For the first seven years of GDPR enforcement, data processors, the companies that handle personal data on behalf of someone else, were mostly implicated through their customers. A controller got fined; the processor was mentioned in the investigation; the liability stayed with the company that owned the customer relationship. That pattern changed in 2025. The UK’s Information Commissioner’s Office issued its first-ever monetary penalty against a data processor in March 2025, a £3.07 million fine against Advanced Computer Software Group for security failures that enabled a ransomware attack on NHS systems. France’s CNIL fined Mobius Solutions, a SaaS data services company, €1 million in December 2025 for retaining data after a contract ended and using that data for its own purposes. Both companies are data processors. Neither owned the relationship with the individuals whose data was at risk. Both were fined directly.
For managed hosting companies processing EU customer data, those two cases define a new compliance exposure. The legal framework that makes processors directly liable under GDPR has existed since May 2018. What changed in 2025 is that regulators started using it.
The Two Precedent Cases
Advanced Computer Software Group provides software and IT services to the NHS and the UK health sector. In August 2022, ransomware attackers got into the systems of its health subsidiary through a customer account that had no multi-factor authentication. The exposed data covered 82,946 individuals in total and included medical records and, for 890 at-home care patients, details of how to gain entry to their homes. The ICO’s investigation found that Advanced had not deployed MFA across systems holding health data, lacked comprehensive vulnerability scanning, and had inadequate patch management. The provisional fine was £6.1 million; after voluntary settlement and cooperation, the final penalty was £3.07 million. The fine was issued under Article 32 UK GDPR, which requires appropriate technical and organisational security measures. Advanced was fined not as the organisation whose patients were affected but as the IT services company that processed that data under contract and failed to secure it.
Mobius Solutions was a UK-registered company subcontracted by Deezer, the French music streaming service, to run personalized advertising campaigns. When the contract ended, Mobius retained a copy of personal data covering more than 46 million Deezer users. It also used that data to improve its own service without any instruction from Deezer to do so. The CNIL identified three violations: retaining data after contract termination in breach of Article 28(3)(g), processing data outside the controller’s instructions in breach of Article 28(3)(a), and failing to maintain records of processing activities in breach of Article 30. The fine was €1 million. Because Mobius had no EU establishment, the one-stop-shop mechanism did not apply and the CNIL took direct jurisdiction. The investigation ran from November 2022 to December 2025, a three-year process, but the enforcement outcome is unambiguous: a processor that uses data for its own purposes and fails to delete it at contract end faces direct regulatory action.
The Scale of What Regulators Are Processing
GDPR breach notifications now arrive at EU supervisory authorities at an average of 443 per day, according to DLA Piper’s annual survey published in January 2026. That is a 22 percent increase from 363 per day the prior year and the first time the daily average has exceeded 400 since GDPR took effect. Across 2025, regulators received over 160,000 breach notifications. Total cumulative GDPR fines reached €7.1 billion as of January 10, 2026. Enforcement stabilized at approximately €1.2 billion annually in both 2024 and 2025.
Supervisory authorities are increasingly using breach notifications as entry points for examining processor arrangements. When a breach is notified, investigators now routinely check whether a signed Article 28-compliant data processing agreement existed, whether the sub-processor chain was authorised, and whether the processor notified the controller within the required timeframe. A breach that triggers scrutiny of missing or deficient processing-agreement terms creates a compound enforcement scenario: the underlying security failure plus documentation violations across the processor chain.
The Vodafone Germany case from June 2025 illustrates a related enforcement theory. Germany’s BfDI imposed a €45 million fine with two components. €30 million addressed authentication security failures in the MeinVodafone customer portal. The remaining €15 million was specifically for Vodafone’s failure to adequately select, check, and monitor partner sales agencies acting as processors and agents. The partner agents had created fictitious contracts and modified terms without customer knowledge. Vodafone did not itself create the fraudulent contracts, but the regulator fined it €15 million for the absence of oversight over its processor relationships. The violation was the structural failure to govern the processor chain, not just the resulting harm.
What Processors Are Actually Required to Do
GDPR Article 28 defines the direct obligations on data processors. A managed hosting company processing EU customer data is typically acting as a processor for its customers, who are controllers. The obligations are not suggestions and, as the 2025 enforcement record confirms, they are now actively enforced against processors directly.
