OpenStreetMap (OSM) is the leading open data project for geographic data, operated by the non profit OpenStreetMap Foundation in the United Kingdom. The free OSM tile server and its EU commercial mirrors set no cookies and respect strict privacy policies.
OpenStreetMap is the largest collaborative open geographic database, founded in 2004 and operated by the OpenStreetMap Foundation, a non profit registered in the United Kingdom. The database is built by more than 10 million contributors editing roads, buildings, footpaths and points of interest under the Open Database License (ODbL). It powers public maps on government, education, news, tourism and ecommerce websites and is the data source behind Mapbox, MapTiler, Stadia Maps, Apple Maps, Facebook Maps and many others.
The standard tile server (tile.openstreetmap.org) is hosted on bare metal infrastructure in the UK (Imperial College London), Germany (Hetzner Falkenstein) and the Netherlands. No cookies are set. The visitor IP is processed only to deliver the requested tiles and to enforce the OSMF tile usage policy (no scraping, no commercial heavy use). Logs are kept for a maximum of 14 days then anonymised. The OSMF privacy policy is available at osmfoundation.org and is reviewed yearly by the OSMF Operations Working Group.
The free tile server is intended for low traffic personal or educational use. Commercial sites should use one of the EU based mirrors: Stadia Maps (Sweden), MapTiler (Switzerland), Geoapify (Germany), OSM France (Paris), Tracestrack (Estonia) or self host with OpenMapTiles, TileServer GL or Protomaps PMTiles. All these options keep OSM as the data source while distributing the rendering load and providing commercial support, attribution requirements and an SLA.
OpenStreetMap fits the strictly necessary exemption of ePrivacy art. 5(3) because no cookie is set. Legitimate interest under GDPR art. 6(1)(f) covers the processing of the visitor IP address for routing. The Munich Google Fonts ruling does not apply because the data stays in the European Economic Area or in the UK, which benefits from a Commission adequacy decision since 2021. No DPIA is required for the standard use case. Nominatim (the OSM geocoder) shares the same posture, with the additional consideration that search queries containing personal addresses are processed by the OSMF in the EU and UK.
Use Leaflet or MapLibre GL JS as the JavaScript library, point the tile URL to an EU based commercial mirror or self host using Protomaps PMTiles for full control, attribute OpenStreetMap as required by the ODbL license, list the chosen tile provider as a sub processor in the privacy notice and document the EU residency. For geocoding, use a dedicated EU based provider like Geoapify, Photon (Komoot, self hosted) or MapTiler rather than hammering the free Nominatim service.
Websites using OpenStreetMap must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for OpenStreetMap because the data flow is minimal (IP for routing, no cookies, no tracking). A DPIA may be recommended only if you operate a high traffic site that hammers the free OSM tile server (which violates the tile usage policy) or if you embed third party geocoding (Nominatim heavy use, Photon, Geoapify) that may transmit search queries containing personal addresses.
Sample consent text
Our website displays maps powered by OpenStreetMap, an open data project operated by the OpenStreetMap Foundation (United Kingdom non profit). The map tiles come from EU based servers (UK, Germany, Netherlands) and no cookies are written. Your IP address is processed only for routing and not used for tracking. No consent is required.
Third-party domains contacted
openstreetmap.org, tile.openstreetmap.org, a.tile.openstreetmap.org, b.tile.openstreetmap.org, c.tile.openstreetmap.org, nominatim.openstreetmap.org, osmfoundation.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| none on tile.openstreetmap.org | First party (OpenStreetMap tile server) | N/A | The standard OSM tile server sets no cookies. The osm_session cookie is set only when a user logs into the openstreetmap.org editing interface, which is not the case for embedded maps |
OpenStreetMap uses cookies for user preferences — inform visitors with a consent banner.
None on the standard tile server. The openstreetmap.org main site sets a session cookie (osm_session) only when the visitor logs into the editing interface; the tile.openstreetmap.org endpoint used for embedding maps sets no cookie.
No. The standard tile server sets no cookies, the data flow stays inside the European Economic Area (or in the UK under adequacy) and the IP is logged briefly only for tile usage policy enforcement. No consent banner is required.
Legitimate interest of the publisher (GDPR art. 6(1)(f)) to render the map and contract (art. 6(1)(b)) when the map is necessary to deliver the requested service. The strictly necessary exemption of ePrivacy art. 5(3) applies because nothing is stored on the visitor device.
No. The standard tile server is hosted on bare metal in the UK (Imperial College London), Germany (Hetzner Falkenstein) and the Netherlands. The UK benefits from a Commission adequacy decision. Commercial mirrors are also EU based (Stadia in Sweden, MapTiler in Switzerland, Geoapify in Germany, OSM France in Paris).
No for the standard use case. A DPIA is recommended only if you saturate the free tile server (violation of the tile usage policy) or use Nominatim at high volume with freeform queries containing personal addresses.
Use Leaflet or MapLibre GL JS, point the tile URL to an EU based commercial mirror (Stadia Maps, MapTiler, Geoapify) for production traffic, attribute OpenStreetMap as required by the ODbL license, list the chosen tile provider in the privacy notice, and self host with Protomaps PMTiles if you need full data control.
Mapbox (US, commercial), Apple Maps via MapKit JS, Google Maps Platform, HERE Maps (Netherlands, commercial), TomTom Maps (Netherlands, commercial), Bing Maps (US). For open data with EU residency, OpenStreetMap is the gold standard.
State that the map is powered by OpenStreetMap data and rendered by the chosen tile provider. List the tile provider as a sub processor with its EU location. Confirm no cookies are set and no data is transferred outside the EU. Add the ODbL attribution required by the licence.