If you are processing personal data of European citizens through Matomo, even if your company is located outside Europe, you need to fulfill GDPR obligations and this guide will help you.

GDPR overview

The General Data Protection Regulation (GDPR) is a regulation which strengthen and unify data protection for all individuals within the European Union (EU).

If you take steps to ensure no personal data is collected in Matomo, then you may not need to be concerned by the GDPR (when you anonymize IP address, user IDs, geolocation data, etc.).

GDPR compliance is a long process composed of several obligations:

  • Respect user rights
  • Documentation
  • Security procedures

The GDPR is also known as…

The General Data Protection Regulation (GDPR) is also known in other countries under these wordings:

  • Austria: Datenschutz-Grundverordnung (DSGVO)
  • Belgium: algemene verordening gegevensbescherming / règlement général sur la protection des données (RGPD)
  • Bulgaria: Общ регламент относно защитата на данните
  • Croatia: Opća uredba o zaštiti podataka
  • Cyprus: Γενικός Κανονισμός για την Προστασία Δεδομένων
  • Czech Republic: obecné nařízení o ochraně osobních údajů
  • Denmark: generel forordning om databeskyttelse
  • Estonia: isikuandmete kaitse üldmäärus
  • Finland: yleinen tietosuoja-asetus
  • France: règlement général sur la protection des données (RGPD)
  • Germany: Datenschutz-Grundverordnung (DSGVO)
  • Greece: Γενικός Κανονισμός για την Προστασία Δεδομένων
  • Hungary: általános adatvédelmi rendelet
  • Ireland: An Rialachán Ginearálta maidir le Cosaint Sonraí / General Data Protection Regulation (GDPR)
  • Italy: regolamento generale sulla protezione dei dati (RGPD)
  • Latvia: Vispārīgā datu aizsardzības regula
  • Lithuania: Bendrasis duomenų apsaugos reglamentas (BDAR)
  • Luxembourg: règlement général sur la protection des données (RGPD) / Datenschutz-Grundverordnung (DSGVO)
  • Malta: Regolament Ġenerali dwar il-Protezzjoni tad-Data
  • The Netherlands: algemene verordening gegevensbescherming
  • Poland: ogólne rozporządzenie o ochronie danych
  • Portugal: Regulamento Geral sobre a Proteção de Dados (RGPD)
  • Romania: Regulamentul general privind protecția datelor
  • Slovakia: všeobecné nariadenie o ochrane údajov
  • Slovenia: Splošna uredba o varstvu podatkov
  • Spain: Reglamento general de protección de datos (RGPD)
  • Sweden: allmän dataskyddsförordning
  • The United Kingdom: General Data Protection Regulation (GDPR)

How to exercise user rights in Matomo

To be compliant with GDPR, a data subject can exercise the different rights below:

  1. Right to be informed
  2. Right of access
  3. Right to erasure
  4. Right to rectification
  5. Right to data portability
  6. Right to object
  7. Right to withdraw consent

1 – Right to be informed

If you are processing personal data, you need to inform users at the point of the data collection with a clear privacy notice.

This privacy notice needs to include at a minimum:

  • the reasons why you are processing the personal data
  • for how long
  • who the different parties you are going to share them with are
  • a completed privacy policy page.

Learn more in our detailed article How to write a privacy notice for GDPR.

2 – Right of access

Check the identity of the data subject first

If a visitor asks you to get access to her or his personal data, you have the responsibility to check her/his identity.

In order to check her or his identity you could for example see if the email address from the request match the one registered by Matomo (in the case you are using the User ID feature to process email addresses). For this you can use the GDPR feature described below.

Note that if you anonymize the personal data, then you cannot search for a data subject as it is not a personal data anymore.

How to exercise the right of access in Matomo

A brand-new feature has been developed in order to fulfill such data subject access requests, you will find it within Administration → Privacy → GDPR tools:

Once there, based on the information provided by the data subject, you will be able to search all the data you are processing about this data subject in particular:

And get all the information associated with the data subject (visits, time of the visits, actions performed on the website, ecommerce orders etc.)

After you have verified each visit that belongs to the data subject you want to export the data for, click on “EXPORT SELECTED VISITS” to pull out the data.

This will download a file with all the necessary data which you can send the data subject by email. If you are using the User ID with an email address and you search the data subject by “User ID = email address”, make sure to only send any exported information to the same email address that you looked up the data for.

3 – Right to erasure

In order to delete information of a given user, you will have to follow this procedure:

  • Click on administration (the wheel logo at the top right of Matomo’s backend)
  • Click on “GDPR tools” under the Privacy category
  • Search for a data subject:

  • Once selected, click on DELETE SELECTED VISITS:

  • Inform the data subject that you have properly deleted their personal data and ask for confirmation that they received your message.

4 – Right to rectification

If you are presented with a request to rectify the data of a data subject, we recommend you to use the right to erasure instead. If for a specific reason you really need to exercise this right and you self host your Matomo, the only way is to access the Matomo database. To do so, you will need to understand how the Matomo database is working.

5 – Right to data portability

A user has the right to ask to get a copy of their personal data. Please check first their identity as described in “2 – Right to access”.
In order to exercise the following right:

  • Click on administration (the wheel logo at the top right of Matomo’s backend)
  • Click on “GDPR tools” under the Privacy category
  • Search for a data subject:

  • Once found click on EXPORT SELECTED VISITS:

  • Send the data to the data subject if you are sure about their identity and ask them to confirm that they received it.

6 – Right to object

This right applies only if you are processing based on legitimate interests lawful basis.
A user has to be able to object to the processing of their personal data. You can easily offer this feature by including our opt-out feature.
It consists of an iFrame that you can insert on a web page where users would expect to find it, most likely in your privacy policy page.
To access this feature:

  • Click on administration (the wheel logo at the top right of Matomo’s backend)
  • Click on “Users Opt-out” under the Privacy category
  • Tweak the HTML code according to your website (learn more)
  • Copy/Paste it on your website where users expect to see it (for example, the privacy policy page)
  • Test that it is properly working

This right applies only if you are processing personal data based on consent and using the Matomo consent feature.

Under GDPR, if a user gave you her/his consent, you have to provide them a way to withdraw it.

In order to remove her/his consent the user needs to perform a specific action, for example: clicking on a button “I do not want to be tracked anymore”.

Learn more about how to setup the Matomo consent feature. You can also click on Administration (the wheel logo at the top right of Matomo’s backend), and then click on “Asking for consent” under the Privacy section.

Awareness & documentation

Inform your users clearly and transparently, and make sure your colleagues are aware of the data being collected and how it is used:

  1. Inform your visitors through a clear privacy notice whenever you’re collecting personal data.
  2. Inform your users in your privacy policy about what data you collect and how the data is used.
  3. Make your team aware that you are using Matomo Analytics and what data is being collected by your analytics platform.
  4. Document your use of Matomo within your information asset register.

Security procedures

Inform your users clearly and transparently, and make your colleagues aware of the data being collected and how it is used:

  1. Apply our security recommendations in order to keep your Matomo data safe.
  2. Check that you have a written contract with the company providing you the Matomo server or hosting which ensures appropriate safeguards are provided.
  3. Include Matomo in your data breach procedure.
  4. Include Matomo in your data privacy impact assessment (DPIA), if applicable.

GDPR Resources

Any questions?

Many answers and more information about Matomo you can find here:

We are social

Follow us: