User IP address processing (GDPR)

Hi,

let’s say user A from Germany visits our site which is proxied through CloudFlare CDN. He connects to CloudFlare Edge Servers in Germany.
Is his IP being processed in other countries as well or does it stay inside the EU?

Thanks in advance.

From theDPA

In connection with the Service, the parties anticipate that Cloudflare may process outside of the European Economic Area (“EEA”) and the United Kingdom, certain Personal Data in respect of which the Customer or any member of the Customer Group may be a data controller or data processor, as applicable, under applicable EU and UK Data Protection Laws.

The community is probably not the best place to get legal advice. You can find relevant contact details for Germany here.

1 Like

I’d second @michael’s statement that legal advice would be the best path forward in this case.

As for your concrete question

  1. As far as the Cloudflare presence in EU datacentres is concerned, EU regulations and local law should apply. Nonetheless you wont have a guarantee that requests will go via an EU or even a local datacentre.
  2. Address will be forwarded to the origin. Should the origin be outside of the European Union, then the requesting IP address will also leave the EU - in addition to any potential routing outside the EU.
  3. On top of that, requests are visible in the dashboard as well and that information is unlikely to be taken only from particular datacentres either but will be most likely aggregated in one central place (quite likely outside of the EU).

In short, it depends what you mean by “processed outside the EU” but we can safely assume that the addresses of requests will leave the EU.

Though, again, legal advice would be the best course of action.

This may be of interest:

1 Like

Thank you, @michael for sharing that here, appreciate it.