Content Delivery Networks (CDNs)
Convenient, but use with caution. What must be taken into account with CDNs with regard to the GDPR?
Content Delivery Networks (CDNs) are used on many websites. Their purpose is to let the website's own server concentrate on its main tasks, such as managing orders in an online shop, instead of being burdened with transferring frequently requested but rarely changed files to users. Typical examples are image files, fonts and script libraries.
Such files are therefore delivered by a CDN. The CDN provider operates a more or less extensive network of its own high-performance servers from which the files are served. Routing algorithms ensure that the visitor's browser retrieves the data from the CDN server that is best reachable for it. Ideally, the page load time drops significantly and the actual web server can handle more requests.
What is often overlooked, however: when files are retrieved from a CDN, data from the user's device is also transmitted to the CDN operator; there is no technical way around this. Because this data includes the IP address of the device, and an IP address is regarded as personal data, the General Data Protection Regulation (GDPR) applies here as well.
From a data protection point of view, such a transmission is unproblematic only if the CDN operator acts as a processor for the website operator AND the data is processed exclusively within the European Union or in a country with a valid adequacy decision (e.g. Switzerland).
For other website elements, consent is often used so that the website visitor expressly agrees to the data transmission or processing. With CDNs this is usually not reasonably possible, because the browser already needs the graphics files, fonts or scripts in question before a consent dialog can even be displayed.
Consideration of the GDPR
The following situations are therefore not compliant from a data protection perspective:
- Use of a CDN for which no valid data processing agreement (Article 28 GDPR) has been concluded with the operator. Reason: there is no legal basis for the transfer to a third party.
- Use of a CDN from an insecure third country, i.e. one without an adequacy decision.
Practical examples of such situations would be:
- Integration of Google Fonts
- Loading script libraries such as jQuery from jsdelivr.net
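As an added example that is not part of the original article, the following Python script audits a page's HTML for exactly this problem: it lists every third-party host a browser would contact while parsing the page, i.e. before any consent banner can run, and flags the two CDN examples named above. The sample page and the shop.example origin are constructed for illustration; the hostnames used for Google Fonts and jsDelivr are the well-known public ones.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements fetched while parsing (before a consent banner can appear); for <link>, only rel values that fetch or connect count.
RESOURCE_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",), "link": ("href",)}
FETCHING_LINK_RELS = {"stylesheet", "preload", "modulepreload", "preconnect", "dns-prefetch", "icon"}
# Host suffixes of the two CDN examples the article names (Google Fonts, jsDelivr).
KNOWN_CDN_SUFFIXES = ("googleapis.com", "gstatic.com", "jsdelivr.net")


class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and not FETCHING_LINK_RELS & set((a.get("rel") or "").lower().split()):
            return  # canonical, alternate etc. are not requested by the browser
        for name in RESOURCE_ATTRS.get(tag, ()):
            if a.get(name):
                self.urls.append(urljoin(self.page_url, a[name].strip()))


def third_party_hosts(html, page_url):
    """Hosts other than the site's own that receive the visitor's IP address."""
    own = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        parts = urlsplit(url)  # data: URLs have no host and are skipped
        if parts.scheme in ("http", "https") and parts.hostname and parts.hostname != own:
            hosts.add(parts.hostname)
    return sorted(hosts)


def flag_known_cdns(hosts):
    """Subset of hosts belonging to the CDN examples named in the article."""
    return [h for h in hosts if any(h == s or h.endswith("." + s) for s in KNOWN_CDN_SUFFIXES)]


# Constructed sample page (not a real site): the consent banner is served locally, but
# fonts and jQuery come from third-party CDNs and are fetched before the banner can run.
PAGE_URL = "https://shop.example/"
SAMPLE_HTML = """<!doctype html><html><head><link rel="canonical" href="https://www.w3.org/">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="preconnect" href="https://fonts.gstatic.com"><link rel="stylesheet" href="/static/site.css">
<script src="//cdn.jsdelivr.net/npm/jquery/dist/jquery.min.js"></script>
<script src="/static/consent-banner.js"></script></head>
<body><img src="data:image/png;base64,iVBORw0KGgo=" alt=""><img src="/img/logo.png" alt=""></body></html>"""

if __name__ == "__main__":
    print(third_party_hosts(SAMPLE_HTML, PAGE_URL))  # hosts that receive the visitor's IP
```

Static parsing misses resources pulled in by CSS (@import, url()) or by scripts at runtime, so confirm the result against the browser's network panel with all consent declined.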
Which details must be taken into account with CDNs with regard to the GDPR? Make sure that a valid and legally compliant data processing agreement exists between you and the operator, and check where the operator has its registered office. If possible, this should not be in a third country.