klaus++

All who sail with us on a privateering voyage must be men with beards. Jan and Hein and Klaas and Pit, they have beards, they have beards. Jan and Hein and Klaas and Pit, they have beards, they sail along.

  • How to make Matomo GDPR compliant in 12 steps
    https://matomo.org/blog/2018/04/how-to-make-matomo-gdpr-compliant-in-12-steps

    InnoCraft, April 3, 2018 in Privacy
    Important note: this blog post has been written by digital analysts, not lawyers. Its purpose is to show briefly where Matomo comes into play within the GDPR process. It is based on our interpretation of the guidance published by the UK data protection authority, the ICO, and cannot be considered professional legal advice. As with the GDPR itself, this information is subject to change; we strongly advise you to check the different privacy authorities for up-to-date information.

    The General Data Protection Regulation (EU) 2016/679, also referred to as RGPD in French and Datenschutz-Grundverordnung (DSGVO) in German, is a regulation on data protection and privacy for all individuals within the European Union. It concerns organizations worldwide that process the data of individuals in the EU, and it applies from 25 May 2018.

    The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. For web analytics this includes cookies, IP addresses, user IDs, location data, and any other data you may have collected.

    Below we list the 12 steps recommended by the ICO for becoming GDPR compliant, and what you need to do for each step.

    The 12 steps of GDPR compliance according to the ICO and how they fit with Matomo
    As mentioned in one of our previous blog posts about the GDPR, if you are not collecting any personal data with Matomo, then the steps below do not apply to you.

    If you are processing personal data in any way, here are the 12 steps to follow, along with some recommendations on how to be GDPR compliant with Matomo:

    1 – Awareness
    Make sure that people within your organization know that you are using Matomo to analyze traffic on your website or app. If needed, send them the link to the “What is Matomo?” page.

    2 – Information you hold
    List all the personal data you process with Matomo in your record of processing activities. We use the template provided by the ICO, which consists of a set of 30 questions you need to answer about your use of Matomo; we will write a dedicated blog post on this in the near future. Be aware that personal data may also be tracked in non-obvious ways, for example as part of page URLs (an e-mail address or token in a query string, a username in a path) or page titles.
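    As an added example (this is not Matomo's own code and was not part of the original post), the following client-side scrubber redacts personal data from the page URL and document title before they are handed to the Matomo JavaScript tracker, so that the non-obvious leaks mentioned above never reach the analytics database. The `setCustomUrl`, `setDocumentTitle` and `trackPageView` commands are real Matomo tracker API calls; the list of sensitive parameter names, the e-mail pattern, the helper names and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not Matomo project code. Scrubs personal data from the URL and
// title before the Matomo tracker records a page view, so that e-mail addresses,
// tokens or usernames never leave the browser as part of the tracking request.
// The parameter list and the e-mail pattern are assumptions chosen for illustration.

const SENSITIVE_PARAMS = new Set([
  'email', 'e', 'token', 'session', 'sessionid', 'phone', 'name', 'user_id', 'uid',
]);
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

// True if a (decoded) string looks like an e-mail address.
function looksPersonal(value) {
  return typeof value === 'string' && EMAIL_RE.test(value);
}

// decodeURIComponent throws on malformed input; fall back to the raw segment.
function safeDecode(segment) {
  try { return decodeURIComponent(segment); } catch (e) { return segment; }
}

// Redact query parameters that are sensitive by name or whose value looks like
// an e-mail address, redact path segments that look like e-mail addresses, and
// drop the fragment, which single-page apps often use to carry tokens.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const params = url.searchParams;
  for (const key of Array.from(params.keys())) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase()) || looksPersonal(params.get(key))) {
      params.set(key, 'REDACTED'); // keep the key so analysts can see the parameter was present
    }
  }
  url.pathname = url.pathname
    .split('/')
    .map((seg) => (looksPersonal(safeDecode(seg)) ? 'REDACTED' : seg))
    .join('/');
  url.hash = '';
  return url.toString();
}

// Page titles such as "Order confirmation for alice@example.com" leak data too.
function scrubTitle(title) {
  return title.replace(new RegExp(EMAIL_RE.source, 'gi'), 'REDACTED');
}

// Push the scrubbed values into the Matomo command queue (window._paq in the
// browser) before the page view is tracked. The queue is passed in so the
// function can be exercised outside a browser.
function trackScrubbedPageView(paq, href, title) {
  paq.push(['setCustomUrl', scrubUrl(href)]);
  paq.push(['setDocumentTitle', scrubTitle(title)]);
  paq.push(['trackPageView']);
  return paq;
}

// Browser usage: run this in place of the plain trackPageView call of the
// standard Matomo snippet, before matomo.js is loaded.
if (typeof window !== 'undefined') {
  window._paq = window._paq || [];
  trackScrubbedPageView(window._paq, window.location.href, document.title);
}
```

    Matomo also offers a server-side list of query parameters to exclude in the website settings; use both, since the client-side scrub keeps the data from leaving the browser at all, while the server-side list also covers data arriving through other channels such as server log imports.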

    3 – Communicating privacy information
    a – Add a privacy notice
    Add a privacy notice wherever you use Matomo to collect personal data. Refer to the ICO documentation to learn how to write a privacy notice; we will write a blog post about this part in the near future. Make sure that a privacy policy link is always available on your website or app.

    b – Add Matomo to your privacy policy page
    Add Matomo to the list of technologies you use on your privacy policy page, and add all the necessary information as requested in the following checklist.

    4 – Individuals’ rights
    Make sure that your Matomo installation respects all of the individuals’ rights. In short, you need to know which Matomo features to use in order to respect each right (right of access, right of rectification, right of erasure, and so on). These features are currently in development and will be released soon.

    5 – Subject access requests
    Make sure that you are able to answer an access request from a data subject for the data held in Matomo. For example, when a person wants to access the personal data you have collected about her or him, you need to be able to provide it. We recommend that you design a process for this (for example: who is responsible for handling such requests?) and check that it works. If you can answer the so-called “nightmare letter”, then you are ready. The features needed for this in Matomo will be available soon.

    6 – Lawful basis for processing personal data
    There are several lawful bases for processing under the GDPR; for web analytics the relevant ones are usually “legitimate interest” or “consent”. Do not forget to state which one you rely on in your privacy policy page.

    7 – Consent
    Users must be able to withdraw their consent at any time. Fortunately, Matomo already provides a feature for exactly that: add the opt-out feature to your privacy policy page.
    We are also working on a feature that optionally lets you require consent. This is useful when a person should only be tracked after she or he has given explicit consent to be tracked.

    8 – Children
    If your website or app is targeted at children and you are using Matomo, extra measures need to be taken. For example, you will need to write your privacy policy even more clearly and, moreover, obtain parental consent if the child is below the age of digital consent (13 in the UK; the GDPR’s default is 16, and member states may lower it to 13). As this is a very specific case, we strongly recommend that you consult the ICO’s guidance on children’s data for further information.

    9 – Data breaches
    As you may be collecting personal data with Matomo, you should also check your data breach procedure to determine whether a leak of Matomo data could affect the privacy of the data subjects. Please consult the ICO’s website for further information.

    10 – Data Protection by Design and Data Protection Impact Assessments
    Ask yourself whether you really need to process personal data within Matomo. If the data you process within Matomo is sensitive, we strongly recommend that you carry out a Data Protection Impact Assessment. The French privacy regulator, the CNIL, provides open source PIA software that helps you carry out such an assessment.

    11 – Data Protection Officers
    If you are reading this article and you are the Data Protection Officer (DPO), this step does not concern you. Otherwise, your duty is to pass this blog post on to your DPO (if your business has one) so that she or he can ask you questions about your use of Matomo. Note that your DPO may also be interested in the different data that Matomo can process: see “What data does Matomo track?” (FAQ).

    12 – International
    Matomo data is hosted wherever you choose. Depending on where the data is located, you will need to demonstrate appropriate safeguards for any transfer outside the EU. For example, for the USA, you will have to check whether your web hosting provider is registered under the Privacy Shield: privacyshield.gov/list (note that the Court of Justice of the EU invalidated the Privacy Shield in July 2020, so a listing there no longer suffices as a transfer mechanism on its own).
    Note: our Matomo cloud infrastructure is based in France.

    That’s the end of this blog post. As the GDPR is a huge topic, we will release many more blog posts in the upcoming weeks. If there are any Matomo GDPR-related topics you would like us to write about, please feel free to contact us.

    #GDPR #RGPD #DSGVO #WWW