Akamai CDN and Data Protection – What Website Operators Need to Know
Compact guide to Akamai CDN: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
When a website operator uses Akamai as a Content Delivery Network (CDN), Akamai processes data for the purpose of storing and delivering content as well as for security and performance optimisation on the basis of legitimate interests. Akamai is one of the world's largest CDN providers and stores copies of website content on servers worldwide in order to achieve faster loading times. This guide is aimed at website operators and explains what information about Akamai as a CDN legally belongs in their own privacy policy.
A. Purpose and Function of Akamai CDN
A Content Delivery Network (CDN) is a distributed network of servers that geographically position website content closer to the user in order to shorten loading times and improve availability. Akamai operates such a CDN with thousands of edge servers worldwide.
When a visitor accesses a website whose content is delivered via Akamai, the request is not routed directly to the website operator's origin server, but to a geographically nearby Akamai server. This server stores a copy of the requested content and delivers it to the visitor. During delivery, Akamai automatically collects server log data such as IP addresses, URLs, referrer and technical metadata.
Integration is typically done via a DNS redirection (CNAME) or via a proxy service. The website operator changes the DNS setting of its domain so that requests are routed via Akamai servers, or uses Akamai as a proxy in front of its origin server.
B. Mandatory Disclosures in the Privacy Policy regarding Akamai CDN
Pursuant to Art. 13(1)(c) GDPR, a website operator must disclose the purposes of processing. Art. 13(1)(d) requires the legal bases, Art. 13(1)(e) the recipients or categories of recipients. Art. 13(1)(f) requires that third-country transfers (e.g. to the USA) be disclosed and justified.
Note: CDN processing is not tool-specific. A topic-oriented approach is better here: under "Hosting and Infrastructure" or "Website Provision", it should be explained that the website is hosted on distributed servers in order to improve performance and security. A recipient appendix to the privacy policy that lists all hosting and infrastructure partners creates clarity.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Akamai CDN
Legal name (Germany/EU): Akamai Technologies GmbH (for European customers)
Address (Germany): Parkring 20-22, 85748 Garching bei München, Germany
Legal name (worldwide): Akamai Technologies Inc.
Country of registered office: USA (Massachusetts)
Country of registered office of EU subsidiary: Germany
Role: Processor or joint controller, depending on the configuration
DPF status: Akamai Technologies Inc. (USA) is Data Privacy Framework (DPF) certified. This means that Akamai has committed to processing data of EU citizens in accordance with the DPF principles. Further information at https://www.akamai.com/legal/data-privacy-framework-policy-statement
Privacy policy: https://www.akamai.com/legal/privacy-statement
Data Processing Addendum (DPA): Akamai provides a DPA that website operators must conclude. The DPA regulates the processing of personal data as a processor, sub-processors, third-country transfers and security measures.
D. Data Processing by Akamai CDN – Sequence
Collection
With every request to the website, Akamai automatically collects server log data: visitor's IP address, date/time, requested URL, HTTP method, HTTP status code, referrer, browser user agent, device type, operating system and other technical metadata.
Storage
Akamai stores this log data on its edge servers and in central systems. The retention period varies; typically it is between a few days and several months. The exact time frame should be clarified in the DPA.
Use
Akamai uses the data for (a) security purposes (DDoS protection, attack detection), (b) performance optimisation, (c) error analysis, (d) capacity planning and (e) reporting to the website operator.
Disclosure
Akamai may pass the data on to sub-processors (e.g. for analysis or security services). A list of sub-processors can be found in the DPA. Data may also be processed within the Akamai group.
Erasure
After the retention period has expired, Akamai deletes the data or anonymises it. A website operator can request specific data erasure, but must clarify this contractually.
E. Data Collected when Using Akamai CDN
Akamai automatically collects standard web server data when delivering content.
This data can be classified into the following standardised data categories:
- Web server log data: IP address, date/time/time zone, URL, HTTP method, HTTP status code, referrer, size of transmitted data, browser/OS/device, technical metadata
- Click paths: Pages visited, sequence of requested resources, dwell time per page (if included in the page load time header)
- Device data: Device type, operating system, screen resolution (partly derived from user agent)
- Browser information: Browser name, browser version, installed plugins
- Coarse location data: IP-based location at country/region level
- Technical telemetry data: Error messages, loading times, data volume, request rates, HTTP headers
This information is based on provider information and publicly accessible sources (Akamai documents its data collection in technical documentation and the DPA).
F. Purposes of Use when Using Akamai CDN
Akamai is generally used for the following purposes:
- Provision of functionality: Delivery of website content with optimised loading times, availability and global scalability
- Security and abuse protection: DDoS protection, attack detection/prevention, bot defence, spam filtering, fraud prevention
- General product improvement: Optimisation based on usage patterns, error detection and correction
- Compliance: Securing and proving security measures
G. Legal Bases for Akamai CDN
Akamai CDN is an infrastructure and security tool. The following legal bases are relevant for the data processing:
- Legitimate interests (Art. 6(1)(f) GDPR): The use of a CDN to ensure website availability, security (DDoS protection) and performance generally constitutes a legitimate interest of the website operator. A balancing of interests is required, but typically shows that the operator's interests prevail.
- Necessity for the performance of a contract (Art. 6(1)(b) GDPR): If website functionality depends on Akamai (e.g. SSL termination, caching), Art. 6(1)(b) can also be invoked.
Note: A case-by-case review is necessary. CDN use generally does not require explicit consent, but is justified through legitimate interests.
H. Special Features and Notes on Akamai CDN
- DPF certification: Akamai Inc. (USA) is DPF-certified, which simplifies the admissibility of third-country transfers to the USA. The website operator should refer to the DPF certification.
- Standard Contractual Clauses (SCCs): In addition to the DPF, Akamai relies on SCCs for third-country transfers. The DPA should document this.
- Sub-processors: Akamai works with sub-processors. A current list should be provided in the DPA or by Akamai.
- Log data retention: The retention period of log data should be clarified contractually to ensure compliance.
- Data security: Akamai implements extensive security measures (ISO 27001, penetration tests, etc.) and documents these in security reports.
- Opt-out options: Visitors have hardly any technical possibilities to bypass CDN use, except through general browser settings (tracking prevention, etc.).
I. FAQ on Akamai CDN
J. Conclusion and Recommendations on Akamai CDN
Akamai CDN is an indispensable infrastructure service for modern websites. From a data protection perspective, it is less critical than tracking or marketing tools, as no profile building or repurposing takes place. The data processing is typically justified through legitimate interests; explicit consent is not required.
The DPF certification of Akamai Inc. (USA) simplifies the justification of third-country transfers and reduces the data protection risk. Nevertheless, a complete Data Processing Addendum (DPA) between the website operator and Akamai should be in place.
A topic-oriented approach in the privacy policy that lists all CDN and hosting partners under "Hosting and Infrastructure" creates transparency. A recipient appendix to the privacy policy further increases clarity.
This article is for general information purposes on Akamai CDN and does not replace legal advice in individual cases. The information is based on provider information and publicly accessible sources (status: 2026-04-22). Website operators should coordinate their privacy policy and their contracts with Akamai with a data protection officer or lawyer.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com