We use cookies to improve your experience on our website. By clicking “Accept all’, you agree to the use of all cookies. Privacy policy
December 28, 2023

Unlocking GDPR Compliance in Webflow: The Impact of the Trans-Atlantic Data Privacy Framework (TADPF)

Legal
by Corbinian Buchberger
Corbinian Buchberger

At Creative Mules, we recognized the potential of Webflow compared to other CMS systems like Typo3 or WordPress early on. For the past five years, it has been our primary solution for all in-house development, and we have also achieved Webflow Expert partner status.

However, because their servers are located in the United States, concerns about adhering to the General Data Protection Regulation (GDPR) frequently emerged. Navigating the complexities of data protection while harnessing Webflow's creative capabilities has proven to be challenging. This often involves avoiding native forms and establishing detailed data processing agreements. But the landscape has evolved with the introduction of the "Trans-Atlantic Data Privacy Framework" (TADPF). This framework is not a distant promise; it is already in effect and is set to transform how we perceive Webflow's alignment with GDPR requirements.

In this article, together with Dr. Christian Teupen, Lawyer and member of the Society for Data Protection and Data Security (GDD) in Bonn, we will delve into TADPF and examine how it is bringing a heightened level of seriousness to Webflow's role in GDPR compliance, ensuring that data protection standards are met without compromising on design excellence.

The Arrival of the TADPF

The TADPF represents an adequacy decision in accordance with Article 45 (1) of the GDPR. Consequently, the United States is once again categorized as a "safe third country" within the framework of data protection law. This means that, for data transfers to entities located in the U.S., no additional authorization mechanisms are necessary. However, it's important to note that the TADPF differs from other adequacy decisions in that its scope is somewhat limited. Similar to the predecessor system of the Privacy Shield, the benefits of the TADPF are extended solely to data recipients who have voluntarily undergone a self-certification process. This process entails a commitment to adhere to a comprehensive set of data protection requirements.

Webflow and TADPF

U.S. companies are now eligible to pursue certification under the TADPF. Upon obtaining certification, these companies can avail themselves of the advantages conferred by the EU Commission's adequacy decision.

Furthermore, there is now a database akin to the no-longer-existent Privacy Shield. This database enables users to search for U.S. companies that have successfully obtained TADPF certification, simplifying the process of confirming compliance with data protection requirements. Excitingly, Webflow is already included in this roster.

What This Means in Concrete Terms for Webflow

The impact of the Trans-Atlantic Data Privacy Framework (TADPF) on Webflow users is substantial and practical. Here's how it directly affects your Webflow experience:

  1. Native Forms are Back in Play: With the TADPF in place, Webflow now garners recognition as a safe data controller. This is fantastic news for Webflow users because it means that you can once again utilize Webflow's native forms without fretting over GDPR compliance. The hurdle that once deterred many from using these convenient forms has been cleared.
  2. GDPR Best Practices Still Apply: While the TADPF simplifies some aspects of GDPR compliance within Webflow, it doesn't exempt you from adhering to the broader GDPR best practices. For instance, it remains crucial to inform your website visitors through an opt-in cookie banner. This ensures that they have the choice to consent or decline the use of marketing and tracking cookies, a fundamental aspect of GDPR.
  3. Secure the legal basis:
    a) If you provide website hosting services through Webflow for your customers, it is essential to enter into both a data processing agreement with Webflow and a processing agreement with your customer.
    b) If you're the one responsible for developing your client's website, but they choose to host it on Webflow using their own account, it's crucial for your client to engage in a Data Processing Agreement with Webflow (same link as above)
  4. Transparency in Privacy Policy: Your website's privacy policy should transparently inform visitors about the usage of Webflow. This includes explaining how and why Webflow is utilized on your site, reinforcing your commitment to data protection and compliance with GDPR regulations. Here is a draft, offered by Dr. Christian Teupen in both German and English, illustrating how this could be structured.

By aligning your Webflow practices with the above principles, you can guarantee compliance with GDPR regulations and foster user trust. 

Webflow has now moved out of the gray area and can now be considered a dependable choice in terms of GDPR compliance. The information provided here reflects the current state, but for specific inquiries or in-depth consultations in this ever-evolving field of data protection, we recommend reaching out directly to Dr. Christian Teupen.

FAQ

No items found.