So self-hostable or on-prem software has the advantage, not specifically FOSS. But in many cases this transfers the GDPR compliance burden to the business that's running the software.
The burden is on the owner of the data in any case. When using an external data processor like Microsoft they have to make sure that the external company complies, and this must be explicitly covered by the contract.
It is not the main point I am trying to make, but FOSS may be hosted in the same country by an entity whose business is integration and support.
The main point I am trying to make, though, is that investing in software that can be used and improved by anyone is (IMO) the appropriate allocation of tax money.
Right now, the money is used on licenses (and, of course, support). What if it was used on development (and support) and the byproduct is software that ideally can be used by anyone who paid for it, too?
The GDPR situation poses an opportunity to make that switch.
Your suggestion boils down to developing a business based on deploying and supporting a software product they can neither control nor own. 'Improved by anyone' tends to mean improved by no one who has a real stake in the product.
What they mean is that FOSS is more likely to be developed with product quality and value in mind. Proprietary software needs to satisfy corporate goals too. And these are often contradictory to the spirit behind GDPR.