Essentially I run a website which is a microblog for anyone to use. The user who creates the content does so on one domain which requires login, stores a cookie etc.

The reader (user) of the blog content does so on a separate domain which does not:

  • Attempt to set cookies or store any data outside of the page session such as localstorage.
  • Utilise any analytics trackers from any party.
  • Host advertisements either in the form of personalised or otherwise.

The reader's entire interaction is with the website itself. It is however served through a CDN which keeps logs for a short period of time to prevent DDoS attacks and other abuse which comes under recital 49 of GDPR:

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

In my privacy policy I state to the user that no cookies, analytics trackers or PII is collected other than by my CDN provider for the above purpose.

I can't offer an opt-out to tracking as none takes place. Log files that are available to myself from the CDN are kept for three days and the IP address is entirely redacted i.e. 0.0.0.0. Is there anything specifically that I do have to mention to the reader if I am not collecting any data other than that required to serve the website to them?

Note: The website is created and hosted within the UK but has a worldwide audience. The majority of readers are within the US.

I have done a few days of searching around on top of my existing understanding of GDPR but can't find much information in the case of not collecting information. And this answer covers the use of CDNs specifically.

Sounds like you're pretty much set.

Serving a website inherently involves processing of personal data. You have minimized this processing to what you consider the minimum, taking into account your obligation to ensure the security of processing. Your security measures are likely to be covered by an overriding legitimate interest (taking into account Recital 49). Offering an opt-out is likely not appropriate since it would defeat the purpose of these security measures. That is, the data subjects still have a right to contact you and object to the legitimate interest per Art 21, but the objection can most likely be denied.

All your website visitors are protected by the UK GDPR because you, the data controller, are in the UK (GDPR applies to all your processing activities per Art 3(1)).

From the scenario you describe, two GDPR compliance obligations have to be pointed out.

  • You are still required to provide a privacy notice per Art 13 GDPR. However, since your processing activities are fairly limited, that notice will be comparatively short. Read the ICO's guide on the right to be informed for further details and a checklist. I strongly recommend using that checklist and/or just reading Art 13 and Art 15 GDPR instead of relying on some privacy policy generator.

  • You are serving the website via a CDN. Presumably, this CDN acts as a data processor on your behalf. You would then need to make sure that an appropriate contract is in place that binds them as your data processor, in line with Art 28 GDPR. Again, the ICO has guidance on such contracts.

To the degree that the use of the CDN involves data exports into other countries, you would also need to assess whether this is a “restricted transfer”, possibly requiring further protections. The ICO has a page about international transfers, though you can skip the Brexit-specific parts. Note in particular that the United States is not covered by an “adequacy decision” and that the old Privacy Shield is invalid. If you are making a restricted transfer that is not covered by an existing adequacy decision, you will have to make a transfer risk assessment. The ICO does not publish guidelines for such an assessment, but an EU GDPR transfer impact assessment template is available from the IAPP. If the assessment shows that the risks of the transfer are sufficiently small, the transfer can be made on the basis of standard contractual clauses (SCCs). In 2022, the UK published a new International Data Transfer Addendum (IDTA) to augment/replace the old EU SCCs, though the EU SCCs remain valid for a transition period.

  • Thanks for the answer. I have Art 13 and 28 covered. I'll have a look into the IDTA as I was unaware of it! Commented May 9, 2022 at 13:00