Facts vs Fear Mongering: Webflow and European users?

It’s a complicated matter, as is often the case for legal things…

First of all: it’s not OVER for us Europeans to use Webflow, but some aspects are legally more complicated since the Privacy Shield was deemed invalid.

From my understanding, the main issue is about personal and sensitive data. So I’d say that if your site handles personal data (like Facebook, for example) then you’ll need to ensure that this data is handled within the EU following EU regulations.
For a Webflow site, I imagine this will mostly affect you for contact forms and the usage of cookies.

Otherwise, the problem is more with 3rd parties like Memberstack, whose core business is to handle this sensitive data.

So what I’d say should be done:

  • You need to check what data your site has access to and how it handles it
  • If you’re suspicious about something, try to change it (better be safe than sorry)
  • Webflow is a US company but has servers in the EU thanks to AWS. So they need to ensure the data processed within the EU is treated according to EU regulations. This needs to be done via a specific contract between them, AWS and whatever other provider they use.
  • Webflow should really give transparency on this, I agree with you here.
  • Hope that the new Privacy Shield the govs are working on will address this and that we can go back to work without having to worry about this :slight_smile:
2 Likes

Good response.
I have actually messaged a few creators regarding this and it seems that most of them do not understand the legislation and don’t really care either. They are working under the assumption that the odds of having an issue are slim and that clients who handle a lot of user data are likely to have their own legal teams that you can trust this stuff to, so they just aren’t worrying about it.

Not to judge those creators as this is working out for them just fine it seems, but for me this feels irresponsible. I am happy to leave the actual website legalities to the clients but as far as the tools and plugins I am using and recommending, I need to be able to understand their legal status at least in brief.

Some transparency would be great. I have searched Webflow’s support and all I can find is an article about preparing for GDPR and in that a sentence stating they are seeking GDPR certification, nothing stating their current status.

Same for me. I stopped using Webflow and painfully went back to Wordpress.

I know these laws are kind of crazy but I agree that silence is not the most professional response from Webflow.

The problem is huge and involves Google Analytics, Memberstack, Zapier and all those extensions/integrations that are USA based.

A friend of mine is a Privacy Consultant and just attended a course about this new situation. He sent me some material to study, the point is, there is no shortcut or way around it.

If Webflow and the other services give us an EU-based option we can use them, otherwise we can’t. That’s it.

@Pasint I agree with your reply here. If you use the contact form just like you would use an email and use only general cookies, there’s no reason to worry.

Here’s a link with some explanations and resources on this matter: Storing EU data on US servers no longer compliant with GDPR - Matomo

So according to that article, a site should just make sure to include something like “your data will be sent to the US servers” in addition to the usual cookie opt-in popup and that’ll be enough.

So just to add a bit more. Here’s what the European Data Protection Board says on the subject of transferring user data to non-EU servers:

Article 49 (1) (a) states that a transfer of personal data to a third country or an international organization may be made in the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, on the condition that ‘the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards’.

Note that this is an old document from 2018, but it is still valid for the current changed policy as far as I can tell (the change here is that at the time of that old doc the US had the proper “adequacy” with their Privacy Shield, now it doesn’t).

edit: also to add

In the absence of an adequacy decision, the GDPR allows a transfer if the controller or processor has provided “appropriate safeguards,” which may include:

  • Approved Codes of Conduct or Approved Certification Mechanisms
  • Binding Corporate Rules
  • Standard Contractual Clauses

Webflow uses the standard contractual clauses part to allow the transfer of data (this is where the DPA that was posted a few times by the WF team comes into play).

4 Likes

Hi everyone,

You may check here for our updated privacy policy: Webflow Data Protection Agreement Request

You may also check this post for most recent information: Privacy Shield update

That is from August 10 - it’s October now, are there any updates on this item?

  • We are considering additional technical and organizational safeguards we can offer, beyond contractual language, including an EU-hosted version of our service. We do not have an announcement to make on that front at this time. We are also in touch with our sub-processors as part of this process.

This would solve the whole thing if it could be served for EU customers on AWS Europe. Are you still exploring that as an option? How might it work, when might it be live, etc.?

3 Likes

Also very interested. There are clients en route for me that will/need to use/process some sensitive data, and I’d like to know if we can go Webflow.

2 Likes

+1 with @Shaneod, this is really the way to go.

1 Like

This statement is 2 months old now. Any updates? What about the way @Shaneod mentioned?

1 Like

Hi, for my site (Privacy Policy), I used an online privacy policy generator at https://www.privatry.com/. It’s paid (EUR 7.99) but worth it, IMO.

…hope this helps.

M

Come on @WebflowCommunityTeam - give us a clue as to what’s happening! :sweat_smile:

3 Likes

Hi, does this actually mean if I don’t use contact forms and Google Analytics or other trackers, it’s fine to use Webflow hosting? Cheers

1 Like

Hi again, so I have convinced a client (in Europe) of mine to switch to Webflow incl. hosting since we like to use the CMS features. I am quite confused now what the situation is regarding all this US/EU data privacy subject. It would be great if @WebflowCommunityTeam could provide something like a checklist (if possible) under what circumstances it’s safe to move forward with Webflow for European creators/clients.
Maybe there is one already and I missed it in which case I am sorry, but I am looking for something like…

  1. No form data upload
  2. Correct Disclaimer / Opt-out incl Webflow
  3. … and so on

This would really help, since we don’t want to get into legal trouble. Would that be possible? Thanks in advance, alx

4 Likes

It’s fine to use Webflow without contact forms yea - or ECommerce. Trackers are completely separate and you will just need a standard cookie consent form if you are tracking people.

1 Like

@WebflowCommunityTeam any updates on this - I don’t need to know anything concrete but just a general plan? If you don’t plan on having an EU hosted version of Webflow at some point it would be better for me to know sooner rather than later.

@WebflowCommunityTeam Please give us an update. Thanks.

There’s been an update on this. The CNIL and other privacy law enforcement agencies across Europe recommend encrypting the personal data. As long as any Webflow employee or data processors can’t see or collect plain non-encrypted data, Webflow should be GDPR compliant.

@WebflowCommunityTeam Is form data encrypted on your end?

1 Like

I don’t think that’s enough @ColibriMedia? A DPO (Data Protection Officer) that I am working with on a project is insisting on hosting in the EU, which rules out Webflow for this job as things stand, unfortunately.

My business partner will not use Webflow currently because she doesn’t know if the system is future-proofed for EU users in this way.

The radio silence about Webflow’s plans is really worrying at this stage. I don’t need anything concrete now - but a hint as to whether the European data center option is a possibility or not would be reassuring.

3 Likes