CDNs with GDPR in mind


3 minutes

Content Delivery Networks (CDNs) Convenient, but use with caution. What must be taken into account with CDNs with regard to the GDPR? Content Delivery Networks …


Content Delivery Networks (CDNs)

Convenient, but use with caution. What must be taken into account with CDNs with regard to the GDPR?

Content Delivery Networks (CDN) are used on many websites. They are intended to ensure that the actual server can take care of its main tasks, such as managing orders in an online shop, and is not burdened with transferring frequently used but seldom changed files to the user. Examples would be graphics files, fonts or script libraries.

Such files are therefore delivered by a CDN. The CDN provider operates a more or less extensive network of its own high-performance servers from which the files are delivered. Clever algorithms ensure that the website user’s browser retrieves the data from the server in the CDN that is most accessible. Ideally, the loading time for the page is significantly reduced and the actual web server can take care of more requests.

However, what is often not considered: when files are retrieved from a CDN, data from the user’s end device is also transmitted to the CDN operator. This is not technically possible otherwise. Since this also includes the IP address of the end device and this IP address is regarded as personal data, the General Data Protection Regulation must also be observed.

From a data protection point of view, such a transmission is only uncritical if the CDN operator acts as a processor for the website operator AND the data is only processed within the European Union or a country with a valid adequacy decision (e.g. Switzerland).

In the case of other website elements, consent is often used in order to have the website user expressly consent to data transmission or processing. This is usually not reasonably possible with CDNs, because the graphic files, fonts or scripts in question are already required by the browser before consent can even be displayed.

Consideration of the GDPR

The following situations are therefore not legally compliant from a data protection perspective:

  • Use of a CDN for which no valid order processing agreement (Article 28 GDPR) has been concluded with the operator. Reason: there is no legal basis for the transfer to a third party.
  • Using a CDN from an insecure third country.

Practical examples of such situations would be:

  • Integration of Google Fonts
  • Reloading script libraries such as jQuery from

Which details must be taken into account with CDNs with regard to the GDPR? Make sure there is a valid and legally compliant order processing contract between you and the operator, as well as the operator’s registered office. If possible, this should not be in a third country.

Use CDNs correctly

become legally compliant! Test now for 14 days free of charge.

Recommended articles

The role of AI in GDPR compliance

With the rise of artificial intelligence (AI) and its increasing use in various industries, it is becoming crucial for organizations to understand the role of AI in ensuring GDPR compliance.

Browser Fingerprinting and the GDPR

Browser fingerprinting is a technique used by websites and advertisers to track and identify a user’s device and online behavior based on information collected from their web browser. This information may include technical details about the device, software, and network, as well as user-specific information such as language preferences, time zone, and browsing history.

5 common GDPR myths debunked

The General Data Protection Regulation (GDPR) is a set of regulations introduced by the European Union (EU) in 2018 to ... Weiterlesen ...

Server Side Tracking GDPR compliant

How to implement server side tracking/tagging in compliance with GDPR? What needs to be considered in relation to the GDPR? ... Weiterlesen ...
Thank you for visiting, the website of legal web GmbH in Austria. We use technologies from partners (2) to provide our services. These include cookies and third-party tools to process some of your personal data. These technologies are not strictly necessary for the use of the website, but they do enable us to provide a better service and to interact more closely with you. You can adjust or withdraw your consent at any time.
asd as asd