Short version:
My hosting provider’s Privacy Policy says nothing about them storing my visitors’ IPs and data in some server log. Should I care about that for GDPR compliance?
Long version:
I contacted iFastNet to ask about a Data Processing Agreement (for GDPR compliance). They handwaved towards their Privacy Policy, which only talks about how they deal with MY data when using THEIR services. For example, me using their dashboard. But as far as I can tell, it says nothing about whether they store any of other people’s data who use my iFastNet-hosted website. E.g., is there a server log somewhere storing visitors’ IPs - apart from the log I have access to?
So I asked iFastNet again, this time specifically about their GDPR compliance, which got me this knee-slapper:
We are based law o the UK and no longer need to live to EU laws regarding GDPR, we use the English data protection set of laws.
So I thought I’d check here, where answers are typically so much better than iFastNet’s useless support. And I see that InfinityFree’s Privacy Policy also doesn’t seem to mention anything apart from MY usage of THEIR services.
I’m guessing that InfinityFree can’t give stronger guarantees than iFastNet, and iFastNet is looking much-less-than-reliable. And so to ensure GDPR compliance I need to dump iFastNet.
You can say in your policy that “our Service Provider (Assuming you define the term) may collect identifiable information from you at their own discretion, including but not limited to your internet protocol (IP) address, identifiable browser characteristics, and other related information. For more information that our Service Provider may collect, store, and use, please visit their privacy policy located at . Please note that by using the Service, you agree to the supplemental terms provided by our Service Provider at the aforementioned link. You additionally waive the Service of any responsibility, legal or otherwise, regarding the collection of your data by our Service Provider.”
Or something along those lines.
I am NOT a legal expert, and the information above does not constitute legal advice. Seek the opinion of a qualified legal agent before using anything outlined above, or use it at your own risk. I assume no responsibility.
Thank you. AFAIU, I’m still responsible for making sure that my providers follow the GDPR.
If one could just waive stuff like that, everyone would do it and there would be no need for the Data Processing Agreement.
Unless the Processor is outside of GDPR restrictions, does not service users within GDPR jurisdiction, and does not pass any PII through GDPR jurisdiction.
I am still not a legal expert, however much I want to be one, and the information above still does not constitute legal advice. Seek the opinion of a qualified legal agent before using anything outlined above, or use it at your own risk. I assume no responsibility.
Exactly. A lot of the data processing done is done by iFastNet, and as you are aware, they don’t have a DPO. And since they don’t have a DPO, we can’t give you a DPO, because we can’t tell you how your data is being used if we don’t know it ourselves.
I’m not a lawyer, but I agree it would be better for both our own as well as our users’ GDPR compliance if we had stronger guarantees. From talking with iFastNet, I do get the sense that they design their platform with privacy in mind and so their execution of their data handling is GDPR compliant. However, their transparency leaves something to be desired.
This one is simple: we don’t store access logs for websites on free hosting. The data is immediately aggregated into the total hits counter of your account, which doesn’t contain any PII.
Admin, IIUC, you should have a DPA with iFastNet, right? Are you just assuming that that sense you get about their data handling is enough instead of an actual DPA?
Have you had any legal challenge to test if that’s enough?
From what I understood, no. What I interpreted is that the Admin does not have a DPA because iFastNet doesn’t have one either, and therefore cannot create an accurate DPA that would represent the policies (or lack thereof) that are (or are not) in place and should (or should not) be upheld.
I cannot speak for the Admin, but from my 2+ years on this forum, we’ve had a few users complain about GDPR but it mostly ends in a “we’re so sorry but if you don’t like it find somewhere else” and then the user is not seen again in the forum. This doesn’t count for the emails sent to the Compliance email address. None of us forum members (besides the Admin) have access to it.
And I would put the whole legal disclaimer here but I really don’t want to type that on my phone or copy/paste it.
I don’t think that’s how it works. The DPA is a contract to ensure that a data processor does what it should do. One doesn’t just “create” it unilaterally.
I guess things work until they don’t. If one day there’s a hack or data leak and someone comes looking for legal answers, things will get interesting.
No, of course gut feeling isn’t a substitute for a legal agreement. We should have a DPO and iFastNet should have a DPO. But they don’t, so we don’t.
