EU General Data Protection Regulation
GDPR-compliant IoT platform infrastructure
IoT platforms process data on behalf of your business — collecting sensor readings, routing device telemetry, triggering automated responses. When that data includes personal information from connected devices, your IoT infrastructure is a GDPR data processor. We ensure yours is compliant.
What is the GDPR?
IoT platforms sit at the intersection of physical devices and digital data processing. Every sensor reading collected, every telemetry message routed, every alarm triggered may involve personal data. GDPR applies to every system that processes personal data, not just to where that data rests. That includes your IoT platform.
- In force since: 25 May 2018
- Scope: Any org processing EU personal data
- Max fine: €20M or 4% of global turnover
- Breach reporting: 72 hours
Key GDPR obligations for IoT platforms
IoT platforms are data processors — they handle device telemetry and operational data flowing through your infrastructure. These six articles govern what obligations that creates.
Art. 5 — Principles of processing
IoT platforms must process device data only for the purposes for which it was collected. Sensor telemetry retention should be minimized and subject to configurable retention limits. We support configurable data retention periods.
Art. 6 — Lawful basis
Processing personal data via IoT devices requires a valid lawful basis — typically contract or legitimate interest. IoT data collection is a processing activity and should appear in your Record of Processing Activities (Art. 30).
Art. 17 — Right to erasure
If a data subject requests deletion, you must remove personal data from device logs, telemetry history, and any intermediate storage. We support configurable retention windows and data purge on request.
Art. 28 — Data Processor
We act as your data processor for any personal data processed through managed IoT platforms. Our DPA covers ThingsBoard, Node-RED, and ChirpStack — and the infrastructure sub-processors involved.
Art. 32 — Security of processing
IoT platforms need the same security as any data processor. Our deployments use encrypted storage, isolated tenant environments, TLS for all device communication, and access controls — protecting device data.
Art. 33 — Breach notification
If a breach affects personal data on our managed IoT infrastructure, we notify you within 72 hours so you can meet your reporting obligation to your supervisory authority.
Art. 30 — IoT as a documented processing activity
Under GDPR Art. 30, data controllers must maintain a Record of Processing Activities (RoPA). Your IoT platform is likely one of those processing activities: it processes data from connected devices, sensors, and physical infrastructure.
- Document your IoT data flows in your RoPA: what telemetry you collect, for what purpose, under which lawful basis, and how long you retain it
- Data minimization: collect only the sensor readings you need — avoid storing full telemetry streams when only aggregated values are required
- Retention: configure data retention limits so the system purges historical telemetry after your defined retention period
What we provide for GDPR compliance
- Data Processing Agreement (DPA) on request
- EU data residency — Nuremberg (primary) + Falkenstein (DR)
- Audit logs retained and exportable
- Data export on request (Art. 20 portability)
- Data deletion on request (Art. 17 erasure)
- 72-hour breach notification to you (Art. 33)
- Encrypted backups stored within the EU
- Sub-processor list available on request
Your GDPR-compliant IoT stack
Three managed IoT platforms — running on EU infrastructure with DPA coverage for all device data processed through your deployments.
IoT platform processing personal data?
Request our DPA for your managed IoT infrastructure and discuss how to document your device data flows in your Record of Processing Activities.