EU server-side tracking: data residency, GDPR-grade configuration
EU server-side tracking: data residency for sGTM, EU hosting choices, GDPR-compliant configuration, DPA assessment with DPO.
By Ron Kopelman, freelance analytics consultant — updated May 18, 2026
For European Union companies, server-side tracking isn’t just a question of recovering conversions: it’s a question of where the data sits, who processes it, and whether the chain of sub-processors complies with the GDPR and with the Schrems II rules on transfers outside the EU. My role on EU server-side missions is to scope your data-residency requirements with your DPO, choose hosting that respects them (Addingwell FR, Cloud Run EU regions, others), and document the chain for a clean processing register and LIA (legitimate interest assessment). This page covers the EU-specific decisions for server-side tracking; the technical content on tag deployment is on the parent server-side page and the sGTM consultant page.
EU data residency tiers
Three levels of strictness depending on your sector and DPO.
Strict EU: no US sub-processor on the critical tracking path. Means hosting in the EU, ideally with an EU-headquartered company, which rules out Google Cloud (US ownership) even in EU regions. In practice this means Addingwell (FR team, FR servers); self-managed Cloud Run in an EU region only fits this tier as a documented, DPO-approved exception, since Cloud Run is Google Cloud.
EU-region with US ownership accepted: hosting must be in EU regions, but a US-owned provider is acceptable. Opens up Google Cloud EU regions (Belgium, Frankfurt) and Stape EU. Most common position for mid-market EU clients.
Permissive: any region accepted with an appropriate DPA and documented transfer mechanism. Stape global, Google Cloud worldwide. Typical for sites not subject to regulated-sector requirements.
The level should be explicitly chosen by your DPO with documented reasoning, not implicitly assumed.
Sub-processor assessment
For each component of the tracking chain, the DPA and sub-processor list must be reviewed. Practical checklist:
- Hosting: Stape, Addingwell, Google Cloud, AWS — DPA scope, sub-processors, transfer mechanisms (SCC, adequacy decision)
- CMP: Axeptio (FR), Didomi (FR), Cookiebot (DK), OneTrust (US) — DPA, where consent data is stored
- Ad platforms: Meta, Google, LinkedIn — DPA scope, data minimization
- Analytics: GA4 (Google, US-owned), Piano (FR-based historically), Matomo (cloud hosted in DE, or self-hosted on your own infrastructure) — different residency options
For each, document: what data goes there, what’s the legal basis, retention, deletion rights, breach notification.
EU-specific technical setup
Beyond residency, three technical patterns are specific to EU deployments:
Server-side hashing only. PII (email, phone, names) is normalized and hashed with SHA-256 server-side before any transmission to Meta, Google or LinkedIn, and is never sent client-side in clear text. Two caveats: normalization (trim, lowercase, digits-only phone) must follow the platform’s matching spec or the hash never matches; and a hashed identifier is pseudonymised, not anonymised, so it remains personal data and the transfer still needs its legal basis and DPA. Documented in the LIA.
Cookie configuration. First-party cookies set by sGTM (served from a subdomain of your own site) carry Secure and SameSite=Lax, plus HttpOnly where the cookie is only read server-side. Lax rather than Strict so the cookie survives a top-level navigation from an ad click; first-party rather than third-party so no cross-site cookie is needed at all. Keep Max-Age within the retention period documented in the LIA (GDPR data minimization).
Behavioral modeling disclosure. If Consent Mode Advanced is used (cookieless pings sent to Google even when consent is denied, which feed conversion modeling), the LIA must specifically document what behavioral modeling does (statistical reconstruction of conversions from those pings), what data the pings carry, and what users are told in the privacy policy. See the consent mode consultant page.
Hosting choice matrix
| Host | EU residency strictness | DPA quality | Best for |
|---|---|---|---|
| Addingwell | Strict EU (FR team + FR servers) | Excellent, FR direct | Strict EU sites, FR institutions, premium retail |
| Stape (EU region) | EU-region (EE-owned) | Standard EU DPA | Mid-market EU, multi-country |
| Google Tag Gateway | EU-region (US-owned) | Standard Google DPA | Sites accepting Google as full-stack provider |
| Cloud Run self-managed (EU) | EU-region (US-owned) | Direct GCP DPA | Large sites with DevOps capability |
For most EU mid-market clients (€1-10M revenue, GDPR-conscious but not regulated), Stape EU or Addingwell are the typical answers. For regulated sectors (banking, healthcare, public sector, education): Addingwell is the safer choice.
Engagement scope
A typical EU-focused server-side mission adds 2-3 days to a standard sGTM deployment for:
- Data residency assessment with DPO (half a day, structured)
- DPA review of all sub-processors (1 day)
- LIA drafting or review covering Consent Mode Advanced + server-side data flows (1 day)
- Processing register alignment (half a day)
Total fee adds €1,500-2,500 to the standard sGTM fee, depending on complexity.
Frequently asked questions
Does Schrems II prevent Meta CAPI use?
No, but it requires a documented transfer mechanism (SCCs, which Meta’s data processing terms include, backed by a transfer impact assessment, or an adequacy decision where the recipient is covered by one) and, ideally, data minimization: hash PII before transmission and do not send fields you do not need. Hashing is pseudonymisation, not anonymisation, so the hashed payload is still personal data and still a transfer. With that documentation in place the setup is allowed.
Best EU CMP for strict residency?
Axeptio (FR) is the typical recommendation for strict-EU FR sites. Didomi (FR HQ) is comparable. Cookiebot is DK-based, also EU. OneTrust is US — accepted by most EU clients but less aligned with strict positions.
Can I host on Cloud Run EU without becoming subject to US transfers?
The infrastructure is in the EU; the provider is Google (US-owned). Under Schrems II reasoning, the possibility of access by the US parent is commonly treated as a transfer risk, so the DPO will usually still require SCCs and a transfer impact assessment on top of the GCP DPA. Practically, most EU clients accept Cloud Run EU with that documentation in place. Strict-EU positions don’t.