I am using Cloudflare worker to post a simple html form. Now that workers run around the world, I do not think I have any control over it. The GDPR restricts the transfer of data outside of the EU. While the worker only receives the request and posts it to an api, it is still processing the info.
How can I make sure using workers does not put me at risk with EU GDPR compliance? Can I select from which reactor I want to run the worker?
Or if anyone has another recommendation or solution to this.
Thanks
I'm not sure if my question is in the appropriate category; if you are a moderator and feel it needs to be in a different category, do not hesitate to move it to the appropriate category. Thanks.
You wouldn't want to rely on legal advice from a public community - you should contact your own lawyer(s) and review https://www.cloudflare.com/trust-hub/ with them.
Compliance with regulations is not a black & white matter and entirely depends on yourself, your business, what data you are processing and how you're doing it - that isn't something that the community can answer. You should review the available resources with a business associate or your own legal team who can make an informed decision.
It's often members of the technical support team, engineering teams or billing teams who frequent the community - not the legal team who can give you the right information. It'd be irresponsible for people who are associated with Cloudflare to give you advice if they're not qualified to do so.
I recently found out, as told by the IT team and verified by the DPO. My question in the community is: does Cloudflare run workers from anywhere in the world, or can it be GDPR compliant and run the worker from within the EU without transferring data outside of the EU?
Otherwise workers are a ticket to fines for anyone using a worker to process any personal data (name, email, IP etc.). Almost all forms have name and email fields, so basically you have to choose between GDPR and Cloudflare workers.
Cloudflare Data Localization Suite
Can you confirm if this is available for workers? It seems that on workers I have no control, and worker GDPR compliance is not mentioned in the documentation. Cloudflare workers are not GDPR compliant by default. So, via this post I would like to notify others to take note before risking GDPR compliance.
Workers are not unique in this. Even if your origin server is in one country, the user's traffic will first hit the nearest colo to them, which won't necessarily be within the EU.
GDPR doesn't make any blanket restrictions on data being strictly within the EU, and that's been common knowledge since GDPR came into action. I hope your IT team or DPO hasn't told you that.
Our Self-Serve Subscription Agreement incorporates our standard DPA by reference. And to the extent the personal data we process on behalf of a self-serve customer is governed by the GDPR, then our DPA incorporates the EU standard contractual clauses for this data. Therefore, no action is required to ensure that the standard contractual clauses are in place. Our DPA also incorporates the additional safeguards described above.
Cloudflare state that their data processing is compatible with GDPR.
If you want or need additional controls over the location of data processing, then the Data Localisation Suite offers several options. This includes Workers. These are Enterprise-only features, and attract a 30% uplift in the fees you pay.
Do you know for sure if, for example, a visitor from France who will hit the nearest point in France for website loading, when submitting an html form which is using a Cloudflare worker at the backend, uses the same point in France?
If a user visits from the United States, I don't care where his or her data is processed. However, if the user is from the European Union, I must notify the user in policy that the submitted form data will be processed outside of the EU. If a worker runs in the same location as the visitor, then it is compliant for me and requires no disclaimer that we transfer data outside of the EU. Other than workers, I have nothing else that processes data outside the EU from a website hosted on Cloudflare pages.
I don't think a CDN will serve a European user a website from the USA, as it is supposed to serve from the nearest location. So there is no point in discussing whether an EU visitor hits a US datacenter. The question is for EU visitors, who will obviously hit an EU point and not the USA.
If, however, Cloudflare does serve EU clients from the USA, then it is pointless to use their CDN in the EU. But I don't think this is the case.
You never have a guarantee that you won't be routed via the US, and European (just like Asian) users were already routed via the US. So my question still stands.
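As an added example, not code from this thread or from Cloudflare: a Worker fetch handler that records, for every form submission, the `request.cf.colo` it actually executed in and the visitor's `request.cf.country`, and can refuse to forward an EU visitor's submission when the executing colo is not in a hand-maintained list of EU colos. It relies on the documented `request.cf.colo` and `request.cf.country` properties; the colo-to-country table and the `LOCALITY_POLICY` and `FORM_API_URL` binding names are assumptions. The Worker cannot choose where it runs; it can only observe where it ran and react.

```javascript
// Added example, not code from the thread or from Cloudflare. A Worker fetch
// handler that records where it executed and where the visitor came from
// before forwarding a form to an API. It assumes the documented
// request.cf.colo (IATA code of the executing data centre) and
// request.cf.country (visitor country derived from IP) properties; the
// COLO_COUNTRY table below is a hand-written, partial lookup for illustration.

// The 27 EU member states (ISO 3166-1 alpha-2).
const EU_MEMBER_STATES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
]);

// Constructed, partial mapping of Cloudflare colo codes to the country they
// sit in. Cloudflare does not expose the colo's country directly, so this has
// to be maintained by hand; unknown colos are treated as outside the EU.
const COLO_COUNTRY = {
  CDG: "FR", MRS: "FR", AMS: "NL", FRA: "DE", MAD: "ES", MXP: "IT",
  LHR: "GB", IAD: "US", EWR: "US", SIN: "SG",
};

// Pure function so it can be unit-tested without a Workers runtime.
function describeExecution(request) {
  const cf = request.cf || {};
  const colo = cf.colo || "unknown";
  const coloCountry = COLO_COUNTRY[colo] || "unknown";
  const visitorCountry = cf.country || "unknown";
  return {
    colo,
    coloCountry,
    visitorCountry,
    visitorInEU: EU_MEMBER_STATES.has(visitorCountry),
    // "unknown" never matches, so an unmapped colo fails closed.
    executedInEU: EU_MEMBER_STATES.has(coloCountry),
  };
}

// Policy "log": always forward, only record where the code ran.
// Policy "eu-visitors-eu-only": refuse to forward a submission from an EU
// visitor when this invocation is not running in a known EU colo.
function shouldForward(where, policy) {
  if (policy === "eu-visitors-eu-only") {
    return !(where.visitorInEU && !where.executedInEU);
  }
  return true;
}

async function handleFormSubmission(request, env) {
  if (request.method !== "POST") {
    return new Response("method not allowed", { status: 405 });
  }
  const where = describeExecution(request);
  // Lands in `wrangler tail` / Workers Logs so you can see, per submission,
  // which colo actually executed the code for which visitor country.
  console.log(JSON.stringify({ event: "form_submission", ...where }));

  if (!shouldForward(where, env.LOCALITY_POLICY)) {
    return new Response("submission not accepted from this location", { status: 503 });
  }
  // Forward the form body unchanged to the API (FORM_API_URL is an assumed binding name).
  return fetch(env.FORM_API_URL, {
    method: "POST",
    headers: {
      "content-type": request.headers.get("content-type") || "application/x-www-form-urlencoded",
    },
    body: await request.text(),
  });
}

// Wiring for a real Workers project (module syntax):
//   export default { fetch: handleFormSubmission };
```

Deploy with `LOCALITY_POLICY` set to `log` first and read the emitted lines with `wrangler tail`: that directly shows, for your own traffic, whether EU visitors' submissions were executed in EU colos. The `eu-visitors-eu-only` mode trades availability for locality, and because unmapped colos fail closed, an EU visitor served from a colo missing from the table is refused rather than forwarded.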
OK, that's new info to me, which means that using a Cloudflare worker, EU client data will be transferred outside the EU. One has no control over it unless you're willing to spend 200+ for a static site.
I strongly suggest you seek better briefings on the GDPR. If you're based in the EU, all of your processing of personal data, including that of persons and entities outside of the EU, is subject to the requirements of the GDPR. It is by no means sufficient for compliance to split the world into categories of "follow GDPR" and "not follow GDPR". In particular, if your solution for compliance is "process all data inside the EU", that really means all, and not just that of EU citizens.