Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
IONOS is the European arm of United Internet AG and one of the largest hosting and cloud providers in Germany. It offers domain registration, shared hosting, managed WordPress, the MyWebsite builder, IONOS Compute Engine (a sovereign IaaS offering), Server Cloud, dedicated servers, IONOS Cloud Storage and managed Microsoft 365. Because IONOS is headquartered in Germany and operates EU data centres, it is a strong default for European websites that need a hosting partner aligned with the GDPR, the German TTDSG / TDDDG and the BSI C5 cloud security catalogue.
IONOS SE, registered in Montabaur, Germany, is the consumer and small business hosting brand of United Internet AG. It offers domain registration, shared web hosting (Linux and Windows), managed WordPress, the MyWebsite drag and drop builder, dedicated and bare metal servers, IONOS Cloud Storage compatible with S3, IONOS Compute Engine (a sovereign IaaS), and bundled Microsoft 365 plans. IONOS Cloud, the IaaS arm, targets enterprises and public sector customers that need a sovereign EU cloud aligned with GAIA-X principles.
On a website hosted with IONOS, the infrastructure layer sets technical session cookies and may add load balancing cookies. The MyWebsite builder injects a small set of first party cookies for the editor (ionos_session, ionos_csrf). Analytics, marketing or social embed cookies are only added by the customer through MyWebsite blocks or by integrating third party services. Server logs capture IP, User-Agent, requested URL and Referer for security and abuse detection.
IONOS acts as processor for hosting, MyWebsite, e-mail and storage services, and as controller for its own customer communication. The IONOS Auftragsverarbeitungsvertrag (AVV / DPA) is signed automatically as part of the customer contract and is available in the customer panel in German, English, French and Spanish. The DPA references the European Commission Standard Contractual Clauses where applicable and the BSI C5 attestation.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For EU data centres, no third country transfer takes place. IONOS does operate a data centre in the United States for customers that need US presence; selecting that data centre obviously triggers the GDPR transfer rules. The IONOS Compute Engine carries an EU contractual ring fence: customer data is stored, processed and accessed only by IONOS personnel based in the EU.
Contractual necessity (Article 6(1)(b) GDPR) covers hosting, domain and mailbox processing. Legitimate interest (Article 6(1)(f)) covers security. Consent (Article 6(1)(a)) only applies if the customer adds analytics or marketing scripts through MyWebsite templates or other integrations.
Sign the IONOS DPA in the customer panel, choose an EU data centre, enable two factor authentication for the panel, review the BSI C5 and ISO 27001 attestations, document the sub-processor list, list IONOS in the privacy notice, and integrate any optional analytics or marketing snippet into the Consent Management Platform so it only fires after opt-in.
Websites using IONOS must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is rarely required for IONOS infrastructure alone. Document a transfer impact assessment limited to the chosen data centre (EU vs US), the BSI C5 attestation, ISO 27001 certification, encryption at rest and in transit, IONOS Compute Engine sovereignty controls (compatible with EU GAIA-X principles) and the response plan for any third party access request.
Sample consent text
This website is hosted on IONOS infrastructure in the European Union. Hosting cookies for load balancing and security are strictly necessary and exempt from consent. Optional cookies set by templates of the IONOS MyWebsite builder for analytics or marketing only fire after you click Accept on the cookie banner.
Third-party domains contacted
ionos.comionos.deionos.esionos.frhosting-data.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ionos_session | HTTP cookie | Session | IONOS panel and MyWebsite session identifier. |
| ionos_csrf | HTTP cookie | Session | Anti CSRF token for the IONOS customer panel and MyWebsite editor. |
| ionos_locale | HTTP cookie | 1 year | Stores the preferred locale for the customer panel. |
IONOS collects user analytics data — you legally need a consent banner. Try FlowConsent free.
IONOS hosting and MyWebsite set technical session cookies (ionos_session, ionos_csrf) and a locale preference cookie. No analytics or marketing cookies are deployed by default.
Hosting cookies are strictly necessary and exempt from prior consent. Only the optional analytics or marketing snippets added by the customer through MyWebsite or other integrations need consent.
Article 6(1)(b) GDPR (contract) for hosting, domain and mailbox services. Article 6(1)(f) for security and abuse prevention. Article 6(1)(a) only for optional analytics or marketing scripts.
No, when an EU data centre is selected. IONOS does operate a US data centre for customers serving North American audiences; selecting that data centre triggers GDPR transfer rules. IONOS Compute Engine offers a sovereign EU contractual ring fence.
Rarely. A short transfer impact assessment is enough, focused on the data centre choice and the BSI C5 / ISO 27001 attestations.
Sign the IONOS DPA, choose an EU data centre, enable 2FA, review the BSI C5 and ISO 27001 attestations, list IONOS in the privacy notice and integrate optional analytics scripts into the CMP.
For sovereign EU hosting: OVHcloud, Scaleway, Hetzner, Infomaniak, Open Telekom Cloud. For Managed WordPress in the EU: Kinsta EU, WPEngine EU, Hostinger EU.
List IONOS SE as a processor for hosting and as the registrar for the domain, describe the technical cookies, reference the BSI C5 and ISO 27001 attestations and link to the IONOS DPA and privacy notice.