GDPR Knowledge

New Relic and Data Protection – What Belongs in the Privacy Policy

Compact guide to New Relic: APM monitoring, observability, processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

New Relic and Data Protection – What Website Operators Need to Know

If a website operator uses New Relic for Application Performance Monitoring (APM) and observability, it processes technical telemetry data (errors, load times, data volumes, database queries) for the purpose of system monitoring, error analysis and product improvement on the basis of legitimate interests. New Relic Inc. (USA), certified under the Data Privacy Framework (DPF), acts as a processor and transfers data to the USA with corresponding transfer mechanisms.

This guide is aimed at website operators who use New Relic for website and application monitoring and therefore need a GDPR-compliant privacy policy.

A. Purpose and Function of New Relic

New Relic is an observability platform for Application Performance Monitoring (APM), with a focus on:

  • Application Performance Monitoring (APM): Real-time monitoring of website or app performance (response times, error rates, database queries)
  • Browser Monitoring: Capture of client-side performance metrics (page load time, rendering, JavaScript errors)
  • Real User Monitoring (RUM): Tracking of real user behaviour and their performance experience
  • Log Management: Collection and analysis of server logs
  • Infrastructure Monitoring: Monitoring of servers, containers, network
  • Alerting & Incidents: Automatic notifications in case of problems

Integration function on the website:

  1. JavaScript Agent (Browser Monitoring): A small JavaScript snippet is implemented on every page
  2. Agent Libraries: For backend monitoring, agents are installed in the website's programming language (Node.js, Python, Java, Ruby, PHP, etc.)
  3. API & Webhooks: The website application sends performance data directly to New Relic
  4. Real-time dashboard: The developer/DevOps engineer sees real-time metrics and errors in the New Relic console

Typical data flow:

  • User visits the website (JavaScript Agent is loaded)
  • Agent captures performance data (page load time, JavaScript errors, network latencies)
  • Agent sends data to New Relic servers in the USA (anonymised, without personal data)
  • Developer sees dashboard in New Relic with all metrics
  • In the event of an error: alert is sent, developer can analyse the problem

B. Mandatory Disclosures in the Privacy Policy on New Relic

The GDPR requires: purposes (Art. 13(1)(c)), legal bases (Art. 13(1)(a)), categories of recipients (Art. 13(1)(e)), third-country transfers (Art. 13(1)(f)) and retention period (Art. 13(2)(a)).

Perspective on New Relic integration: Many website operators write nothing at all about New Relic in their privacy policy or write "New Relic monitors the website" – this is too vague. Instead, the following should be transparent:

  • What is New Relic (APM tool for website operators)?
  • Which technical data is collected (load times, errors, network performance)?
  • For what purpose (website optimisation, error analysis)?
  • On the basis of which legal basis (legitimate interests)?
  • Where is the data processed (USA with DPF)?
  • Is personal data processed (normally no – New Relic is anonymised)?

Particularly important: New Relic collects no personal data by default – only technical telemetry. Therefore, the compliance requirement is lower than for tools such as Braze or Zendesk.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of New Relic: New Relic Inc.

Legal name: New Relic, Inc.

Country of seat: USA

Privacy Policy: https://newrelic.com/termsandconditions/privacy

DPA link: https://newrelic.com/termsandconditions/dataprotection

DPF status: Yes, DPF-certified. New Relic Inc. is certified under the EU-U.S. Data Privacy Framework (DPF), the Swiss-U.S. DPF and the UK Extension to the DPF (https://newrelic.com/blog/observability/eu-us-dpf-international-transfers). The DPF ensures an adequate level of data protection for transfers from the EU to the USA.

You can verify the certification at: https://www.dataprivacyframework.gov/s/participant-search

Data Processing Agreement (DPA): New Relic offers a Data Protection Addendum (DPA). This is available at https://newrelic.com/termsandconditions/dataprotection. The DPA regulates:

  • New Relic's role as processor (Art. 28 GDPR)
  • Security standards (encryption, access control)
  • Data Privacy Framework and Standard Contractual Clauses (SCC) as transfer mechanisms
  • Sub-processor management
  • Support for data subject rights

The DPA must be signed in order to use New Relic in a GDPR-compliant manner.

D. Data Processing by New Relic – Workflow

Collection

New Relic collects technical telemetry data, typically without personal data:

  • Browser Agent data: Page load time, rendering time, JavaScript errors, network latencies, resource downloads
  • Backend Agent data: Database query duration, API response times, CPU/memory usage, exception traces
  • IP address: For geolocation (but anonymised/aggregated)
  • User agent: Browser type, operating system, device type (aggregated, not assigned to individual users)
  • HTTP headers: Referrer, content type (for analysis of request patterns)
  • Session data: Unique session ID (not personal), time spent on page
  • Custom events: If the website operator has defined additional events (e.g. "User clicked on Button X")
  • Error stack traces: Complete error information with code lines, function names, parameters

Storage

  • New Relic stores data on servers in the USA (or EU, if EU option chosen)
  • Retention period:
    • Standard: 30 days for all metrics (deviation possible depending on plan)
    • Extended Retention: Optionally up to 13 months (for a fee)
    • Raw data: Can be aggregated/reduced after data collection
  • After expiry of retention: automatic deletion
  • Backups: Up to 7 days for disaster recovery

Use

  • Real-time dashboard: The website operator sees live metrics on website performance
  • Error tracking: New Relic aggregates and categorises errors
  • Performance analysis: Identification of bottlenecks (e.g. slow database queries)
  • Alerting: Automatic notifications in case of anomalies
  • Trend analysis: Comparison of performance over time
  • Capacity planning: Analysis of resource usage to plan scaling
  • Internal analytics: New Relic uses anonymised data to improve its own product

Disclosure

  • Sub-processors: AWS, Azure or own New Relic infrastructure for hosting
  • Business partners: Payment service providers, support partners
  • Third countries: Transfer to New Relic Inc. (USA) for storage and processing
  • API/integrations: If the website operator integrates New Relic with other tools (Slack, PagerDuty, webhook), data may be transferred to these
  • Information requests: In the case of authority requests (with exemptions for US security authorities)

Erasure

  • After expiry of the defined retention period (default 30 days): automatic deletion
  • The website operator cannot manually delete data in the New Relic console (only aggregated via retention settings)
  • Backup data: Up to 7 days after deletion
  • Data subject rights: If personal data has been collected through custom events, data subjects can request erasure (very rarely the case with standard New Relic)

E. Data Collected when Using New Relic

When integrating New Relic, the website operator collects the following types of data – important: New Relic collects NO personal data by default:

Technical telemetry data (standard):

  • Page load times (in milliseconds)
  • JavaScript errors and stack traces
  • Network latencies
  • Database query duration
  • CPU and memory usage
  • Request rates (requests per minute)
  • Error rates
  • User agent (aggregated, not assigned to individual users)
  • IP-based geolocation (aggregated, not for individual users)
  • Session IDs (not personal)
  • HTTP status codes
  • Time spent on pages (aggregated)

Custom events (if configured by the website operator):

  • If the website operator tracks additional events (e.g. "User started checkout"), personal data may optionally be included
  • However, these must be explicitly parameterised by the website operator and transmitted to New Relic – not standard

This data can be classified into the following standardised data class types:

  • Web server log data: IP address (aggregated), HTTP status, response time, user agent
  • Technical telemetry data: Error rates, load times, CPU/memory, database query duration
  • Device data: Device type, operating system (aggregated, not for individual users)
  • Browser information: Browser name, version (aggregated)
  • Rough location data: IP-based location at country/region level (aggregated)

Important: Personal data is not included by default. If the website operator has defined custom events with names, e-mail or similar, this data is personal and must be treated accordingly.

F. Purposes of Use when Using New Relic

When using New Relic, technical data is processed for the following purposes:

Primary purposes:

  • Function provision: Provision of the monitoring dashboard and APM features
  • Security and error analysis: Identification of bugs, performance problems, security vulnerabilities
  • General product improvement: Analysis of website performance, identification of bottlenecks, optimisation recommendations
  • Alerting and notifications: Warning in case of performance degradation or errors
  • Trend analysis: Comparison of performance over time, capacity planning
  • Compliance and auditing: Documentation of website performance for SLA evidence

Secondary purposes (if activated):

  • Product improvement by New Relic: New Relic uses anonymised data to improve its own product
  • Analytics: Industry benchmarks, comparisons with other customers (anonymised)

Step 1: Categorisation of New Relic

New Relic is a processor (Art. 28 GDPR). The website operator is the controller. Since New Relic collects no personal data by default, the GDPR requirement is lower than for tools such as Braze or Zendesk.

Step 2: Applicable legal bases

  1. Legitimate interests (Art. 6(1)(f) GDPR) – primary:

    • The website operator has a strong legitimate interest in monitoring and optimising its website
    • Error analysis and performance monitoring are necessary for operational security and user-friendliness
    • The interests of the website operator clearly outweigh the interests of the user, since:
      • Data is anonymised/aggregated (no major intrusion)
      • User expects websites to be optimised
      • Troubleshooting is necessary for stable operation
  2. Contract performance (Art. 6(1)(b) GDPR) – secondary:

    • If the website operator has a customer relationship with users (sale, subscription), performance data may be necessary to improve the service
    • Not primary, since users do not receive an explicit "performance monitoring" service

Particularity – § 25 TDDDG and cookies: If the New Relic Agent also sets cookies (e.g. for session tracking), opt-in consent is required (§ 25(1) TDDDG). This is independent of the privacy policy and requires:

  • Cookie banner with selection "New Relic Monitoring" (not pre-ticked)
  • Explicit opt-in before agent loading
  • Documentation of consent

Important: Pure performance data without cookies does not require consent, only mention in the privacy policy.

H. Special Features and Notes on New Relic

1. New Relic collects no personal data by default

This is a major advantage over marketing tools:

  • The standard case: Only technical telemetry (errors, load times, etc.)
  • No names, e-mails, IP addresses of individual users (only aggregated)
  • Therefore the data protection requirement is significantly lower

But caution: If the website operator has defined custom events with personal data, these must be treated as personal data.
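The rule stated in section E and repeated here (custom events are the one place where personal data can slip into New Relic) is easiest to enforce in code rather than by policy. The following is an added example, not New Relic's code and not part of the original article: a small wrapper that screens custom event attributes before they are handed to the monitoring agent. The `sender` function is injected so the logic runs without the agent; in a live page it would wrap the browser agent's own custom-event call (for instance `newrelic.addPageAction`, an API name the article itself does not mention). The key list and the event shapes are constructed for illustration.

```javascript
// Added example: keep personal data out of custom monitoring events.
// Not New Relic's code; PERSONAL_KEYS and the sample events are constructed.

// Attribute names that almost always carry personal data (hypothetical list;
// extend it to match the operator's own data model).
const PERSONAL_KEYS = new Set([
  "email", "e_mail", "name", "firstname", "lastname", "username", "userid",
  "user_id", "phone", "address", "ip", "ip_address", "customerid", "customer_id",
]);

// Value patterns that indicate personal data even under an innocuous key.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const IPV4_RE = /^(\d{1,3}\.){3}\d{1,3}$/;

// "Client-IP", "client ip" and "client_ip" are treated alike.
function normaliseKey(key) {
  return String(key).toLowerCase().replace(/[-\s]/g, "_");
}

// True when either the attribute name or its value looks personal.
function looksPersonal(key, value) {
  if (PERSONAL_KEYS.has(normaliseKey(key))) return true;
  if (typeof value === "string" && (EMAIL_RE.test(value) || IPV4_RE.test(value))) {
    return true;
  }
  return false;
}

// Returns { attributes, dropped }: `attributes` is safe to transmit,
// `dropped` lists the keys that were withheld so the operator can fix the caller.
function scrubAttributes(attrs) {
  const attributes = {};
  const dropped = [];
  for (const [key, value] of Object.entries(attrs || {})) {
    if (looksPersonal(key, value)) {
      dropped.push(key);
      continue;
    }
    // Only primitives pass; nested objects could carry personal data unnoticed.
    if (value !== null && typeof value === "object") {
      dropped.push(key);
      continue;
    }
    attributes[key] = value;
  }
  return { attributes, dropped };
}

// Wrapper the application calls instead of the agent API directly.
// `sender(name, attributes)` performs the real transmission; `onDropped`
// lets the operator log (locally, not to the monitoring tool) what was removed.
function sendCustomEvent(name, attrs, sender, onDropped = () => {}) {
  const { attributes, dropped } = scrubAttributes(attrs);
  if (dropped.length > 0) onDropped(name, dropped);
  sender(name, attributes);
  return { attributes, dropped };
}

// Usage with a stand-in sender (constructed input; no agent required):
sendCustomEvent(
  "checkout_started",
  { step: "payment", cartTotal: 42.5, email: "jane@example.com" },
  (name, attributes) => console.log("would send", name, attributes),
  (name, dropped) => console.warn("withheld from", name, dropped)
);
```

The wrapper deliberately drops rather than hashes personal attributes: a hashed e-mail address is still personal data under the GDPR, so hashing would not restore the "no personal data by default" position the article relies on.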

2. New Relic is DPF-certified

New Relic uses the Data Privacy Framework (DPF) for third-country transfers. This means:

  • Data is transferred to the USA
  • New Relic has self-certified that it meets the DPF requirements
  • In the event of invalidation of the DPF, New Relic has Standard Contractual Clauses (SCC) as automatic fallback

You should mention in your privacy policy: "New Relic is Data Privacy Framework certified and uses SCC as fallback."

3. DPA is mandatory

You must have a Data Processing Agreement (DPA) with New Relic. Available at: https://newrelic.com/termsandconditions/dataprotection. The DPA must be signed.

4. Retention period and deletion

New Relic stores data by default for 30 days, after which it is deleted automatically. You can optionally:

  • Buy Extended Retention (up to 13 months)
  • Or export data and store locally

This is a major difference compared to other tools and simplifies GDPR compliance.

5. Cookies and § 25 TDDDG

If the New Relic Agent sets cookies (which is normally the case):

  • You need opt-in consent (§ 25(1) TDDDG)
  • A cookie banner must offer "New Relic Monitoring" as a separate option
  • Default should be off (not pre-ticked)

This is independent of the privacy policy and concerns the consent mechanism.
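The opt-in requirement described under "Particularity – § 25 TDDDG and cookies" and in point 5 above has a concrete technical consequence: the agent script must not be inserted into the page until the visitor has actively opted in, and that choice must be documented. The following is an added example of such consent gating; it is not code from New Relic or from the article. The consent record shape, the localStorage key `consent` and the purpose name `newRelicMonitoring` are assumptions, and `AGENT_SRC` is a placeholder rather than a real agent URL. The DOM document is passed in as a parameter so the decision logic can be exercised outside a browser.

```javascript
// Added example: load the browser monitoring agent only after opt-in consent.
// Not New Relic's code. Record shape, storage key and AGENT_SRC are assumptions.

const AGENT_SRC = "https://example.invalid/browser-agent.min.js"; // placeholder URL
const MONITORING_PURPOSE = "newRelicMonitoring"; // hypothetical consent purpose name

// Banner default: every optional purpose is off (not pre-ticked), no timestamp.
function defaultConsent() {
  return { version: 1, timestamp: null, choices: { [MONITORING_PURPOSE]: false } };
}

// Consent counts only if the visitor explicitly opted in AND the choice is
// documented with a timestamp. Missing, malformed or default records never
// grant consent, so a broken banner fails closed (agent stays off).
function hasMonitoringConsent(record) {
  if (!record || typeof record !== "object") return false;
  if (!record.choices || typeof record.choices !== "object") return false;
  if (typeof record.timestamp !== "string") return false;
  return record.choices[MONITORING_PURPOSE] === true;
}

// Build the record to persist when the visitor submits the banner. Anything
// other than an explicit `true` is stored as a refusal.
function recordConsent(choices, now = new Date()) {
  return {
    version: 1,
    timestamp: now.toISOString(),
    choices: { [MONITORING_PURPOSE]: choices[MONITORING_PURPOSE] === true },
  };
}

// Insert the agent <script> tag only when consent is present.
// Returns true when the agent is (or already was) loaded, false when withheld.
function loadAgentIfConsented(record, doc) {
  if (!hasMonitoringConsent(record)) return false;
  if (doc.querySelector('script[src="' + AGENT_SRC + '"]')) return true; // idempotent
  const script = doc.createElement("script");
  script.src = AGENT_SRC;
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Browser wiring (skipped when run outside a browser, e.g. under Node).
if (typeof window !== "undefined" && typeof localStorage !== "undefined") {
  let stored = null;
  try {
    stored = JSON.parse(localStorage.getItem("consent") || "null");
  } catch (e) {
    stored = null; // corrupt record is treated as no consent
  }
  loadAgentIfConsented(stored, document);
}
```

On the banner's submit handler the operator would call `recordConsent`, persist the result, and then call `loadAgentIfConsented` once; on later page views the stored record is re-validated before the script tag is inserted, so a stale or hand-edited record without a timestamp does not silently re-enable monitoring.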

6. Data subject rights

Since New Relic collects no personal data by default:

  • Data subjects cannot request "their" data (there is none)
  • Exception: If custom events contain personal data, data subject rights must be supported

7. Sub-processors

New Relic uses sub-processors for hosting (AWS, Azure). Check the New Relic sub-processor list and document this in your privacy policy or privacy policy annexes.

I. FAQ on New Relic

J. Conclusion and Recommendation on New Relic

New Relic is a technical monitoring tool with low data protection complexity, since it collects no personal data by default:

  • Legitimate interests are sufficient as legal basis
  • No explicit consent required (except for cookies)
  • Short retention period (30 days standard)
  • No complexity with sub-processor consent as with marketing tools

Tool-specific text templates ("New Relic monitors the website") are too short and do not explain why and how the data is used.

Recommendation: Use a topic-oriented structure:

  • Section "Website monitoring and performance" with description of the tool
  • Clear information: "New Relic collects technical data, no personal data"
  • Section "Third-country transfers" with reference to DPF/SCC
  • Section "Your rights" (with note: normal data subject rights apply, since no personal data)
  • Cookie banner with separate option for "New Relic Monitoring" (if cookies are set)

Make sure that:

  • The DPA with New Relic is signed
  • The New Relic Agent is correctly configured (no custom events with personal data)
  • The cookie setting in the banner offers "New Relic Monitoring"
  • The retention period is documented in the privacy policy

This article serves as general information on New Relic and does not replace legal advice in individual cases. Information is based on New Relic provider information and publicly accessible sources (as of: 2026-04-22).


Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
