Cloudflare worker and GDPR compliance

Hi there,

I am using Cloudflare worker to post a simple html form. Now that workers run around the world, I do not think I have any control over it. The GDPR restricts the transfer of data outside of the EU. While the worker only receives the request and posts it to an api, it is still processing the info.

How can I make sure using workers does not put me at risk with EU GDPR compliance? Can I select from which reactor I want to run the worker?

Or if anyone has another recommendation or solution to this.

Thanks


Not sure if my question is in the appropriate category. If you are a moderator and feel it needs to be in a different category, do not hesitate to move it to the appropriate category. Thanks.

Hi @Cloudflare

Why are GDPR questions ignored? This is a serious issue. I just realised it puts businesses at risk of GDPR violations and fines while using Cloudflare Workers.

Anything here to help clear up how GDPR compliant one can be while using Workers?

thanks

You wouldn’t want to rely on legal advice from a public community - you should contact your own lawyer(s) and review https://www.cloudflare.com/trust-hub/ with them.

Specifically for GDPR, there is https://www.cloudflare.com/trust-hub/gdpr/ which contains resources like https://www.cloudflare.com/static/162b424995e0940c10b4e2156e289980/How_Cloudflare_helps_address_data_protection_and_locality_obligations_in_Europe_-_June_2022.pdf

Compliance with regulations is not a black & white matter and entirely depends on yourself, your business, what data you are processing and how you’re doing it - that isn’t something that the community can answer. You should review the available resources with a business associate or your own legal team who can make an informed decision.

It’s often members of the technical support team, engineering teams or billing teams who frequent the community - not the legal team who can give you the right information. It’d be irresponsible for people who are associated with Cloudflare to give you advice if they’re not qualified to do so.


hi @KianNH

I recently found out, as told by the IT team and verified by the DPO. My question in the community is: does Cloudflare run Workers from anywhere in the world, or can it be GDPR compliant and run the Worker from within the EU without transferring outside of the EU?

Otherwise Workers are a ticket for fines to anyone using a Worker to process any personal data (name, email, IP etc.). Almost all forms have name and email fields, so basically you have to choose between GDPR and Cloudflare Workers.

Cloudflare Data Localization Suite

Can you confirm if this is available for Workers? It seems like on Workers I have no control, and Worker GDPR compliance is not mentioned in the documentation. Cloudflare Workers are not GDPR compliant by default. So, via this post I would like to notify others to take note before risking GDPR compliance.

thanks

Workers are not unique in this. Even if your origin server is in one country, user’s traffic will first hit the nearest colo to them which won’t necessarily be within the EU.

GDPR doesn’t make any blanket restrictions on data being strictly within the EU and that’s been common knowledge since GDPR came into action, I hope your IT team or DPO hasn’t told you that.

Cloudflare complies with the ‘standard contractual clauses approved by the European Commission’ which is referenced here: What rules apply if my organisation transfers data outside the EU? | European Commission

Our Self-Serve Subscription Agreement incorporates our standard DPA by reference. And to the extent the personal data we process on behalf of a self-serve customer is governed by the GDPR, then our DPA incorporates the EU standard contractual clauses for this data. Therefore, no action is required to ensure that the standard contractual clauses are in place. Our DPA also incorporates the additional safeguards described above.

This is all referenced, as mentioned before, on Cloudflare’s website - https://www.cloudflare.com/gdpr/introduction/

This has been discussed on the community before, EU Hosting to be GDPR compatible - #5 by michael

Interpreting GDPR as ‘all data must be processed within the EU’ is woefully inaccurate.


Hi @KianNH

So, to sum up your response, the Cloudflare Data Localization Suite is not available for Workers. Can you please confirm this?

Thanks

That is not what is being said.

Cloudflare state that their data processing is compatible with GDPR.

If you want or need additional controls over the location of data processing, then the Data Localisation Suite offers several options. This includes Workers. These are Enterprise-only features, and attract a 30% uplift in the fees you pay.


Hi @michael

Do you know for sure if, for example, a visitor from France who will hit the nearest point in France for website loading, when submitting an html form which is using a Cloudflare worker at the backend, uses the same point in France?

If a user visits from the United States, I don’t care where his or her data is processed. However, if the user is from the European Union, I must notify the user in policy that the submitted form data will be processed outside of the EU. If a worker runs in the same location as the visitor, then it is compliant for me and requires no disclaimer that we transfer data outside of the EU. Other than workers, I have nothing else that processes data outside the EU from a website hosted on Cloudflare pages.

Thanks

Why? Why would it be suddenly okay to handle data in the US, if a European visitors hits a US datacenter?


Hi @sandro

I don't think a CDN will serve a European user's website from the USA, as it is supposed to serve from the nearest location. So there is no point in discussing whether an EU visitor hits a US datacenter. The question is for EU visitors, who will obviously hit an EU point and not the USA.

If, however, Cloudflare does serve EU clients from the USA, then it is pointless to use their CDN in the EU. But I don't think this is the case.

thanks

You never have a guarantee that you won’t be routed via the US and European (just like Asian) users were already routed via the US. So my question still stands :wink:
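Since routing is not guaranteed, the practical step is to observe where each request actually executed. The following is an added example (not code from the thread or from Cloudflare): a Worker handler that reads the runtime-populated `request.cf.colo` (IATA code of the executing data centre) and `request.cf.country` (visitor's country), flags the case where an EU visitor's data was processed outside the EU, and echoes the result in response headers. The EU country list and the colo-to-country map are constructed, partial lookup tables for illustration, not authoritative data.

```javascript
// Constructed, partial list of EU member states (ISO 3166-1 alpha-2).
// A real deployment would maintain the full, current list.
const EU_COUNTRIES = new Set([
  "AT", "BE", "BG", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "SE",
]);

// Constructed, partial map of Cloudflare colo IATA codes to the country the
// data centre sits in. Note LHR (London) is not in the EU, although it often
// serves EU visitors; that is exactly the case worth catching.
const COLO_COUNTRY = {
  CDG: "FR", AMS: "NL", FRA: "DE", LHR: "GB", IAD: "US", SIN: "SG",
};

// Classify one request from its `cf` object. Returns plain data so the
// result can be logged, asserted on, or turned into headers.
function classifyRequest(cf) {
  const colo = cf && cf.colo ? cf.colo : "UNKNOWN";
  const coloCountry = COLO_COUNTRY[colo] || "UNKNOWN";
  const visitorCountry = cf && cf.country ? cf.country : "UNKNOWN";
  const visitorInEU = EU_COUNTRIES.has(visitorCountry);
  const coloInEU = EU_COUNTRIES.has(coloCountry);
  return {
    colo,
    coloCountry,
    visitorCountry,
    visitorInEU,
    coloInEU,
    // True when an EU visitor's request was processed at a non-EU colo
    // (or at a colo this map does not know, which is treated as non-EU).
    euDataLeftEU: visitorInEU && !coloInEU,
  };
}

// Worker entry point (service-worker syntax). The guard keeps this block
// runnable outside the Workers runtime, where addEventListener is absent.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    const info = classifyRequest(event.request.cf);
    console.log(JSON.stringify(info)); // visible via `wrangler tail`
    event.respondWith(new Response("ok", {
      headers: {
        "x-worker-colo": info.colo,
        "x-worker-colo-country": info.coloCountry,
        "x-eu-data-left-eu": String(info.euDataLeftEU),
      },
    }));
  });
}
```

Submitting the form from EU vantage points and checking the `x-worker-colo` header over time shows whether the "nearest colo" assumption holds for your traffic.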

OK, that's new info to me, which means that when using a Cloudflare Worker, EU client data will be transferred outside the EU. One has no control over it unless you are willing to spend 200+ for a static site.

I strongly suggest you seek better briefings on the GDPR. If you’re based in the EU, all of your processing of personal data, including that of persons and entities outside of the EU, is subject to the requirements of the GDPR. It is by no means sufficient for compliance to split the world into categories of “follow GDPR” and “not follow GDPR”. In particular, if your solution for compliance is “process all data inside the EU”, that really means all, and not just that of EU citizens.