Back

CDNs with GDPR in mind

#news

Content Delivery Networks (CDNs) Convenient, but use with caution. What must be taken into account with CDNs with regard to the GDPR? Content Delivery Networks …

Back

Content Delivery Networks (CDNs)

Convenient, but use with caution. What must be taken into account with CDNs with regard to the GDPR?

Content Delivery Networks (CDN) are used on many websites. They are intended to ensure that the actual server can take care of its main tasks, such as managing orders in an online shop, and is not burdened with transferring frequently used but seldom changed files to the user. Examples would be graphics files, fonts or script libraries.

Such files are therefore delivered by a CDN. The CDN provider operates a more or less extensive network of its own high-performance servers from which the files are delivered. Clever algorithms ensure that the website user’s browser retrieves the data from the server in the CDN that is most accessible. Ideally, the loading time for the page is significantly reduced and the actual web server can take care of more requests.

However, what is often not considered: when files are retrieved from a CDN, data from the user’s end device is also transmitted to the CDN operator. This is not technically possible otherwise. Since this also includes the IP address of the end device and this IP address is regarded as personal data, the General Data Protection Regulation must also be observed.

From a data protection point of view, such a transmission is only uncritical if the CDN operator acts as a processor for the website operator AND the data is only processed within the European Union or a country with a valid adequacy decision (e.g. Switzerland).

In the case of other website elements, consent is often used in order to have the website user expressly consent to data transmission or processing. This is usually not reasonably possible with CDNs, because the graphic files, fonts or scripts in question are already required by the browser before consent can even be displayed.

Consideration of the GDPR

The following situations are therefore not legally compliant from a data protection perspective:

  • Use of a CDN for which no valid order processing agreement (Article 28 GDPR) has been concluded with the operator. Reason: there is no legal basis for the transfer to a third party.
  • Using a CDN from an insecure third country.

Practical examples of such situations would be:

  • Integration of Google Fonts
  • Reloading script libraries such as jQuery from jsdelivr.net

Which details must be taken into account with CDNs with regard to the GDPR? Make sure there is a valid and legally compliant order processing contract between you and the operator, as well as the operator’s registered office. If possible, this should not be in a third country.

Use CDNs correctly

become legally compliant! Test now for 14 days free of charge.

to the privacy cloud

Recommended articles

Employee training – an underestimated problem

The necessity of employee training, central problem areas, possibilities and types of employee training and why the form of microlearning could be a possible solution.

Integrate Matomo/Piwik Pro in a legally compliant manner: Use without consent in the GDPR?

Matomo (formerly known as Piwik) is an open source web analytics platform that is considered a privacy-friendly alternative to other ... Weiterlesen ...

Release of the new dashboard

New dashboard for product configuration: more flexibility and user-friendliness After several months of intensive development work, we are pleased to ... Weiterlesen ...

Browser Fingerprinting and the GDPR

Browser fingerprinting is a technique used by websites and advertisers to track and identify a user’s device and online behavior based on information collected from their web browser. This information may include technical details about the device, software, and network, as well as user-specific information such as language preferences, time zone, and browsing history.

legalweb

.io

Bayerhamerstraße 14, 5020 Salzburg - Austria

[email protected]

Support | Imprint | Terms | Data protection

Privacy
Imprint | Privacy
The controller (legal web GmbH, Austria) would like to use the following services in order to process your personal data. Technologies such as cookies, localStorage, etc. can be used for personalization. This is not necessary for the use of the website, but allows us to interact with you more closely. If you wish, you can adjust or revoke your consent at any time via our privacy policy.
Targeting / Profiling / Advertising (1 Service)
Personalized advertising outside our website
Google GTag
Google Ireland Limited, Ireland
All Detailsto Google GTag
All Detailsto Google GTag