Under GDPR, your hosting provider is a ‘data processor’ — they process personal data on your behalf. You, as the site owner, are the ‘data controller’ — you determine what data is collected and why. Both roles carry specific legal obligations. This is especially important for WooCommerce stores handling customer data.

As a data processor, your hosting provider must: process data only on your documented instructions, ensure staff are bound by confidentiality, implement appropriate technical and organisational security measures, assist with data subject access requests, delete or return data when the contract ends, and notify you of data breaches without undue delay.

Data location

Data location is a key GDPR consideration. Personal data of EU/UK residents should ideally be stored within the EU/UK. If data is transferred outside these regions, specific legal mechanisms (adequacy decisions, standard contractual clauses) must be in place. See our guide on hosting for regulated industries.

The Data Processing Agreement (DPA) is the contractual backbone of GDPR compliance between you and your hosting provider. It should clearly define: what data is processed, the purposes and duration of processing, the security measures implemented, sub-processor arrangements, and breach notification procedures.

WP Pro Host stores all data in UK data centres, provides a comprehensive DPA as part of every hosting agreement, maintains detailed processing records, has documented breach notification procedures (within 24 hours), and supports data deletion requests within the timeframes required by GDPR. Read our full privacy policy.

Frequently Asked Questions

What is a data processor in the context of WordPress hosting?

Under UK GDPR, a data processor processes personal data on behalf of the data controller. Your WordPress hosting provider is a data processor — they store and process the personal data your site collects (contact form submissions, WooCommerce customer data, user accounts) on their servers on your behalf. You, as the site owner, are the data controller — you determine what data is collected and why. Both roles carry specific legal obligations, and your hosting provider must comply with GDPR requirements as a data processor.

Do I need a Data Processing Agreement with my WordPress host?

Yes. UK GDPR requires a written Data Processing Agreement (DPA) between you (the data controller) and your hosting provider (the data processor) when the host processes personal data on your behalf. The DPA must specify: what data is processed, the purposes and duration of processing, the security measures implemented, arrangements for sub-processors, breach notification procedures, and data return or deletion terms. Without a DPA, your use of that hosting provider for processing personal data may constitute a GDPR compliance failure.

Does hosting location matter for UK GDPR compliance?

Yes. Personal data of UK residents should be stored within the UK or in countries with an adequate data protection framework. Data transferred outside these jurisdictions requires specific legal mechanisms such as adequacy decisions or standard contractual clauses (SCCs). Hosting your WordPress site on UK servers simplifies compliance by keeping customer data within UK jurisdiction without requiring additional legal safeguards. For WooCommerce stores collecting UK customer data, UK-based hosting is the most straightforward path to data residency compliance.

What are a hosting provider’s GDPR obligations for data breaches?

Under GDPR, a data processor (your hosting provider) must notify you of a personal data breach without undue delay after becoming aware of it — in practice, this should be within 24 hours to give you sufficient time to meet your own 72-hour ICO notification obligation. The notification must describe the nature of the breach, categories and approximate number of individuals affected, the likely consequences, and measures taken or proposed to address it. Hosting providers that cannot provide documented breach notification procedures are not meeting their GDPR processor obligations.

What GDPR security requirements apply to WordPress hosting providers?

Article 32 of UK GDPR requires data processors to implement appropriate technical and organisational security measures, including: pseudonymisation and encryption of personal data, ongoing confidentiality and integrity of systems, ability to restore availability and access to personal data after an incident, and regular testing and evaluation of security measures. For WordPress hosting, this translates to: encryption at rest and in transit, site isolation between accounts, access controls on server infrastructure, regular security scanning, incident response procedures, and tested backup and recovery capability.