STACKIT DPIA: A European cloud alternative under review

The Dutch government published a DPIA on April 22, 2026, assessing the use of STACKIT cloud services. The report provides insight into how personal data are processed in this relatively new European cloud environment and is relevant for CIOPN members considering alternatives to major US-based providers.

The DPIA examines three core services, namely compute, database, and object storage, within a representative cloud setup. It analyses different categories of personal data such as content data, account information, log data, and support data. The findings show that the main risks relate to transparency, logging, and the division of roles and responsibilities between provider and customer.

The overall conclusion is that no high privacy risks remain, provided that organisations implement the recommended measures. Earlier identified high risks have been reduced to a set of low residual risks following technical and contractual adjustments. A key factor in this outcome is the revised Data Processing Agreement (DPA), which more clearly defines processing purposes and roles. 

A notable aspect highlighted in the DPIA is the emphasis on European data residency. The assessed services process data exclusively within the EU, primarily in Germany, and do not involve non-EU subprocessors within the scope of the assessment. This connects to broader discussions on digital sovereignty and dependencies on international cloud providers.

At the same time, the report makes clear that a significant part of the responsibility remains with the customer organisation. This includes decisions on configuration, logging, data usage, and additional risk assessments. The DPIA is explicitly positioned as a generic framework and must be complemented by organisation-specific assessments.

Overall, the DPIA presents a cloud environment that can be used from a privacy perspective within defined conditions. At the same time, it illustrates that actual risks continue to depend on how services are configured and applied in practice. For CIOPN members, the document primarily serves as a reference point to support cloud strategy and governance decisions, rather than replacing their own evaluation.

The full report is available via the Dutch government website: https://www.rijksoverheid.nl/documenten/2026/04/22/dpiaontheuseofstackitcloudservices