ITMediaLaw - Rechtsanwalt Marian Härtel


Can Cloudflare be used permissibly?

7. November 2022
in Data protection Law
Key Facts
  • The Schrems II decision against US SaaS providers is crucial for data protection in Germany.
  • Cloudflare could violate the GDPR if users' personal data is affected.
  • Cologne Higher Regional Court found that Cloudflare is liable for copyright infringements when using temporary DDoS.
  • Data encryption is a key point that Cloudflare mentions in its privacy policy.
  • Zendesk offers extensive encryption standards such as HTTPS/TLS for secure working.
  • It is currently not possible to select the storage location of the data with Cloudflare.
  • The use of Cloudflare should be carefully checked by data protection officers.

Whether US SaaS providers can be used permissibly, or whether products such as Jira, Zendesk, various CRM systems and others comply with data protection law, has actually been clear since the ECJ's Schrems II decision (see here).

As things stand, you can find out how to offer a SaaS system as a US provider in Germany in a longer article here.

By the way, this issue affects many popular WordPress plugins and services like Cloudflare. In the case of Cloudflare this is especially true, since the OLG Cologne has just ruled that the provider would be liable for copyright infringement (see this post). The reason is that Cloudflare, at least if you use more than just the services to possibly prevent DDoS attacks, stores the content itself on its servers in order to provide caching and CDN services. What is not very problematic for a normal website that ONLY provides content, such as a blog or similar (apart from the copyright infringements relevant in the OLG Cologne case), is no longer so unproblematic for dynamic content and personal user data. This would affect, for example, forums, communities, and sites that you can log into. Although a CDN does not log user data as such, it does log the personal data that is entered when using the portal, at least if the provider does not configure CDN usage properly and exclude dynamic user content.
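One way to check the configuration point above, as an added example that is not part of the original article: the script audits response headers for pages that a shared cache such as a CDN may store even though they are per-user. The paths, header values and the `authenticated` flag are constructed assumptions; `Cache-Control`, `Set-Cookie` and Cloudflare's `CF-Cache-Status` are the real header names.

```python
# Added example; all paths and header values are constructed samples.

def parse_cache_control(value):
    """Split a Cache-Control header into a set of lowercase directive names."""
    names = set()
    for part in (value or "").split(","):
        name = part.partition("=")[0].strip().lower()
        if name:
            names.add(name)
    return names

def audit_response(headers, authenticated):
    """Return findings for one response.

    authenticated: the request carried a session cookie or Authorization
    header, so the body is assumed to contain per-user (personal) data.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    storable = not ({"private", "no-store"} & cc)  # a shared cache may keep it
    findings = []
    if authenticated and storable:
        findings.append("per-user response lacks private/no-store")
    if "set-cookie" in h and storable:
        findings.append("Set-Cookie on a response a shared cache may store")
    # CF-Cache-Status: HIT means Cloudflare answered from its own cache.
    if authenticated and h.get("cf-cache-status", "").upper() == "HIT":
        findings.append("per-user response was served from the CDN cache")
    return findings

SAMPLES = [  # (path, authenticated, response headers)
    ("/static/app.css", False,
     {"Cache-Control": "public, max-age=86400", "CF-Cache-Status": "HIT"}),
    ("/forum/profile", True,
     {"Cache-Control": "private, no-store", "CF-Cache-Status": "DYNAMIC"}),
    ("/account/settings", True,
     {"Cache-Control": "public, max-age=600", "CF-Cache-Status": "HIT"}),
    ("/login", False,
     {"Cache-Control": "max-age=60", "Set-Cookie": "sid=constructed; HttpOnly"}),
]

def audit_site(samples=SAMPLES):
    """Map each path with at least one finding to its list of findings."""
    report = {}
    for path, authenticated, headers in samples:
        findings = audit_response(headers, authenticated)
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit_site().items():
        print(path, "->", "; ".join(findings))
```

In practice the header dictionaries would come from responses captured while logged in to the site under review.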

Wherever Cloudflare's caching or CDN services are used, the storage on whichever Cloudflare servers are involved does not serve only the transmission of the requested information. Because the Privacy Shield requirements are missing, this probably means that GDPR-compliant use of Cloudflare is not possible, at least where, as explained above, users' personal data is affected. This is because a data processing agreement is out of the question. And as pointed out in my article on offering SaaS services, on a strict view binding corporate rules or standard contractual clauses are probably not possible either.

It might be possible to fully encrypt all data, as Amazon is apparently currently doing with AWS in the European data centers, but I couldn’t find anything about this at Cloudflare at the moment. The link to the privacy policy there does not work. A closer look reveals an English-language privacy statement that explains that the Privacy Shield is no longer used, but is very vague about the alternatives.

Thus, the only reference to encryption is the following:

10. DATA SECURITY, DATA INTEGRITY AND ACCESS

We take all reasonable steps to protect information we receive from you from loss, misuse or unauthorized access, disclosure, alteration and/or destruction. We have put in place appropriate physical, technical and administrative measures to safeguard and secure your information, and we make use of privacy-enhancing technologies such as encryption. If you have any questions about the security of your personal information, you can contact us at privacyquestions@cloudflare.com.

It is doubtful whether this would be sufficient for an official data protection officer who scrutinizes particularly strictly. Judging from reviews carried out for clients, providers such as Zendesk are already much further ahead in this respect and specify, for example:

Data-in-Transit encryption

All communications with Zendesk’s user interfaces and APIs are encrypted using industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Zendesk is secure. For email, we use opportunistic TLS by default. Transport Layer Security (TLS) is a protocol for secure encryption and delivery of email that prevents eavesdropping between mail servers as long as peer services support this protocol. Exceptions to encryption include, but are not limited to, use of product-integrated SMS features and third-party applications, integrations, or services that Subscribers use at their discretion.

Data-at-Rest Encryption

Service data is encrypted on AWS using data-at-rest encryption (AES-256).

There is also the problem that, as far as I know at the moment, Cloudflare, unlike AWS etc., does not allow you to choose where the data is stored. While a website operator would have to provide this information, he will probably not receive an answer from Cloudflare.

Conclusion: The use of Cloudflare should be well thought through by your own data protection officer.


Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.
