GDPR and Cloudflare

What do I need to consider for GDPR compliance of my website while using Cloudflare?

This one may help

This website doesn’t process any data and doesn’t store any user information; it only has cookies. Do I still need to fill in the DPA?

I’d suggest consulting legal counsel or a GDPR adviser. I would suggest yes, as Cloudflare sets a cookie using your domain.

I’m based in the EU and am finalising my GDPR compliant ‘privacy notice’ before tomorrow’s deadline. There is a purpose in deadlines! I have agreed the Cloudflare DPA agreement referred to by Mark Meyer, but need to make mention of Cloudflare because obviously my site visitors will be giving Cloudflare their IP address and other data concerning their device and browser when connecting to my site.

The point of a privacy notice is that it is written in plain accessible language that gives concise clear information of what personal data you are collecting, what lawful basis you have for collecting such data, and what you do with the data. It is not meant to be written in legalese. Also you should provide the site visitor with a notice of his rights regarding the data collected about her/him. And a means of contacting the person responsible.

Merely logging IP addresses, times of access, and user agents constitutes personal data under the GDPR. Obviously any server is likely to be doing so by default. However collecting such logs serves my “legitimate interests”, which is a lawful purpose, so long as the only thing I do with the data is monitor the server activity to ensure it is working as intended and that the traffic doesn’t pose a security risk. If I was selling or giving the data to a third party then it would be hard to argue that I had a “legitimate interest” in processing the data in that way without the explicit consent of all the website’s visitors.

Now, I run my own VPS and know that no one else can access the server, and I don’t do anything improper with the data. However I need to account for Cloudflare’s access to my site visitors’ data. I could refer them to “Cloudflare’s EU-U.S. Privacy Shield Framework Statement” - Cloudflare's Privacy Policy , which seems to cover some of the territory, but it’s really some more basic information I need to supply. So I’ve listed a few questions. Any answers would help me complete my notice.

  1. Does Cloudflare maintain logs of IP addresses and other data of visitors passing through Cloudflare’s servers to my origin server?
  2. For what purpose does Cloudflare collect this data? (I mean I obviously know to protect against malicious traffic and to effect running a CDN. But any other purpose?)
  3. And how does it process this data? (Does it use automated decision making that could affect a living person in any other way than making the particular internet connection they intended when their data was captured?)
  4. For how long does Cloudflare keep this data?
  5. Does Cloudflare keep this data securely?
  6. Does Cloudflare pass this data to any third parties?

This should answer your questions (effective from 25th May):

Just a few quotes. You should read this completely. You should also have received an e-mail a few weeks ago about an update on the PP and GDPR.

End Users:

Cloudflare provides web optimization and security services that our Customers use to improve and protect their websites, including a reverse proxy, pass-through security service, and a content distribution network. Because Cloudflare is a reverse proxy, our IP addresses may appear in WHOIS and DNS records for websites using our Services. We are a conduit for information controlled by others. It is our Customers and their users who are responsible for the content transmitted across our network (e.g., images, written content, graphics, etc.).
We collect End Users’ information when they use our Customers’ websites, web applications, and APIs. This information may include but is not limited to IP addresses, system configuration information, and other information about traffic to and from Customers’ websites (collectively, “Log Data”). We collect and use Log Data to operate, maintain, and improve our Services in performance of our obligations under our Customer agreements. For example, Log Data can help us to detect new threats, identify malicious third parties, and provide more robust security protection for our Customers.
Cloudflare only processes personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized. As a general matter, for all categories of data we collect except Resolver User data, we may use the information we collect (including personal information, to the extent applicable) to:

provide, operate, maintain, improve, and promote the Website and Services;
enable you to access and use the Website and Services;
process and complete transactions, and send you related information, including purchase confirmations and invoices;
send transactional messages, including responses to your comments, questions, and requests; provide customer service and support; and send you technical notices, updates, security alerts, and support and administrative messages;
send commercial communications, in accordance with your communication preferences, such as providing you with information about products and services, features, surveys, newsletters, offers, promotions, contests, and events about us and our partners; and send other news or information about us and our partners. See Section 8 below for information on managing your communication preferences.
process and deliver contest or sweepstakes entries and rewards;
monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes;
comply with legal obligations as well as to investigate and prevent fraudulent transactions, unauthorized access to the Services, and other illegal activities;
personalize the Websites and Services, including by providing features or content that match your interests and preferences; and
process for other purposes for which we obtain your consent.
Resolver Users. We use information we collect from Resolver Users to operate and improve the Cloudflare Resolver, such as to assist us in our debugging efforts if an issue arises. We will not combine the information collected from DNS queries with any other Cloudflare or third party data in any way that can be used to identify individual end users.

Information from Third Party Services. We may combine information we collect as described above with personal information we obtain from third parties. For example, we may combine information entered on a Cloudflare sales submission form with information we receive from a third-party sales intelligence platform vendor to enhance our ability to market our Services to Customers or potential Customers.

And another one:

Regarding deadlines: We (not Cloudflare) have trained our employees about a year ago.

Oh: if you are not running a business: private persons and their pages are not affected by GDPR afaik.

Thanks Mark for your reply. Excuse my lateness in replying. I had actually seen the information you quoted, though my concern was fairly obviously to do with my obligations to my visitors as they might be affected through my use of Cloudflare, rather than Cloudflare’s obligations to me. I did find something mildly helpful in Cloudflare’s privacy policy here: Cloudflare's Privacy Policy, from which I cobbled together something that will serve for now. What I really wanted to do is write something concise, simple, to the point and specific, whereas often such statements are general, wordy and unspecific.
Just so you know my comments about deadlines were not aimed at anyone but myself. Faced with an issue that is difficult I invariably leave it until the deadline is upon me before responding. Thank you for your help. Bill