Webflow & GDPR | Hosting in EU + Privacy Statement needed

@StuM thanks for the link to Vlad's response about how visitor traffic is handled in the Webflow hosting. The link doesn’t work anymore though (https://forum.webflow.com/t/how-webflow-handles-visitor-traffic-and-form-submissions-for-published-websites/59713)

I’m urgently researching information on that subject, since my company might get into legal problems because of the webflow hosting and I need to know how webflow treats data from visitors.

Is there a new source of information or why was the post deactivated for the general user?

I’d suggest contacting Webflow support for this one. I remember they have a full process for this, and to be fully GDPR compliant I think there are agreements required between them and you, including the privacy statements. I don’t remember all the details, and for what I’ve done I’ve not needed it, so I never revisited it. When it first came out though, it was confusing and convoluted. I’m guessing they have streamlined the process.

jeremy

1 Like

I’ve gone to https://webflow.typeform.com/to/nM8vLH.
This is for a data processing agreement (DPA) which is one of the more important things you need to have for the GDPR.

Furthermore, I’ve linked to https://webflow.com/legal/privacy which also has some insights into the privacy and data handling.

Still, there is a possible issue about the location of the servers that hold the ‘user data’.
As far as I know, it’s not 100% clear where the servers are, or more specifically on which server your data is. Generally I’ve settled on, and communicated to my clients, that it’s still US regulations even if the servers ‘might’ be in the EU, for example. An extra link to the DPA I signed with Webflow did suffice for now.

Hope you can find some more info on the supplied links.

Also mentionable and in line with the GDPR:

  • disable view of form submissions and user data for the site designer
  • option to move site to separate account for a client only
  • option for enabling IP anonymization for Google Analytics
  • option for 2FA
  • option for removal of database entries and personal data

3 Likes

Thanks a lot for both of your fast replies and help @jbleroux & @icexuick.

I’ll have to take care of signing the DPA with webflow for my own company still.
Doing research at the moment too for a webshop we are about to build with Webflow, and I have to make sure that our client doesn’t get into legal trouble by running a Webflow Ecommerce website. Especially since customers are going to leave very critical information about themselves when purchasing a product.

So it looks like I have to put some extra energy into modifying our privacy statement so that the shop won’t get targeted. Thanks for the tips @icexuick, that will help quite a bit.

1 Like

All my customers are US Only. Do I need a GDPR statement in case an EU person or entity lands on my site?

@rjbiccum yup, every website that can be accessed by an EU resident has to comply. The people who made the law clearly don’t quite get how the internet works :joy:

2 Likes

Add a popup with a button to continue to the site with: “I hereby confess that I’m a US citizen and not from any other country” :stuck_out_tongue_closed_eyes:

Does anybody have any new insights on the GDPR or relevant/big cases/sued companies?
Here in The Netherlands it’s almost off the (news) radar, and in my local vicinity there have not been any ‘problems’ for businesses.

Usually, SSL/GDPR and a privacy statement are things that make a company look more professional, and the fact that https:// sites get an ‘improved’ rating/value in search engines is often enough to do the job.

But still a lot of companies underestimate the (full) idea of it: they think that adding SSL, making visitor tracking anonymous and removing some form fields with personal data is it.

Just visited the dentist and the whole waiting room could hear the girl at the desk (on the phone) talking loudly with a patient and she was repeating all kinds of personal data. That’s essentially also GDPR.

Well… the aim of the GDPR is well intended. The actual (real) impact and practicality are still something else.

1 Like

Hello All,

I still do get some questions about the data location and ownership.

For the EU businesses that want to be GDPR compliant, they need 100% guarantee that the data is stored in the EU and that they are 100% owner of this data.

So for a couple of years we (kinda) know there are Webflow data servers in the EU, but they possibly also exist in the US as well. That should/might not be a problem, but as far as I know, there isn’t a 100% guarantee that the US could not confiscate data (under rules in f.e. the US Privacy Shield).

Can someone tell me more about this? Is there a way to get this done, perhaps written in a new DPA between Webflow and the Webflow User/Designer? Or perhaps this could even be done on a per project/website basis? (select which websites need this).

Even though GDPR’s main aim is to take careful actions with data and processing, and you need to be able to prove that you’re working carefully with (user) data, not per se that every inch/corner of (f.e.) your website is 100% ‘watertight’, still some clients in the EU want this.

