European GDPR - Any news? [UPDATED July 2023]

Hello again,

This video shows how to integrate Iubenda (as mentioned by @milkshaken) on a website How to be GDPR CCPA compliant with Iubenda Deal on Appsumo REVIEW - YouTube. Now because of price and the ramifications of not being compliant with GDPR regulations, developers should pass this informations to their clients and get either the embed code or the link to the documents directly from them. In my opinion being compliant is the responsibility of the client/owner not the developer. I hope this helps.

I’m replying to you Stan because you asked for somebody that uses Iubenda and I do. Of course, this reply is meant to share with everybody some info I found. Even if sometimes I could sound upset in this message, it’s not because of you guys, it’s just because of this complicated situation. So let’s start.

What Iubenda says (and the EU law says):
transferring data from the EU to the US (of course other countries too, but I will mention the US because we’re talking about Webflow) is an exception and you can do it only on some conditions:

Schermata 2021-01-13 alle 09.25.15873×299 68.7 KB

Schermata 2021-01-13 alle 09.25.07864×358 80.6 KB

Schermata 2021-01-13 alle 09.24.52843×383 90.4 KB

Link to the Iubenda explanation

As you can see the “famous” informed consent that many people are suggesting, it’s not just “Hey, your data are being transferred and stored in the US, are you ok with this?”. You have to inform your customers in a detailed way about the risks and about what could happen with their data. You have also to look at the US company’s SCC (Standard Contractual Clauses), verify that the company itself guarantees those data security, more than the US government will do.

Also, Iubenda it’s just a tool to show banners, Privacy and Terms and Conditions pages in a proper, legal way: it doesn’t provide Privacy guarantees itself.

Webflow said they did some changes and provided [this link] to sign a kind of agreement(Webflow Data Protection Agreement Request) to accept their conditions. Anyways, it seems to me that this contract you sign by following the link, is about YOUR account, YOUR data as a designer because YOUR data are being stored on their US servers. I don’t think this covers us for storing OUR customers’ and users’ data.

Somebody suggested asking them more info: well many of us did this on public forums, private forums with Webflow representatives (I did that) and this is the only semi-official declaration/answer I can find online.

Schermata 2021-01-13 alle 09.28.06779×672 174 KB

Link to the post

As you can see, they mentioned a chance to have an EU based Webflow Hosting, but no news about that anymore. That would be the perfect solution because we wouldn’t have to look into legal stuff at all.

They said they already modified their SCC so probably the solution is already out there (?) If so, why not explaining to us how to integrate it on our websites? They have great videos about small design details: many of us will be satisfied with a plain text guide on how to manage this Privacy problem.

Even though the problem wasn’t created by them, wasn’t created by us right? We’re paying for a service, the situation has changed, we look for the best tool to use and “best” includes legal stuff.

I just wrote them an email at privacy@webflow.com, I’ll let you know what they’ll say.

hi @Velea thank you for your time to answer. I have found nice article, not how to solve problem but what is going on. I aways searching for more articles as some have explanations that are easy to understand.

I have also find nice example how company communicate with their users on Mailchimp

Looking forward to hear about WF response

Yes Stan, in other posts about Privacy I’ve mentioned Mailchimp too: that’s a good example of a company that explains things clearly.

Thanks for that link, I’ll have a look!

Hi @Pablo_Cortes thank you for your input.

That is technically correct and some clients provide their specific policies when needed. But as you have mentioned is our responsibility to inform client in detail what they will need, in this case very specific and detailed description how data of their costumers are handled, to be safe and not to be fined and offer them solution.

After digging on net it is for me a bit more clear what should be done and be able to explain situation to clients. But wouldn’t be nice instead spending several days on searching just to open a Webflow website and read article about this issue directly from service you pay for?

@Velea
What you have outlined with screenshots in your post is actually 3 separate condition under which the transfer of data can take place.

1. In the case of adequacy standards, no problem. Privacy Shield was such an adequacy standard.
2. SCC : You do not need to obtain consent, but you need to outline the SCC in your privacy policy. Webflow has provided this, via their DPA.
   SCC can, in theory, be challenged legally. But SCC are what every major player is using, including Amazon AWS, where Webflow is hosting.

Amazon (AWS) has updated its EU-US Privacy Shield FAQ page, reassuring its customers that rigorous technical and organizational measures are in place to protect users’ privacy and that its customers can “continue to rely on the SCCs included in the AWS GDPR Data Processing Addendum if they choose to transfer their data outside the European Union in compliance with GDPR. The AWS GDPR Data Processing Addendum with Standard Contractual Clauses is part of the AWS Service Terms and is available automatically for all customers transferring personal data from the EU to any of the AWS regions around the world, including in the US.”

