Webflow & GDPR | Hosting in EU + Privacy Statement needed

Hello All,

I still do get some questions about the data location and ownership.

For the EU businesses that want to be GDPR compliant, they need 100% guarantee that the data is stored in the EU and that they are 100% owner of this data.

So since a couple of years we (kinda) know there are Webflow dataservers in the EU, but they possibly also exist in the US as well. That should/might not be a problem, but as far as I know, there isn’t this 100% guarantee that the US could confiscate data (under rules in f.e. the US Privacy Shield).

Can someone tell me more about this? Is there a way to get this done, perhaps written in a new DPA between Webflow and the Webflow User/Designer? Or perhaps this could even be done on a per project/website basis? (select which websites need this).

Even though GDPR’s main aim is to take careful actions with data and processing and you need to be able to prove that you’re working carefully with (user)data, not per se that every inch/corner of (f.e.) your website is 100% ‘watertight’ - still some clients in the EU want this.

Hopefully someone can help me out with these final steps in getting/making Webflow the, possibly best, solution to have both awesome and GDPR compliant websites in the EU.

2 Likes

Important read on this is: https://matomo.org/blog/2020/07/storing-data-on-us-cloud-servers-dont-comply-with-gdpr/?pk_campaign=homepage-banner&pk_source=homepage

I interpret this as: Having data (also) in the US will not fully comply with the GDPR. The privacy laws in the US are still not as they should be, and so data privacy in the US still is not good enough.

How can EU users of Webflow make use of this awesome platform and also comply with the GDPR data privacy rules?

2 Likes

There was an update on this in the form of a ruling of the European Court of Justice and it does not look good for the current setup, as far as I can tell.

To comply with the GDPR, things with the Privacy Shield are (by far) not good enough.
There needs to be a specific/custom contract (SCC) between Webflow and the EU (or EER) user/owner of the data. This contract needs to be based on standard contractual clauses of the European Commission. More info on what needs to change/be done is still in the works.

But in general, the US law is (according to the European Court of Justice) irreconcilable with the minimal requirements of data protection of the EU » Meaning that the transfer of (personal)data to the US is in fact illegal.

PS. This will also apply for the Brexit - If there isn’t a deal before the end of 2020, the UK will also be considered as a ‘not compliant’ country for data protection.

I’ll try to post the full details and document describing this ruling. It states pretty heavy problems/consequences for (global) data transfer to countries outside of the EER.

“The Court ruled that Decision 2016/1250 concerning the adequacy of the Protection provided by the EU-VS-Privacy Shield is invalid”

Link to the Ruling of the European Court of Justice (in Dutch):

5 Likes

@icexuick I wish your voice could be heard. I’m afraid we, as non-american people, are being left aside in regards to the GDPR law.

2 Likes

Well ideally the whole law/privacy/data protection should be better all around the world. It’s for a good cause to be (much) more careful with this data.

But practically speaking, I think there should at least be good/specific and watertight contracts to be signed between f.e. an EU Webflow user and Webflow.

If I understand enough of the rulings, this is most likely something that needs to be done, and this contract should apply to the (EU) GDPR, not the US Privacy Shield. I even believe the whole Privacy Shield should not be in the same sentence as the GDPR.

It’s unfortunate for the EU/EER people that they are the ones that are fined for using their preferred software or online application of choice which happens to be located in the US.
(The US is just an example, lots more countries aren’t on the ‘safe-list’ regarding the GDPR/Ruling of the Court of Justice.)

1 Like

This is a major issue - we really need an option to host on AWS Europe.

3 Likes

We really need something done about this. Many Webflow users in EU are still operating in full knowledge of this and taking the risk upon themselves.

I am keeping my Webflow subscription for now but I am steadily losing faith in them. To not even have a blog post about these changes or offer any advice for the EU users? It makes me feel like the unwanted third child.

5 Likes

Well there is stuff being done here - you can read here: Webflow, your EU customers need a statement (Privacy Shield)

So we’re (hopefully) not the unwanted child(s).

My guess is that it’s just a very, very complicated matter, which involves tons of legal stuff, but also how to get this technically right.

Also it’s all still fairly new, especially for US-based businesses, so I think investigating each/every system that (in this case) Webflow uses, and in order to get the “GDPR-PROOF” Label on each and everyone which could involve all kinds of technical and/or legal changes, is a major(!) undertaking. This could very well take many months, if not, years to do well.

2 Likes

That they’re looking at an EU hosted solution is great news. This is all a pain but would future proof things.

1 Like

The Webflow Statement is 8 weeks old now. Did I miss something or are there really no new Announcements on this topic?

@WebflowCommunityTeam is there any news on this ?

3 Likes

I’ve just built my first Webflow site and loved it so much was seriously thinking of building all new sites with it AND moving all my existing clients over to it over the next year. This major issue has stopped me in my tracks. Surely EU hosting would make all this pain go away?

Does anyone know - if the website doesn’t store any data (no web form data etc) then does it matter where it is hosted for GDPR compliance? Thanks in advance. Let’s hope we get a solution from Webflow soon.

2 Likes

Everything is a bit vague, but even using Google Analytics is using users data. Some posts claimed people should stop using GA and GTM because that does not adhere to GDPR rules. I find it hard to believe but… who knows?

1 Like

You can stop Google cookies until someone opts in using some of the more advanced cookie pop-up software, so that’s covered so long as you say it in your cookie/privacy policy. But Webflow commerce is sending more detailed data, also the forms etc.

You can anonymize Google Analytics tracking. This should be enough for the GDPR.
Though there are also custom settings you should check/set in your GA account, and disable all sharing of data with Google (f.e. to improve the GA user experience). I don’t have a link ready, but perhaps searching for “make analytics GDPR proof” will give you the right tutorials on what you have to disable in GA.

There are however alternatives to track your analytics and website usage. f.e. https://matomo.org/

What I meant is GA is sending users data to the US servers, you have no control over that, and this is already prohibited by GDPR, unless explicit consent is given.

Correct - but you can ask for consent using a cookie bar so that’s okay, it’s whether you can have user details in forms and/or Webflow commerce that’s the question. All very confusing. If Webflow is GDPR compliant it might be okay?

Thanks for that. CookieBot has a Google Consent Mode which allows the Cookie Consent box to load before any of the Google Cookies.
Though @dram I do have clients who want anything that sends data to the US removed. (They process sensitive data.) The Data Protection Commission in Ireland is very active! They’re beginning to issue fines today for any cookie consent notices that are not up to par.

Check this topic as well

2 Likes

Since this is a couple of months old, I’d like to ask if there are any updates on this?

5 Likes