Essentially I run a website which is a microblog for anyone to use. The user who creates the content does so on one domain which requires login, stores a cookie, etc.
The reader (user) of the blog content does so on a separate domain which does not:
- Attempt to set cookies or store any data outside of the page session, such as localStorage.
- Utilise any analytics trackers from any party.
- Host advertisements, either personalised or otherwise.
The reader's entire interaction is with the website itself. It is, however, served through a CDN which keeps logs for a short period of time to prevent DDoS attacks and other abuse, which comes under recital 49 of the GDPR:
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
In my privacy policy I state to the user that no cookies, analytics trackers or PII are collected other than by my CDN provider for the above purpose.
I can't offer an opt-out to tracking as none takes place. Log files that are available to me from the CDN are kept for three days and the IP address is entirely redacted, i.e. 0.0.0.0.
Is there anything specifically that I do have to mention to the reader if I am not collecting any data other than that required to serve the website to them?
Note: The website is created and hosted within the UK but has a worldwide audience. The majority of readers are within the US.
I have done a few days of searching around on top of my existing understanding of the GDPR but can't find much information in the case of not collecting information. And this answer covers the use of CDNs specifically.