3. Informed consent is actually the last resort, in the absence of both adequacy standards and SCCs.

Lastly, this is inaccurate. Iubenda provides legal services, that is actually their bread and butter, the api is just nifty. They can generate the Privacy Policy, Cookie policy and T&Cs for you, which is a legal service, and I imagine that it is as much of a guarantee as you will get anywhere. I think this is what most people are failing to grasp in this post: It’s the legal text you link to that will protect you, not the checkbox. Cookie banners are a dime a dozen, but lawyers are not.
And actually what costs the most is the consent management solution, which as far as I can tell would make a site bulletproof for whoever is not content with Webflow’s
DPA.

Actually, this is not the case. I have just read through it. It’s 18 pages of legal text, but it will answer pretty much all questions on this forum, which is probably why Webflow has stopped responding (=they have done their due diligence, but they can’t put a post out saying ‘Here is how to comply to GPDR’ because that could be construed as legal advice)

TL;DR:
The DPA is to be signed by the owner of the site, not the designer.
The site owner is the Data Controller, and is Webflow’s Customer, and the site’s customers are the end-users.
Webflow (and its subprocessors) are the Data Processors.
The Data Controller (site owner) is responsible for the data they collect from their end-users, and Webflow is responsible for the personal data they receive from or on behalf of their Customer (site owner) which includes end-user data. (definition 1.7, pg 3)
The DPA outlines the duties and responsibilities of both the site owner and Webflow.
Two critical points:
The SCC are the to the standard defined by the European Comission. (definition 1.10 pg 3)
Webflow undertakes the responsibility to hold their subprocessors to the same SCC standards. (Subprocessing, pg 15)

I dunno, this seems pretty good to me.

hmm. I honestly believe that most developers are aware that only agreement button (checkbox) doesn’t protect you and there have to be a link to these texts.

I didn’t get this part, so you saying that WF can’t (are not allowed) communicate with users and let us know in some of article in plain english (sorry, I’m not familiar with law terms) to inform us what the did, what they will do and what can be done by us to ensure that all our clients will be safe on their platform? Hard to believe but if you said so I would not argue as I’m only developer.

You’re right, that was a terrible choice of words Sorry.
What I meant was this: A blog post on what would essentially constitute legal advice is outside the scope of ‘the service that you pay Webflow for’. You can find articles in plain english on the subject from other services that actually specialise in legal advice.

Here is an infographic from the horse’s mouth, that is as simple as it gets: Data protection - Better rules for small business

Webflow provided a contractual solution in the form of the DPA. However, how this solution is implemented on each site will wildly depend on each individual situation. It would be irresponsible of them to tell you ‘Ok, sign the DPA, then do this and that, then put a checkbox here and then you’re good’ and it would be naive to just take that and run with it and have peace of mind. Even if it was vaguely accurate advice.
I know people are looking for a simple answer, and I guess that answer is ‘There isn’t one’. But neither does it boggle the mind to grasp the situation.

As with developing any other product meant for people to use, educating oneself on the legal and ethical landscape of your field is a very important part of the process.
Seems devs are really content to learn how to implement a nice looking contact form, collect people’s sensitive data and send it half way across the world, but not so content to spend the same amount of time to learn exactly how to treat that data with respect while doing it. I’m not saying you have to become an expert, but at least understand what the fuss is all about.

I apologise for going on an on, but I am very passionate about this haha… I’m not even in the field, I’ve only ever made one website.

But I think developers have a really big responsibility to society right now. Just think about the impact on everyone’s lives from developers’ choices over the last 15/20 years. Data ownership and privacy rights are gonna dominate the next 20, and anyone that makes websites is gonna have a hand in that, and as an end-user myself I want them to do their due-diligence.

You’re right, they won’t provide us with a detailed guide because that would mean taking on legal responsibility. I didn’t think about that.

It’s not about wanting just to make “nice-looking” stuff, it’s about knowing what is our role and be humble enough not to mess with other fields that are not our specialty. We’re not lawyers and no matter how much info we find online or how much we could be passionate about the subject we’re not in the position to offer official legal guidance to our clients, maybe just some advice. Webflow doesn’t want to, why should I do that?

So I think I’ll proceed this way:

1. Clients that have a Privacy specialist - I’ll tell them about Webflow and their specialist will tell me what to do.
2. Small clients that don’t have a Privacy specialist - I’ll use other web development tools (probably WordPress + European hosting)

ok lets summarise it:

1. Webfolw did great job (DPA Form) in their legal way so we can use Webflow for EU clients without problem.
2. Webflow can’t communicate with users according to data protection as it is illegal and can put them to risk

I will accept it and will not talk about Webflow anymore with a hope that at least small part of their announced funding (140M) will be used for EU members services.

This is great scenario for company or agency who can employ or hire lawyer beside designers developers, marketing specialist and another professions.

