Data privacy is an important topic here at Hetzner. This article provides answers to common questions regarding this topic.
For our customers' websites, the log files store, among other things, the visitor's IP address, the browser the visitor uses, the time and date of the visit, and the visitor's operating system. We at Hetzner Online only store pseudonymised IP addresses of visitors to the website. At the web server level, this happens by default: instead of the visitor's actual IP address, for example <18.104.22.168>, the log file stores an address of the form <123.123.123.XXX>. The XXX is a random value between 1 and 254, so it is no longer possible to establish the true identity of the visitor.
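The pseudonymisation described above (keep the first three octets, replace the last one with a random value between 1 and 254) is easy to reproduce for your own log processing. The following is an added example written for this article, not Hetzner's own web server configuration or code; the log lines, the function names and the `rng` parameter are constructed for illustration, and the sample addresses come from the RFC 5737 documentation ranges rather than from real visitors.

```python
import random
import re
from typing import Callable, Iterable, List

# Constructed sample lines in Apache "combined" log format. The addresses are
# documentation addresses (RFC 5737), not real visitors.
SAMPLE_LOG_LINES = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
    '- - - [10/Oct/2023:13:55:38 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "-"',
]

# The remote-host field is the first token of an Apache log line. This matches a
# dotted-quad IPv4 address there, capturing the first three octets and the last.
_LEADING_IPV4 = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})(?=\s)")


def _random_last_octet() -> int:
    # Same range as the article describes: 1..254 inclusive.
    return random.randint(1, 254)


def pseudonymise_line(line: str, rng: Callable[[], int] = _random_last_octet) -> str:
    """Replace the last octet of a leading IPv4 address with a random value.

    Lines whose first field is not an IPv4 address (for example "-" or a
    hostname) are returned unchanged. The first three octets are kept, so
    coarse network-level statistics stay possible while the individual host
    can no longer be identified. `rng` is injectable so tests can be
    deterministic (hypothetical parameter, not part of any real tool).
    """
    m = _LEADING_IPV4.match(line)
    if m is None:
        return line
    prefix, last = m.group(1), m.group(2)
    # Reject values above 255 so something like "999.1.2.3" is not treated as an address.
    if any(int(octet) > 255 for octet in prefix.split(".") + [last]):
        return line
    new_octet = rng()
    if not 1 <= new_octet <= 254:
        raise ValueError("replacement octet must be in 1..254")
    return f"{prefix}.{new_octet}{line[m.end():]}"


def pseudonymise_log(lines: Iterable[str], rng: Callable[[], int] = _random_last_octet) -> List[str]:
    """Pseudonymise every line of a log, preserving order."""
    return [pseudonymise_line(line, rng) for line in lines]


if __name__ == "__main__":
    for out in pseudonymise_log(SAMPLE_LOG_LINES):
        print(out)
```

Because the replacement octet is random rather than derived from the real address, there is no key that could reverse it, and the same visitor appears under a different address on each request, so individual lines cannot be linked back to one host. Run the file directly to see the sample lines rewritten; everything after the address field is left untouched.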
- Mail server log: Hetzner Online stores these log files for 7 days.
- Apache log: Customers can configure the length of time to store their log files. They can configure this themselves by going to their account on konsoleH. To do this, go to Administration > Maintenance > Account Maintenance and then click on Activate own rules to change this setting.
- Backups: Hetzner Online stores encrypted backups for 14 days.
If you do not want log files to be recorded, please add a file named .no-logs to your account.
When you use services that involve the processing of personal data, for example, services provided by Hetzner Online, a data processing agreement (DPA) forms the basis of the data security understanding between you and Hetzner.
The data processing agreement defines the rights and obligations between you as the “Controller/Client” and Hetzner as the “Processor/Supplier”. In the DPA, Hetzner promises, for example, to only process the personal data that you provide to us and only for the agreed purposes. We also pledge to use comprehensive measures to protect your data while processing it. You can read an overview of these measures by going to Appendix 2 of the DPA, “Technical and Organisational Measures in Accordance with Art. 32 GDPR and Amendments”.
In accordance with Art. 28 paragraph 3 of the EU’s General Data Protection Regulation (GDPR), you are required to have a DPA if Hetzner processes personal data on your behalf. In other words, you need one if you have saved personal data on a server you rent from us or if you store such data using one of our other services.
There is an exception: If you process the personal data exclusively for private reasons, you do not need to create a DPA.
The EU’s General Data Protection Regulation defines this term in Art. 4, No. 1. In short, personal data includes information that can be connected to a specific person, and this includes things like their names, addresses, email addresses, genders, their account numbers, and many other things.
- Types of data: In this section, you should define the types of personal data that we process as part of our contract with you. You can choose one of the pre-set types of data that we list, or you can add other types of data.
- Affected people: This section defines the groups of people whose personal data we process when we process data on your behalf. You can choose from a pre-set group of people that we list, or you can add other groups of people.
Once you have finished creating your DPA, you will be able to see the list of types of data and affected people by going to Appendix 1 of the DPA.
If, after you have generated your DPA, you decide that you need to change the types of data and/or the affected people, you can do the following:
- Choice 1: Delete the existing DPA by clicking on the trash bin icon, and then create a new DPA.
- Choice 2: Create a second DPA in addition to the existing one. You can create up to 6 DPAs.
It is not absolutely necessary for you to sign the DPA at this point because you have already given your consent when you generated your DPA via your customer account and checked the checkbox “I consent to the agreement” at the end of the DPA.
We do not generate or sign DPAs that individuals or organizations create for themselves. We require everyone who needs a DPA with us to create one using this link: https://accounts.hetzner.com/account/dpa.
Hetzner US LLC, as a subsidiary of Hetzner Online GmbH, provides data center services within the USA for the parent company, Hetzner Online.
This means that your existing contractual agreement and customer relationship will continue to be exclusively with us (Hetzner Online GmbH), and your personal data will not be passed on.
We have prepared the following examples for you to illustrate this:
Case study 1: You rent products just within the EU (in Germany and/or Finland): The server locations Ashburn (USA) and Hillsboro (USA) are left out in this example. Your customer master data is stored and processed within Germany (EU).
Case study 2: You rent products within the EU and in the USA: Your customer master data continues to be stored and processed exclusively within Germany (EU). This has not changed due to the US locations. Hetzner Online GmbH concludes the standard contractual clauses (SCCs) with Hetzner US LLC, which enables you to use the servers at the Ashburn and Hillsboro locations in a GDPR-compliant manner even in compliance with the Schrems II agreement.
It is up to you as the customer to decide which data you store on the instances in the USA and whether or not you encrypt this data as a precaution. We regularly receive inquiries from the authorities. If you as a customer use the server for any illegal purposes, we assume that we may receive inquiries from the US authorities or that we may receive other forms of judicial requests such as warrants or subpoenas. If this happens, and only if this happens, authorities are obliged to cooperate on the basis of international agreements. The SCCs in the link regulate the obligations of the involved parties.
US authorities do not have direct access to your server or its content in the EU. US authorities have to comply with the regulations of the EU legislation. What that actually means:
For our data centers in Falkenstein and Nuremberg: We only accept requests and court orders from German authorities and German courts. We do not accept requests and/or court orders from foreign authorities/courts. We only grant access to our data centers to German authorities with a valid German court order.
However, like other hosting providers, we cannot guarantee that German authorities will not disclose the data obtained under German law to foreign authorities due to international agreements.
For our data center in Helsinki: We only accept requests and court orders from Finnish authorities and Finnish courts. We do not accept requests and/or court orders from foreign authorities/courts. We only grant access to our data centers to Finnish authorities with a valid Finnish court order.
However, like other hosting providers, we cannot guarantee that Finnish authorities will not disclose the data obtained under Finnish law to foreign authorities due to international agreements.
Conclusion: In summary, you as a customer do have influence, to a certain extent, on shaping who has access to the data on your servers. However, even data stored exclusively in Europe is not 100% protected from access by governmental requests and/or court orders. If you require a web hosting company that has absolutely no connections to the USA, then unfortunately, we may no longer be the best choice for you. Since Hetzner US LLC is part of the Hetzner Group, there certainly is a connection. We hope that we have explained things clearly from our point of view using the two case studies above.
If you have any other questions about DPAs, we will be happy to help. Please contact our data protection team at firstname.lastname@example.org.