Processing of EU user PII after EU-US Privacy Shield invalidation

Thank you for reaching out about the Court of Justice of the European Union’s (“CJEU’s”) recent decision invalidating the EU-US Privacy Shield paradigm in the “Schrems II” case (Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems). First, we want to assure you that this decision does not change the strong data privacy protections Cloudflare has in place for the personal data that we process on your behalf.

Following the Schrems II decision, Standard Contractual Clauses (SCCs) remain unaffected and a valid transfer mechanism under GDPR. Consequently, Cloudflare will continue to utilize the SCCs mechanism, which are included in our standard Data Processing Addendum (DPA) to transfer personal data outside the EEA and adequate countries. So, if you haven’t already, we recommend you accept the current Cloudflare DPA that we have made available in the customer Dashboard. When you are in your Dashboard, please go to the Configurations tab, and then Preferences. Please review and accept the DPA there. You can find more information about our DPA here.

Respect for privacy and protection of personal data are at the core of our business, and we take our obligations under GDPR very seriously. We are continuing to monitor ongoing developments in this space and will ensure our ongoing compliance with the EU GDPR Articles 44 and 46. During this time, we will continue to follow our commitments under existing DPAs and our commitments under the SCCs.