Data Privacy FAQ

Last change on 2021-11-17 • Created on 2020-03-18

Introduction

Data privacy is an important topic here at Hetzner. This article provides answers to common questions regarding this topic.

Web hosting packages and managed servers:

Which data is stored in the log files?

For our customers' websites, the log files store, among other things, the IP address, the browser visitors use, the time and date of the visits, and the system that visitors use. We at Hetzner Online only store pseudonymised IP addresses of visitors to the website. At the web server level, this happens by default by storing an IP address <123.123.123.XXX> in the log file instead of the visitor's actual IP address, for example, <123.123.123.123>. The XXX is a random value between 1 and 254, so it is no longer possible to establish the true identity of the visitor.
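As an added illustration (not Hetzner's own code or configuration), the last-octet replacement described above could be applied to access-log lines as follows. The function names, the constructed sample lines, and the choice to write "-" for any client field that is not a valid IPv4 address are assumptions of this example.

```python
import ipaddress
import secrets


def pseudonymise_ip(addr, rand_octet=lambda: secrets.randbelow(254) + 1):
    """Return addr with its last octet replaced by a random value 1..254.

    Anything that is not a valid IPv4 address yields "-" (assumption of this
    example: fail closed rather than log an address we could not parse).
    """
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "-"
    prefix = str(ip).rsplit(".", 1)[0]  # keep the first three octets
    return f"{prefix}.{rand_octet()}"


def pseudonymise_line(line, rand_octet=None):
    """Pseudonymise the client field (first token) of an access-log line."""
    client, sep, rest = line.partition(" ")
    args = (client,) if rand_octet is None else (client, rand_octet)
    return pseudonymise_ip(*args) + sep + rest


# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE = [
    '123.123.123.123 - - [17/Nov/2021:10:00:00 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [17/Nov/2021:10:00:01 +0100] "GET /a HTTP/1.1" 200 90 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(pseudonymise_line(entry))
```

The first three octets are written unchanged, so the visitor's /24 network still appears in the stored log line.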

How long does Hetzner Online store log files?

  • Mail server log: Hetzner Online stores these log files for 7 days.
  • Apache log: Customers can configure the length of time to store their log files. They can configure this themselves by going to their account on konsoleH. To do this, go to Administration > Maintenance > Account Maintenance and then click on Activate own rules to change this setting.
  • Backups: Hetzner Online stores encrypted backups for 14 days.

If you do not want to record log files, please add a file named .no-logs to your account.

Data processing

When is there an official order or commission for data processing?

As soon as you or your customer stores personal data on a server with us, it is defined as an order or commission for data processing according to Article 28 of the GDPR (General Data Protection Regulation, a European Union regulation). If this applies to you, you are required by law to complete a Data Processing Agreement (DPA).

Where can I find the Data Processing Agreement (DPA)?

For our web hosting products and managed servers:

Please log into konsoleH with your customer account. Under the menu item Administration on the left side, you will find the menu item Account details. And underneath that you will see Data processing.

Or go directly here.

For the following products: dedicated root server, Hetzner Cloud server, colocation server, auction server, vServer, and storage box

You can find the new DPA form when you log into your customer account.

If you do not have an account yet with us, and would like to view the DPA in advance, please send an email to <data-protection@hetzner.com>.

How should I fill out the Data Processing Agreement (DPA)?

At the top of the form, you will first see the information about yourself/your company that we have stored. You will also see your existing contracts here.

In the section called Types of data, you can add additional categories of data for different types of personal data that you have stored with us. You can either choose from the examples already listed or add other categories.

In the section called Affected People, you have a similar choice. You can either select from the list of affected groups of people or add other types of people who are affected.

If you need to add anything to Types of data or Affected People after you finish the DPA, you can simply create a new agreement and delete the old one. Or you can create a completely separate DPA. You can have up to six different DPAs at the same time. If you need more than 6 for any reason, please contact our data protection officer at <data-protection@hetzner.com>.

After the Affected People section, you will see a new section with the title Data Processing Agreement in Accordance with Article 28 of the General Data Protection Regulation (GDPR). This is the actual DPA itself, which you can download.

The next text section is called Technical and organizational measures in accordance to Art. 32 GDPR and Amendments. Here you will find the technical and organizational measures regarding information security. You can also download this section and/or preview it.

Once you have consented to the DPA, our system will automatically create your digital DPA. The DPA will include your personal data, the content of the DPA itself, Appendix 1 with the Types of data and Affected People, and Appendix 2 with the Technical and organizational measures in accordance to Art. 32 GDPR and Amendments.

The contract will include our automated signature. All you have to do is print out the DPA, sign it, and put it somewhere safe with any other data protection documents you have.

If you have any questions, please contact us at <data-protection@hetzner.com>.

Information about data protection and our new Ashburn location

Hetzner US LLC, as a subsidiary of Hetzner Online GmbH, provides data center services within the USA for the parent company, Hetzner Online.
This means that your existing contractual agreement and customer relationship will continue to be exclusively with us (Hetzner Online GmbH), and your personal data will not be passed on.

We have prepared the following examples for you to illustrate this:

Case study 1: You rent products just within the EU (in Germany and/or Finland):
The server location Ashburn (USA) is left out in this example. Your customer master data is stored and processed within Germany (EU).

Case study 2: You rent products within the EU and in the USA:
Your customer master data continues to be stored and processed exclusively within Germany (EU). This has not changed due to the new location. Hetzner Online GmbH concludes the standard contractual clauses (SCCs) with Hetzner US LLC, which enables you to use the servers at the Ashburn location in a GDPR-compliant manner even in compliance with the Schrems II agreement.

It is up to you as the customer to decide which data you store on the instances in the USA and whether or not you encrypt this data as a precaution.
We regularly receive inquiries from the authorities. If you as a customer use the server for any illegal purposes, we assume that we may receive inquiries from the US authorities or that we may receive other forms of judicial requests such as warrants or subpoenas. If this happens, and only if this happens, authorities are obliged to cooperate on the basis of international agreements. The SCCs in the link regulate the obligations of the involved parties.

US authorities do not have direct access to your server or its content in the EU. US authorities have to comply with the regulations of the EU legislation.

Conclusion:
In summary, you as a customer do have influence - to a certain extent - on shaping who has access to the data on your servers. EU and US authorities do have to follow the laws and legal procedures in requesting data. However, this may give you a false sense of security since some authorities have been known to stretch or violate agreements. If you require a web hosting company that has absolutely no connections to the USA, then unfortunately, we may no longer be the best choice for you. Since Hetzner US LLC is part of the Hetzner Group, there certainly is a connection. We hope that we have explained things clearly from our point of view using the two above case studies.

Still have questions? Contact support.

If you still have questions after reading this, please write a support request using your account on Robot/Cloud Console/konsoleH. Mention that you have a data protection or data privacy question. Our support team will then forward your question to our data protection officer, who will be happy to help you. If you are not yet a customer, and you have questions about this topic, please write to info@hetzner.com.