Hopefully someone can help me out with these final steps in getting/making Webflow the, possibly best, solution to have both awesome and GDPR compliant websites in the EU.

2 Likes

Important read on this is: https://matomo.org/blog/2020/07/storing-data-on-us-cloud-servers-dont-comply-with-gdpr/?pk_campaign=homepage-banner&pk_source=homepage

I interpret this as: having data (also) in the US will not fully comply with the GDPR. The privacy laws in the US are still not as they should be, and so data privacy in the US is still not good enough.

How can EU users of Webflow make use of this awesome platform and also comply with the GDPR data privacy rules?

2 Likes

There was an update on this in the form of a ruling of the European Court of Justice, and it does not look good for the current setup, as far as I can tell.

To comply with the GDPR, things with the Privacy Shield are (by far) not good enough.
There needs to be a specific/custom contract (SCC) between Webflow and the EU (or EER) user/owner of the data. This contract needs to be based on the standard contractual clauses of the European Commission. More info on what needs to be changed/done is still in the works.

But in general, the US law is (according to the European Court of Justice) irreconcilable with the minimal requirements of data protection of the EU » Meaning that the transfer of (personal) data to the US is in fact illegal.

PS. This will also apply for the Brexit: if there isn’t a deal before the end of 2020, the UK will also be considered a ‘not compliant’ country for data protection.

I’ll try to post the full details and document describing this ruling. It states pretty heavy problems/consequences for (global) data transfer to countries outside of the EER.

“The Court ruled that Decision 2016/1250 concerning the adequacy of the Protection provided by the EU-VS-Privacy Shield is invalid”

Link to the Ruling of the European Court of Justice (in Dutch):

5 Likes

@icexuick I wish your voice could be heard. I’m afraid we, as non-American people, are being left aside in regards to the GDPR law.

2 Likes

Well ideally the whole law/privacy/data protection should be better all around the world. It’s for a good cause to be (much) more careful with this data.

But practically speaking, I think there should at least be good/specific and watertight contracts to be signed between f.e. an EU Webflow user and Webflow.

If I understand enough of the rulings, this is most likely something that needs to be done, and this contract should apply to the (EU) GDPR, not the US Privacy Shield. I even believe the whole Privacy Shield should not be in the same sentence as the GDPR.

It’s unfortunate for the EU/EER people that they are the ones that are fined for using their preferred software or online application of choice, which happens to be located in the US.
(The US is just an example; lots more countries aren’t on the ‘safe list’ regarding the GDPR/Ruling of the Court of Justice.)

1 Like

This is a major issue. We really need an option to host on AWS Europe.

3 Likes

We really need something done about this. Many Webflow users in EU are still operating in full knowledge of this and taking the risk upon themselves.

I am keeping my Webflow subscription for now but I am steadily losing faith in them. To not even have a blog post about these changes or offer any advice for the EU users? It makes me feel like the unwanted third child.

5 Likes

Well, there is stuff being done here. You can read here: Webflow, your EU customers need a statement (Privacy Shield)

So we’re (hopefully) not the unwanted children.

My guess is that it’s just a very, very complicated matter, which involves tons of legal stuff, but also how to get this technically right.

Also, it’s all still fairly new, especially for US-based businesses, so I think investigating each/every system that (in this case) Webflow uses, in order to get the “GDPR-PROOF” label on each and every one, which could involve all kinds of technical and/or legal changes, is a major(!) undertaking. This could very well take many months, if not years, to do well.

2 Likes

That they’re looking at an EU hosted solution is great news. This is all a pain, but it would future proof things.

1 Like

The Webflow statement is 8 weeks old now. Did I miss something, or are there really no new announcements on this topic?

@WebflowCommunityTeam is there any news on this?

3 Likes

I’ve just built my first Webflow site and loved it so much that I was seriously thinking of building all new sites with it AND moving all my existing clients over to it over the next year. This major issue has stopped me in my tracks. Surely EU hosting would make all this pain go away?

Does anyone know: if the website doesn’t store any data (no web form data etc.), then does it matter where it is hosted for GDPR compliance? Thanks in advance. Let’s hope we get a solution from Webflow soon.

2 Likes

Everything is a bit vague, but even using Google Analytics is using users’ data. Some posts claimed people should stop using GA and GTM because that does not adhere to GDPR rules. I find it hard to believe, but… who knows?

1 Like