UK GDPR Data Residency — AWS & Azure UK Regions, International Transfers (2025)

🔒 UK GDPR Art.44–49☁️ AWS eu-west-2🔵 Azure UK South📋 IDTA⚖️ ICO Guidance🇬🇧 Post-Brexit
June 202510 min readClickMasters Data Protection Team

Direct Answer

UK GDPR Chapter V restricts the transfer of personal data to countries outside the UK unless adequate protections are in place. "Data residency" — keeping personal data on servers within the UK — is the simplest way to comply. For cloud-hosted software, this means choosing AWS eu-west-2 (London) or Azure UK South/West as your primary region. Transfers to third-party SaaS tools (even well-known ones like Salesforce, AWS us-east-1, or Mailchimp) constitute international transfers and require a transfer mechanism. ClickMasters builds all UK client software on UK-region cloud infrastructure by default.

UK GDPR Chapter V — The International Transfer Framework

AWS and Azure UK Regions — Data Residency Compliance

Critical: Using AWS us-east-1 or any non-UK region for personal data constitutes an international transfer under UK GDPR — even for a trusted US company like AWS. You need either US adequacy (UK-US Data Bridge, for participating organisations) or an IDTA. ClickMasters uses eu-west-2 by default for all UK client projects — this is non-negotiable in our project standards.

Service/AspectAWS eu-west-2 (London)Azure UK South (London) & UK West (Cardiff)
Region locationLondon, EnglandLondon + Cardiff, Wales
UK GDPR data residency✅ All data in UK — no international transfer✅ All data in UK — no international transfer
Disaster recovery optioneu-west-1 (Ireland) — EU GDPR adequateUK West (Cardiff) — stays within UK
NHS/Gov workloadsUsed by many NHS organisationsNHS England Azure Landing Zone standard
Core services coverageEC2, RDS, S3, Lambda, EKS — all eu-west-2 availableAzure core services all UK South/West available
CDN data residency riskCloudFront edge nodes global — do NOT cache personal dataAzure CDN — check per PoP; do NOT cache personal data
AI/ML services UK availabilityAmazon Bedrock: check region availability per modelAzure OpenAI Service: available in UK South from 2024
Encryption at restAWS KMS with CMKs in eu-west-2Azure Key Vault in UK South

Third-Party SaaS and International Transfers

ServiceHQ LocationTransfer Mechanism RequiredPractical Approach
StripeUSAIDTA or UK-US Data BridgeStripe participates in UK-US Data Bridge — check their DPA
SalesforceUSAIDTA or UK-US Data BridgeSalesforce offers UK-US Data Bridge addendum; use EU data centre option
Google AnalyticsUSAIDTA / UK-US Data BridgeEU consent mode + UK Data Bridge; consider server-side tracking
AWS (us-east-1)USAIDTA or UK-US Data BridgeAvoid for UK personal data — use eu-west-2 instead
HubSpotUSAIDTA / UK-US Data BridgeHubSpot DPA with Data Bridge; or EU data hosting option
IntercomUSAIDTA requiredIDTA in place; consider EU data hosting option
Twilio / SendGridUSAIDTA requiredIDTA in place with Twilio; check subprocessor list

Frequently Asked Questions — UK GDPR Data Residency

Related Guides & Services

Frequently Asked Questions

Common questions about uk gdpr data residency — aws & azure uk regions, international transfers (2025).

Data residency refers to the physical location where data is stored. Data sovereignty refers to the legal jurisdiction that governs the data. They overlap but are not identical. UK GDPR requires that transfers outside the UK have adequate protections — using a UK data centre (residency) is the simplest way to achieve this, but the legal jurisdiction (sovereignty) of the cloud provider and its parent company is also relevant. AWS and Microsoft are US companies — even when you use UK regions, US laws (like CLOUD Act) may apply to their US parent companies.

The UK-US Data Bridge (formally the UK Extension to the EU-US Data Privacy Framework) allows UK organisations to transfer personal data to US organisations that have self-certified under the framework. It was established in October 2023. Not all US companies have self-certified — check the Data Privacy Framework participant list before relying on this mechanism. Key participants: AWS, Google, Microsoft, Salesforce, Stripe.

The EU-UK adequacy decision (which allows EU-to-UK transfers without additional safeguards) was due for renewal in 2025. If it lapses, EU organisations could no longer freely transfer personal data to UK organisations without SCCs or BCRs. UK organisations building for EU customers should build "dual compliance" into their architecture — supporting both UK GDPR and EU GDPR simultaneously, which ClickMasters recommends for all UK-based SaaS platforms targeting EU markets.

Yes — UK GDPR applies based on where your users are (UK residents) and where your business is established (UK), not where the data is stored. Storing data in AWS eu-west-2 means the data is physically in the UK and there is no international transfer issue — but UK GDPR still governs how you process, retain, secure, and provide rights over that data.

About the Author

ClickMasters Data Protection Team UK GDPR international transfers and data residency specialists This guide has been reviewed by an ICO-registered DPO. ClickMasters builds UK data residency compliance into every project architecture as a non-negotiable default.

Build with UK Data Residency from...

Build with UK Data Residency from Day One ClickMasters uses AWS eu-west-2 or Azure UK South as default for all UK client projects. Your personal data stays in the UK. Book a free consultation. → Book Free Consultation: clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation