Convenient, but use with caution. What must be taken into account with CDNs with regard to the GDPR?
Content Delivery Networks (CDN) are used on many websites. They are intended to ensure that the actual server can take care of its main tasks, such as managing orders in an online shop, and is not burdened with transferring frequently used but seldom changed files to the user. Examples would be graphics files, fonts or script libraries.
Such files are therefore delivered by a CDN. The CDN provider operates a more or less extensive network of its own high-performance servers from which the files are served. Routing logic ensures that the website user’s browser retrieves the data from whichever server in the CDN is fastest to reach. Ideally, the page loading time drops significantly and the actual web server can handle more requests.
However, what is often overlooked: when files are retrieved from a CDN, data from the user’s end device is also transmitted to the CDN operator. There is no technical way around this, because the browser itself opens a connection to the CDN server, and that connection necessarily reveals the IP address of the end device. Since an IP address is regarded as personal data, the General Data Protection Regulation must be observed for this transfer as well.
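To see which hosts a browser contacts as soon as it parses a page (and therefore before any consent dialog can appear), the following script lists every third-party host referenced by fetch-triggering tags. This is an added example, not code from the original article; the sample HTML and the host names in it, including the one used as an "approved processor" allowlist entry, are constructed for illustration.

```python
# Added example: enumerate third-party hosts a page makes the browser fetch from.
# Hostnames below are constructed placeholders, not real CDN or shop domains.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch a resource while parsing the HTML.
FETCH_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of resources the browser loads automatically."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        if tag == "link" and rel not in ("stylesheet", "preload", "icon"):
            return  # e.g. rel="canonical" does not trigger a fetch
        if a.get(attr):
            # Relative URLs resolve against the page; "//host/x" keeps the page scheme.
            self.urls.append(urljoin(self.page_url, a[attr]))


def third_party_hosts(html, page_url, approved_hosts=frozenset()):
    """Hosts other than the page's own origin and the approved processor hosts."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    own = urlparse(page_url).hostname
    hosts = {urlparse(u).hostname for u in parser.urls}  # data: URLs yield None
    return sorted(h for h in hosts if h and h != own and h not in approved_hosts)


# Constructed sample page: one self-hosted script, one allowlisted CDN, two others.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example-fonts.net/css/roboto.css">
<link rel="canonical" href="https://www.shop.example/">
<script src="/js/app.js"></script>
<script src="//static.shop-cdn.example/lib/jquery.min.js"></script>
</head><body>
<img src="https://img.third-party.example/banner.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>"""

if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_HTML, "https://www.shop.example/checkout",
                                  {"static.shop-cdn.example"}):
        print("contacted before consent:", host)
```

Hosts that appear in the output and are neither covered by a data processing agreement nor located in the EU or an adequacy country are the ones the article describes as problematic.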
From a data protection point of view, such a transmission is only unproblematic if the CDN operator acts as a processor for the website operator AND the data is only processed within the European Union or in a country with a valid adequacy decision (e.g. Switzerland).
In the case of other website elements, consent is often used in order to have the website user expressly consent to data transmission or processing. This is usually not reasonably possible with CDNs, because the graphic files, fonts or scripts in question are already required by the browser before consent can even be displayed.
The following situations are therefore not legally compliant from a data protection perspective:
Practical examples of such situations would be:
Which details must be taken into account with CDNs with regard to the GDPR?
Make sure there is a valid and legally compliant data processing agreement (order processing contract) between you and the operator, and check where the operator’s registered office is. If possible, it should not be in a third country.