I’ve gone to Webflow Data Protection Agreement Request.
This is for a data processing agreement (DPA) which is one of the more important things you need to have for the GDPR.
Still there is a possible issue about the location of the servers that hold the ‘user-data’.
As far as i know, it’s not 100% clear where the servers are, or more specific on which server your data is. Generally i’ve settled and communicated to my clients it’s still US regulations even if the servers ‘might’ be in the EU for example. With an extra link to the DPA i signed with Webflow did suffice for now.
Hope you can find some more info on the supplied links.
Also mention-able and in line with the GDPR:
disable view of form submissions and user data for the site designer
option to move site to separate account for a client only
option for enabling IP anonymization for Google Analytics
option for 2FA
option for removal of database entries and personal data
Thanks a lot for both of your fast replies and help @jbleroux & @icexuick.
I’ll have to take care of signing the DPA with webflow for my own company still.
Doing research at the moment too though for a webshop we are about to build with Webflow and I have to make sure, that our client doesn’t get into legal trouble by running a Webflow Ecommerce website. Especially since customers are going to leave very critical information about themselves when purchasing a product.
So looks like I have to go and put some extra energy into modifying our privacy statement, that the shop won’t get targeted. Thanks for the tips @icexuick that will help quite a bit.
@rjbiccum yup, every website that can be accessed by an EU resident has to comply. The people who made the law clearly don’t quite get how the internet works
Add a popup with a button to continue to the site with: “I hereby confess that i’m an US citizen and not from any other country”
Anybody any new insights on the GDPR or relevant/big cases/sued companies?
Here in The Netherlands it’s almost off the (news)radar and in my local vicinity there have not been any ‘problems’ for business.
Usually SSL/GDPR and privacy statement are things that make a company look more professional and also that https:// sites get ‘improved’ rating/value in search-engines is often enough to do the works.
But still a lot of companies underestimate the (full) idea of it: They think that adding SSL and making visitor tracking anonymous and removing some form fields with personal data is it.
Just visited the dentist and the whole waiting room could hear the girl at the desk (on the phone) talking loudly with a patient and she was repeating all kinds of personal data. That’s essentially also GDPR.
Well… the aim of the GDPR is well intended. The actual (real) impact and practicality are still something else.
I still do get some questions about the data location and ownership.
For the EU businesses that want to be GDPR compliant, they need 100% guarantee that the data is stored in the EU and that they are 100% owner of this data.
So since a couple of years we (kinda) know there are Webflow dataservers in the EU, but they possibly also exist in the US as well. That should/might not be a problem, but as far as i know, there isn’t this 100% guarantee that the US could confiscate data (under rules in f.e. the US Privacy Shield).
Can someone tell me more about this? Is there a way to get this done, perhaps written in a new DPA between Webflow and the Webflow User/Designer? Or perhaps this could even be done on a per project/website basis? (select which websites need this).
Even though GDPR’s main aim is to take careful actions with data and processing and you need to be able to prove that you’re working carefully with (user)data, not per se that every inch/corner of (f.e.) your website is 100% ‘watertight’ - still some clients in the EU want this.
Hopefully someone can help me out with these final steps in getting/making Webflow the, possibly best, solution to have both awesome and GDPR compliant websites in the EU.
I interpret this as: Having data (also) in the US will not fully comply to the GDPR. The privacy laws in the US are still not as they should be, and so data privacy in the US still is not good enough.
How can EU users of Webflow make use of this awesome platform and also comply to the GDPR data privacy rules?
There was an update on this in the form of a ruling of the European Court of Justice and it does not look good for current setup, as far as i can tell.
To comply to the GDPR, things with the Privacy Shield are (by far) not good enough.
There needs to be a specific/custom contract (SCC) between Webflow and the EU (or EER) user/owner of the data. This contract needs to be based on standard contractual clauses of the European Commission. More info on what needs to changed/be done is still in the works.
But in general, the US law is (according to the European Court of Justice) irreconcilable with the minimal requirements of data protection of the EU » Meaning that the transfer of (personal)data to the US is in fact illegal.
PS. This will also apply for the Brexit - If there isn’t a deal before the end of 2020, the UK will also be considered as a ‘not compliant’ country for data protection.
I’ll try to post the full details and document describing this ruling. It states pretty heavy problems/consequences for (global) data transfer to countries outside of the EER.
“The Court ruled that Decision 2016/1250 concerning the adequacy of the Protection provided by the EU-VS-Privacy Shield is invalid”
Link to the Ruling of the European Court of Justice (in Dutch):
Well ideally the whole law/privacy/data protection should be better all around the world. It’s for a good cause to be (much) more careful with this data.
But practically speaking, i think there should at least be good/specific and watertight contracts to be signed between f.e. a EU Webflow user and Webflow.
If i understand enough of the rulings, this is most likely something that needs to be done, and this contract should apply to the (EU) GDPR, not the US Privacy Shield. I even believe the whole Privacy Shield should not be in the same sentence as the GDPR.
It’s unfortunate for the EU/EER people that, they are ones that are fined for using their preferred software or online application of choice which happens to be located in the US
(The US is just an example, lots more countries aren’t on the ‘safe-list’ regarding the GDPR/Ruling of the Court of Justice.)
We really need something done about this. Many Webflow users in EU are still operating in full knowledge of this and taking the risk upon themselves.
I am keeping my Webflow subscription for now but I am steadily losing faith in them. To not even have a blog post about these changes or offer any advice for the EU users? It makes me feel like the unwanted third child.
My guess is that it’s just very very complicated matter, which involves tons of legal stuff, but also how to get this technically right.
Also it’s all still fairly new, especially for US-based businesses, so i think investigating each/every system that (in this case) Webflow uses, and in order to get the “GDPR-PROOF” Label on each and everyone which could involve all kinds of technical and/or legal changes, is a major(!) undertaking. This could very well take many months, if not, years to do well.
I’ve just built my first Webflow site and loved it so much was seriously thinking of building all new sites with it AND moving all my existing clients over to it over the next year. This major issue has stopped me in my tracks. Surely EU hosting would make all this pain go away?
Does anyone know - if the website doesn’t store any data (no web form data etc) then does it matter where it is hosted for GDPR compliance? Thanks in advance. Let’s hope we get a solution from Webflow soon.
Everyting is a bit vague, but even using google analytics is using users data. Some posts claimed people should stop using GA and GTM because that does not adhere to gdpr rules. I find it hard to believe but… who knows?
You can stop Google cookies until someone opts in using some of the more advanced cookie pop-up software, so that’s covered so long as you say it in your cookie/privacy policy. but Webflow commerce is sending more detailed data, also the forms etc.
You can anonymize Google Analytics tracking. This should be enough for the GDPR.
Though there are also custom settings you should check/set in your GA account, and disable all sharing of data with Google (f.e. to improve the GA user experience). I don’t have a link ready, but perhaps searching for “make analytics GDPR proof” will give you the right tutorials on what you have to disable in GA.
There are however alternatives to track your analytics and website usage. f.e. https://matomo.org/