I agree that we as developers have to take steps and make sure that clients site is not only nice looking, fast, secure, and easy to find etc. but as well bulletproof when come to law in this case data protection for costumers of country the website is created and/or …

And because I really care I would like to have answers for potential GDPR questions from clients. Thats why I have asked questions HOW TO on Webflow platform. That said, as Freelancer I’m spending all my time on learning new languages, improving skills, implementing or get familiar with new updates in languages, design, SEO, servers etc… and now also trying to understand necessary basics of data protection.

But there is a big difference, If I mess up design, code, SEO I can go back fix it and “nothing” happened (I’m not talking about security). But if I mess up (implement wrong / not proper / not good enough ) law text it will have huge impact on client pocket and on my reputation. So even if I will have time to keep updated and fully understand law and its changes I will become a “lawyer” instead a developer.

I love to be a developer and I would like to keep it this way.

That was a reason why I asked for help and/or advice of best practices from people who knows more because they use it on “daily” basis.

FINAL SUMMARY
There is a way how to use securely Webflow for EU clients by using paid third party services to provide text that will protect EU clients to be fined.

Another option as have been mentioned is to use EU servers, but I would not go for WP.

I respectfully disagree with the claim that only a big agency can use Webflow in a fully compliant way.
It cost me 22EUR to create an auto-updating Privacy & Cookie Policy with iubenda, that includes the references to SCC, as well as all e-commerce features/ payment processing and external plugins. I am as small fry as it gets, but if I was processing data at a large enough scale to require a Data Protection Officer in Europe, I would probably be able to afford the 500 fee to add consent management and be fully covered (ie. be using exactly the same safeguards as Google, Facebook or any of them.)
If I was a developer I would subscribe to their monthly subscription for 48 dollars which would allow me to offer this bulletproof GPDR solution to all of my clients, with iubenda -a law firm, being the guarantor of the compliance, not me the designer.
Mind you, I only had to pay the 22 bucks because I have e-commerce. If you are hosting a static site with just a contact form, you can get a Privacy Policy with allusion to SCC for free.
How is that out of reach for small clients?

Sure, you can’t flip a switch for that inside Webflow for the same reason you can’t buy shoes in a bakery.

The choices that developers make greatly affect what is needed legally.
For example you can use Google Analytics without even a cookie pop-up and be compliant. You just have to anonymise IP, disable data sharing and store Client ID locally instead of setting a cookie for it.
I don’t think it’s out of scope for a developer to offer this choice to a client or themselves, nor to ask the question: Do you really need to know the exact neighbourhood your user is in and 3 years worth of their past search history in order to gain the benefit you are seeking? Or does Google actually want to know that in order to maintain their highly damaging market monopoly?

A site is given many chances to remedy a potential privacy vulnerability before a fine is incurred (that’s also outlined in the European Comission guide I linked to above). So if not processing high risk data and if -and that’s a big if- your oversight is somehow brought to the attention of the EU-wide Data Protection Authority and they give you a warning, you have the opportunity to fix it before getting a fine or even losing access to your database.

This is all much of a muchness though, because none of it is specific to Webflow. A site owner needs to go over all their integrations with the same care. So since no one is mentioning it, I guess everyone that is using Google Analytics has opted into their latest DPA? It was last updated on August 16, 2020 and they give you no prompt to opt in or anything, so you have to somehow magically become aware of it and then manually go find it and accept.

True story.

But you see what I mean?

I never said that. Probably it was wrongly written as I was pointing out your text in quote, that developer have to spend time to be educated in law.

I have also place in final summary that there is a way by using paid third party services when using in this case Webflow. I have spend this week and probably next to find more about iubenda and other services as there are for me some unanswered questions, but this has nothing to do with this topic.

It will be nice to have some webinar to talk about GDPR, iubenda, TermsFeed etc. and talk about that with people who have something to share about their experience with these services and problems they had to solve. But Im not sure if there are people interested in this topic as I am.

They replied to my email, I just added an update to my first post

Hi everybody.
I have some more info on the topic, I’ll summarize the situation.

There are two categories of personal data that Webflow has access to and that could be a problem for EU customers:

• Website owner’s data
• Forms data
• Website visitors data

To be compliant regarding Website owner’s data (name, email, payment data, they can sign Webflow DPA

The DPA applies to Forms data too, but if it’s not enough for your client, you can use a third-party EU-based form service, or just not use forms at all.

Regarding website visitors’ data, Webflow anonymizes all IP addresses and there are no other personal data collected when a visitor accesses the website.

I hope this helps to clarify the situation!

Schermata 2021-02-08 alle 08.58.471141×515 67.7 KB

Hi, does this mean webflow sites, forms etc is finally compliant? Are there any extra steps that needs to be made to be absolutley sure? Thanks.