I could have chosen not to do business with iFastNet unless they provided a DPO. So could all of their other customers. I decided to proceed anyway. I too would have liked things to be different, but they aren’t.
But that was my decision. You’re free to make your own decision and choose how important a DPO is for you.
I think a DPO is important too, but I don’t value it as highly as you do.
A DPO is just a document that describes what iFastNet should do with the data we provide them. It doesn’t prove that it’s actually what they do, and doesn’t guarantee that they do it well. That’s why audits and certifications exist, and I’m not aware of iFastNet having done either of those things.
If a hack were to ever happen, it happens somewhere, and through a fault of someone. I trust the legal system that it will place blame with those actually responsible. Not blame the victim because they don’t have the right paperwork.
And AFAIK, most data leaks never make it to law suits, outside of the most severe and prolific ones.
For commodity services, DPOs are usually established by the service provider, and the client just has the choice to either accept it or find a different party. That’s legally debatable in its own right, but a hosting provider having a million different agreements for a million different websites is just not doable.
Reading you, it sounds like having a DPA is optional. I didn’t get that meaning anywhere else.
As for whether it’s doable to have it with a million different websites, for example Cloudflare has a default DPA in their self-serve subscription agreement. Akismet has a DPA such that you can download, sign and return. Both for free users.
Notably, hosting provider Nexcess’ ToS include this pearl:
Customer may not utilize any Services with Customer Data that is subject to GDPR protection until such time as the Parties have executed a DPA.
So for them it’s not only possible, but mandatory.
Note, I hate the oh-so-American idea of signing contracts just to cover my ass, and this seems to me to be the case with the DPA. However, it’s not like I’m going to improve the situation (mine or anyone else’s) by ignoring the current status in my blog. So…
The letter of the law is quite clear that any time data processing takes place, there should be a data processing agreement. The reality is that it’s very often not the case, and that enforcement is basically non-existent.
Exactly: default DPA. Which means Cloudflare establishes these terms unilaterally. Not bespoke for every individual account. That’s what I just said.
The key difference here is that these providers all target enterprise customers too. Sure, they have plans for smaller customers too, but if you have big customers who demand strong legal protections, and you’ve already documented your processes to customers, it’s not such a stretch to also offer this information to smaller customers.
For companies that target individuals and small businesses, it’s much more rare to find them. From a quick look through the sites of a few well known hosting providers, I see that Siteground doesn’t appear to have a DPA either, and for HostGator I’m unable to even find much of a privacy policy at all. Go Daddy on the other hand does have one.
There are also plenty of sites and apps that just use some generic website privacy policy template that goes to great lengths about cookies, analytics and access logs, but doesn’t say a word about all the (sometimes sensitive) data being submitted through their platform.
A DPA shouldn’t just be CYA paperwork. The idea of a DPA is that the original entity which collects the data (which on your website is you) is responsible for all processing that takes place on it. You need to tell your visitors how their data is being used. Which means you also need to know how your sub-processors are using the data you give them, because you’re responsible for the (mis)use of that data.
Regardless, we don’t have a DPA, and we can’t have one until iFastNet has one, because of how much processing they are doing. What that means for our relation, that’s up to you. If you want a DPA, then you need to choose a provider that has one. If you want to host your website with us, you need to accept that we don’t have a DPA.
The only thing you can’t do is demand that we provide you with legal guarantees that we simply cannot give you. That’s just not how the world works.
Thank you for your insights. I don’t agree with how you describe some things, but I guess none of us is a lawyer, so . To be clear, I wouldn’t demand anything from a free service. iFastNet is not free, though.
enforcement is basically non-existent.
I found this enforcement tracker site interesting: https://enforcementtracker.com/
Maybe that’s a drop in the ocean; maybe not. I do see “private individuals” being fined, though, even though the couple of cases I browsed were egregious. Still, I see comments on a pattern of adversarial enforcement: someone is unhappy with a site, attacks it through the GDPR. Risky for a blog that might mention, or even criticize, third parties.
For completeness, Hostgator’s DPA is indeed linked to in their ToS. Same for SiteGround’s.