |

Our full GDPR documentation, audit reports, and security details are available at probackup.io/gdpr and probackup.io/resources/audit-reports.

Summary: What Has Changed Since 2020

Our 2020 guide distilled GDPR's backup obligations into three points: backup is legally required, backups must be regular, and your provider must be compliant. All three remain true. But the landscape has become significantly more complex:

  • Enforcement has intensified dramatically: EUR 1.2 billion in fines in 2025 alone, with US organisations absorbing 83% of all penalties historically.
  • NIS2 has added a parallel cybersecurity compliance framework covering backup, incident response, and supply chain security — with distinct representative requirements from GDPR.
  • The Digital Omnibus Package is streamlining but also raising standards: one portal for incident reporting, a 96-hour notification window, and tighter consent architecture requirements.
  • The EU AI Act is intersecting with backup compliance: As AI agents increasingly operate within SaaS platforms, the importance of independent, granular backup has never been higher.
  • Shared liability across the data supply chain is now enforced: backup providers are held as accountable as the organisations they serve.
  • Data subject rights obligations apply to backup copies: Erasure, access, and rectification requests must be managed across your live systems and your backups.

The organisations that treat backup as a compliance instrument (not just an IT function) are the ones who navigate this landscape most successfully. A robust, tested, documented backup strategy is simultaneously your best risk mitigation tool and your clearest demonstration of accountability to regulators.

This article is intended for IT decision-makers, compliance officers, and data protection professionals. It reflects the regulatory environment as of March 2026 and should not be treated as legal advice. For specific compliance guidance, consult a qualified data protection professional.
