Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Yandex.Cloud CDN is the content delivery network operated by Yandex, mainly serving Russia and the CIS region, with significant data transfer implications for European websites.
Yandex.Cloud CDN is the content delivery network of Russian provider Yandex. It distributes static and dynamic resources from edge points of presence and is mainly used to accelerate websites that target Russia and other Russian speaking markets. When a European website routes traffic through this CDN, every request from a European visitor is first sent to a Yandex edge node before the content is served.
Yandex.Cloud CDN itself does not require cookies to operate. The edge nevertheless processes the visitor IP address, request URL, user agent and referrer to deliver content and to apply caching and security rules. Operational logs may be retained for analytics and abuse prevention. Any cookies seen on the page are coming from the origin website, not from the CDN.
Russia has no adequacy decision under the GDPR. Sending personal data of EU visitors through Yandex.Cloud CDN therefore qualifies as a transfer to a third country and falls under chapter V of the regulation. The Schrems II case law requires Standard Contractual Clauses, a transfer impact assessment and supplementary measures whenever the destination country lacks an adequacy decision and offers wide intelligence access powers.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Given the transfer profile, the safest approach for an EU site is explicit informed consent before the visitor''s requests are routed through Yandex points of presence. Combine this consent with SCCs signed with Yandex.Cloud and document the assessment that justifies the transfer. If consent is refused, fall back to an EU based CDN such as Cloudflare with EU only routing, BunnyCDN or Akamai with EU traffic settings.
Russian Federal Law 152 FZ on Personal Data and a series of laws on access by security services significantly limit what supplementary measures can achieve. End to end encryption between visitor and origin reduces exposure of payload data, but the IP address and request metadata seen at the edge are still processed in country. EU data protection authorities have publicly cautioned against routing EU traffic through Russian infrastructure since 2022.
For European audiences, prefer an EU based CDN. If you must use Yandex.Cloud CDN, restrict it to specific geographies, sign SCCs, complete and archive a transfer impact assessment, document the transfer in your privacy notice, and obtain unambiguous consent before the first request reaches the edge. Review the deployment annually and after every major change in Russian legislation.
Websites using Yandex.Cloud CDN must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended. Yandex.Cloud CDN routes visitor IP addresses, user agents and request metadata through points of presence largely outside the EEA, including Russia, a country without an adequacy decision. Assess transfer risk, document the SCCs in place and decide whether supplementary measures are sufficient or whether an EU based CDN should be preferred.
Sample consent text
This site uses Yandex.Cloud CDN to deliver assets faster. Doing so involves transferring your IP address and request metadata to Yandex servers, which may be located in Russia. By accepting, you consent to this transfer to a country without a European Commission adequacy decision.
Third-party domains contacted
yandex.cloudcdn.yandexcloud.netstorage.yandexcloud.netmc.yandex.ruCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| yandexuid | Functional / Tracking | 10 years | A long lived Yandex visitor identifier that may appear on pages also using Yandex Metrica or Yandex.Auth alongside the CDN. |
| _ym_uid | Analytics | 1 year | Yandex Metrica visitor identifier that frequently coexists with Yandex.Cloud CDN deployments. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Yandex.Cloud CDN itself does not set client cookies. Any cookie present on a page served through the CDN comes from your origin website or from other third party services embedded in the page.
For European visitors, yes. Even though no cookies are set by the CDN, sending the visitor IP and request metadata to a Russian operated infrastructure is a transfer to a third country and requires informed consent in addition to SCCs and a transfer impact assessment.
Strictly necessary CDN delivery and security relies on legitimate interest under article 6(1)(f) GDPR. The international transfer to Russia, which has no adequacy decision, requires consent under article 6(1)(a) and an article 49 derogation or appropriate safeguards under chapter V.
Yes. The bulk of Yandex.Cloud points of presence are located in Russia and the CIS region. EU visitor IP addresses, request URLs and user agents are processed at those edges, which constitutes a third country transfer under the GDPR.
Yes. The combination of a third country transfer, large scale processing of visitor metadata and the risk profile of Russian intelligence access laws meets the thresholds in WP248 and most national DPA guidance, so a DPIA and a documented transfer impact assessment are expected.
Sign SCCs, complete a transfer impact assessment, configure the CDN to limit logs, enforce TLS, restrict the CDN to non sensitive assets, gate it behind a CMP, document the transfer and offer an EU based fallback whenever consent is refused.
EU friendly options include Cloudflare with EU only routing, BunnyCDN, Fastly with EEA endpoints, KeyCDN, Akamai with EU traffic settings and self hosted edge servers in EU data centres.
Add a clear paragraph in your privacy notice explaining that traffic is routed through Yandex points of presence outside the EEA, including Russia. List the categories of metadata processed at the edge, name the safeguards in place and link to the consent mechanism that gates this routing.