Commissioning affected by GDPR in EU
For organizations operating in the EU, commissioning software is part of the data governance landscape. Questions of data ownership, hosting location and legal responsibility are central to how platforms are selected and approved.
CxPlanner’s commissioning software is developed and hosted in the EU. That gives owners and contractors a straightforward path to aligning commissioning workflows with EU data protection requirements, without having to manage complex third-country data transfers or opaque sub-processor chains.
GDPR introduces strict obligations for both data controllers (typically the owner, contractor or consultant) and data processors (such as the software provider). In commissioning, the relevant data usually includes:
- names and contact details of project participants
- digital signatures and approvals
- photos and other documentation from site, sometimes with people visible
- user activity logs tied to individual accounts
This is personal data in the sense of the regulation. Ultimately, protecting the customer also means protecting ownership. Organizations must remain the owner of its project data and the rights attached to it.
Clear contractual terms on data ownership, export and deletion are therefore just as important as technical features when selecting commissioning software.
GDPR fines and financial exposure
For large enterprises, fines can reach up to 4% of worldwide annual turnover. That has led many legal and compliance teams to treat cloud-based technical tools, including commissioning platforms, in the same way as core business systems.
The questions are no longer limited to features; they also cover hosting location, data export, contractual safeguards and auditability.
From a commissioning perspective, this affects planning and execution. When a platform is not clearly aligned with GDPR, teams may be forced back to local storage, manual exports or fragmented solutions to satisfy internal requirements.
That undermines the very benefits commissioning software is supposed to provide.
How GDPR, EU hosting and commissioning can be combined
GDPR does not completely prohibit transfers of personal data outside the EU, but it makes them legally and operationally complex.
For many large organizations, the practical response has been to adopt an EU-only or EU-first hosting strategy for systems that routinely handle project and personal data.
For commissioning software, this has clear implications:
Data must be hosted on servers located within the EU
This simplifies the legal basis for processing and avoids the need for complex transfer impact assessments and additional safeguards related to third countries. Data flows to non-EU regions must be controlled and clearly documented, since that goes against the base of GDPR and data ownership.
Ownership and control must be unambiguous
The customer needs to retain ownership of all project data, with the ability to export, archive or delete it according to internal policies and contractual obligations.
A structured commissioning platform can support these requirements in a practical way.
When systems, tests and documents are clearly organized by project, and when all actions are logged with user and time, the owner gains a transparent overview of where data sits, who has access and how it is used.
That is exactly the information internal GDPR stakeholders expect to see.
Key requirements for GDPR-aligned commissioning platforms
In an EU context, a commissioning platform should support GDPR in a practical, “built-in” way across three areas:
- EU data residency and jurisdiction: The platform should be able to demonstrate that core storage and processing happen in the EU, under EU jurisdiction, reducing complexity around cross-border transfers.
- Access control and traceability: Access should follow data minimization (role-based permissions, project scoping, and separation between organizations), with key actions logged to maintain a clear audit trail.
- Lifecycle and retention: Commissioning data needs differ during execution vs. after handover, so the platform should support active work and then enable export, archiving, or controlled deletion based on agreed retention rules.
CxPlanner’s Compliance with EU Hosting and GDPR Expectations
CxPlanner is designed around these needs as an EU-safe commissioning platform. It’s developed and hosted in the EU with project data stored on EU infrastructure. The commissioning software:
Organizes systems and data: equipment, tests, and documentation in a structured way and ties approvals, comments, and test activity to specific users and project context for strong traceability.
Access is controlled through roles and project membership, allowing owners, consultants, contractors, and vendors to collaborate in one workspace while keeping permissions clearly separated.
At closeout, data can be exported, archived, or managed in line with the owner’s retention policy - where the owner remains the controller and CxPlanner acts as the processor under an EU-aligned data processing agreement
Run GDPR-compliant commissioning with CxPlanner
Keep your commissioning data in the EU, maintain clear ownership, and document every test and approval in one platform.
Book a demo and explore how CxPlanner can support GDPR-compliant commissioning on your next project.