Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Alibaba Cloud CDN is the global content delivery network operated by Alibaba Cloud. It accelerates websites and applications through 3200+ edge nodes worldwide and includes anti DDoS, WAF and image optimisation. For EU operators, Alibaba Cloud CDN does not set tracking cookies and is strictly necessary for delivery, so no end user consent is required, but the transfer of personal data to China for management and support raises serious GDPR transfer concerns that require Standard Contractual Clauses, a transfer impact assessment and supplementary measures.
Alibaba Cloud CDN is the global CDN of Alibaba Cloud (Aliyun). It operates more than 3200 edge nodes across Europe, North America, Asia, the Middle East, Africa and Oceania. It serves cached static assets, accelerates dynamic content, terminates TLS, blocks DDoS traffic and applies a web application firewall. It also offers image and video optimisation and edge scripting features.
IP address, TLS handshake data, user agent, request method, path, status code, response size, latency, WAF events, geo signals, bot signals. No tracking cookies are written by the CDN itself. Logs may flow to a central management plane operated by Alibaba Cloud teams.
Operating a CDN is strictly necessary, so article 5(3) ePrivacy does not require consent for end users. The main concern is the international transfer dimension. Alibaba Cloud has Chinese ownership and operates a management plane that may be accessed from China. China lacks an EU adequacy decision and is subject to laws (PIPL, DSL) that grant the State extensive access powers. Transfers to China require SCCs and a robust transfer impact assessment.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
No end user consent is needed for the CDN itself. The customer must inform visitors in the privacy notice that Alibaba Cloud CDN is used and that connection metadata may transit through edge nodes outside the EEA, including China.
Transfers to China involve a third country without an adequacy decision. Sign the Alibaba Cloud International DPA with SCCs, document supplementary measures (EU only edge regions, TLS, log encryption, restriction of Chinese support access to EU customer data), and perform a transfer impact assessment factoring in PIPL and DSL state access provisions. EU operators with sensitive use cases may prefer European CDNs.
Sign the DPA with SCCs, restrict the CDN to EU edge regions where feasible, encrypt origin traffic, set short retention on logs, document Alibaba Cloud CDN as a sub processor in the privacy notice, run a TIA, and reassess the supplier when handling highly sensitive personal data (health, finance, EU public sector).
Websites using Alibaba Cloud CDN must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended due to the transfer of EU visitor connection metadata to China through the management plane. Document the data flows, the SCCs in place, encryption, the absence of an adequacy decision for China, and supplementary measures (EU only edge selection, restricted Chinese access). Evaluate whether Alibaba Cloud is the appropriate choice for EU sensitive use cases.
Sample consent text
Our website is delivered through the Alibaba Cloud CDN. Alibaba Cloud CDN does not set tracking cookies. Some management of the service involves processing in China and Singapore, governed by Standard Contractual Clauses. No consent is required for this strictly necessary delivery and security processing.
Third-party domains contacted
alicdn.comaliyuncs.comkunlun.comalibabacloud.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| aliyun_wal | session | session | Optional security cookie set by the Alibaba Cloud WAF during a challenge. Strictly necessary, exempt from consent. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Alibaba Cloud CDN does not set tracking cookies on visitors. It can pass through origin cookies and may set a temporary security cookie when WAF challenges are used. Such security cookies are strictly necessary and exempt from consent.
No. A CDN is a strictly necessary intermediary delivering the requested content. Article 5(3) ePrivacy does not require consent. However, the operator must inform users in the privacy notice that data may transit through nodes outside the EEA, including China.
Performance of contract between operator and visitor for content delivery, legitimate interest in security. The transfer to a third country is governed by Standard Contractual Clauses and a documented transfer impact assessment.
Yes, the management plane and global operations can involve processing in China and Singapore. China is not adequate under GDPR and is covered by PIPL and DSL, which authorise state access. Strong supplementary measures, restriction to EU edges and a thorough TIA are required.
A DPIA focused on the transfer is recommended, especially in sensitive industries (health, finance, public sector). Document the data flows, SCCs, supplementary measures and the residual risk of state access.
Sign the Alibaba Cloud International DPA with SCCs, restrict to EU edge regions when possible, encrypt origin traffic, set short retention on logs, document the vendor as a sub processor, run a TIA and consider EU based alternatives for sensitive data.
EU friendly alternatives include Cloudflare with EU Data Localisation Suite, Bunny.net (Slovenia), Fastly with EU controls, Akamai with EU regions, Gcore (Luxembourg), KeyCDN (Switzerland) and Scaleway Edge Services (France).
You typically do not list Alibaba Cloud CDN in the cookie policy because no tracking cookies are set. List it in the privacy notice as a CDN sub processor with transfer to China under SCCs. If WAF challenge cookies are used, list them as strictly necessary.