The instruction-only rule sits at the centre of processor compliance. A processor may handle personal data only as the controller has instructed. This applies to analytics, performance benchmarking, service improvement, and marketing. If a hosting company uses customer website data for any of these purposes without explicit authorisation in the processing agreement, it has stepped outside the processor role: under Article 28(10), a processor that determines the purposes and means of processing is treated as a controller for that processing, with the full liability that entails. Mobius was fined for exactly this: it used Deezer’s data to improve its own product without authorisation.
Sub-processor management is the area where exposure compounds most quickly. Any company a hosting provider uses to deliver its service that touches customer personal data, including colocation providers, CDN operators, backup services, monitoring tools, and support ticketing systems, is a sub-processor. Article 28(2) requires prior written authorisation from each of the hosting company’s customers before a sub-processor is engaged, either specifically by name or under a general authorisation that includes advance notice of changes and an opportunity to object. Under Article 28(4), the hosting company must impose the same data protection obligations on each sub-processor by contract, and if the sub-processor fails to meet them, the hosting company remains fully liable to the controller. The defence “our data centre provider failed” does not eliminate the processor’s liability under GDPR.
The security obligation in Article 32 is now being tested against deployed controls rather than written policies. Following the Advanced Computer Software case, regulators expect demonstrable technical measures: MFA on every system that contains, or provides access to, customer personal data; comprehensive vulnerability scanning and patch management; encryption at rest and in transit; least-privilege access controls with logging; and documented, exercised incident response capability. Note that the Advanced findings concerned the absence of basic controls, not the sophistication of the attack. A policy document stating that these controls exist is no longer sufficient: investigators in 2025-2026 are examining whether they are actually in place, and a single externally reachable account without MFA is enough to ground a finding.
Data deletion at contract end is the obligation Mobius breached. Article 28(3)(g) requires a processor, at the controller’s choice, to delete or return all personal data when the service ends and to delete any remaining copies, unless Union or Member State law requires the processor to retain them. For a hosting company this means an offboarding process that covers backups and replicas as well as primary storage and produces documented deletion confirmation. Retaining copies for “operational reasons” after contract termination, without explicit authorisation in the processing agreement or a specific legal retention duty, creates direct GDPR liability.
The Practical Compliance Posture
A signed Article 28-compliant data processing agreement must exist with every customer before processing begins. An agreement that omits required terms is itself a violation; enforcement is not limited to cases where no agreement exists at all. The agreement must specify the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subjects, and must include all eight mandatory processor obligations listed in Article 28(3)(a) to (h).
Processors must also maintain their own records of processing activities under Article 30(2). This is a direct processor obligation that exists independently of the controller’s own records. Mobius was fined for this specific gap.
Breach notification timelines matter operationally. Article 33(2) requires a processor to notify the controller “without undue delay” after becoming aware of a personal data breach; most processing agreements fix this contractually at 24 to 48 hours. Under Article 33(1), the controller then has 72 hours from the moment it becomes aware to notify its supervisory authority. The controller’s clock cannot start before the processor reports, so a processor that sits on an incident for days leaves the controller unable to show it acted without undue delay, and the late notification creates compounded exposure for both parties.
The EU Cloud Code of Conduct, approved in 2021 following a positive EDPB opinion, provides formal compliance guidance specifically for cloud providers acting as processors in B2B contexts. Adherence to the Code is not legally required, but it gives customers documented compliance assurance and reduces procurement due diligence. Controllers are increasingly auditing their processors as part of their own GDPR obligations. Hosting providers should expect audit questionnaires, security assessments, and processing-agreement review requests to become standard commercial interactions, not exceptional ones.
Łukasz Nowak
Nearly two decades in IT. A decade in web hosting - and still in the trenches. Writing about the infrastructure that runs the internet from the inside.
Sources
- DLA Piper GDPR Fines and Data Breach Survey January 2026 - DLA Piper
- Data breach: MOBIUS SOLUTIONS LTD fined €1 million - CNIL
- ICO fines processor after inadequate security measures lead to widespread disruption - Clifford Chance
- Supply chain cyber incidents: The ICO's fine and future of data processors' accountability - Kennedys Law
- BfDI imposes fines on Vodafone - BfDI
- EU Cloud Code of Conduct - SCOPE Europe
- Art. 28 GDPR - Processor obligations - gdpr-info.eu
- Processor liability: CNIL fines Mobius Solutions Ltd - Squair Law
- GDPR Enforcement Tracker Report 2024/2025 - CMS Law