
What influence does the new data protection agreement between the EU and the USA have on the use of Webflow in Germany?

Author: Max Frings
Published: 22.11.2023

Following the abolition of the Privacy Shield (agreement between the EU and the USA that allowed data transfer to the USA for certified companies) in 2020 as part of the ECJ ruling “Schrems II”, the use of Webflow was somewhat problematic.

However, there is now a new adequacy decision between the EU and the USA concerning data transfer, namely the so-called EU/US Data Privacy Framework, which came into force on 10.07.2023. Webflow is already certified as an active participant, so a corresponding data transfer to Webflow is permitted.

But what does that mean exactly? Can all Webflow applications now be used without restrictions? What exactly should you still pay attention to? We answer these questions in the following article.

1. Third-party providers of Webflow must also be considered

The fact that Webflow is certified according to the EU/US Data Privacy Framework is very good news. However, you must also consider whether the US third-party providers used by Webflow (Fastly, Amazon CloudFront and Cloudflare) are certified accordingly. This is because if even one of these providers is not certified (as of September 2023, all three companies are certified), it would be illegal to transfer data despite the adequacy decision.

2. Detailed description in the privacy policy

This also leads us to the next point, namely the detailed description of the facts in the privacy policy. This requirement remains in place, even though the EU/US Data Privacy Framework is now finally here and Webflow and the US third-party providers used by Webflow are certified. Within the privacy policy, the user must be informed about all relevant data protection processes. This means that the user must also be informed about the use of third-party providers by Webflow and their certification according to the EU/US Data Privacy Framework.

3. Alternative forms are no longer necessary

Since data transfer to Webflow is permitted, it is also no longer necessary to install alternative form providers. You can therefore use the Webflow forms, but you must ensure that a corresponding data processing agreement has been concluded with Webflow (see next point).

4. You should also pay attention to this

  • In any case, complete the Data Processing Addendum with Webflow. You can do this via the website https://webflow.com/legal/dpa.
  • Despite the now permitted data transfer, always observe the principles of data minimization and data economy, which are central principles of data processing under the GDPR. This means that no unnecessary data should be collected. For example, you should still host Google Fonts locally.
  • If you use other US applications on your Webflow website (such as Google Maps, Google Analytics, etc.), it is always necessary to check whether the company concerned is certified under the EU/US Data Privacy Framework and whether, despite certification, use is only possible with the appropriate consent of the user (e.g. as in the case of Google Analytics).