How to write a GDPR-compliant Privacy Notice

This guide provides general information, not legal advice. For up-to-date information specific to your business, refer to the website of the relevant supervisory authority and discuss your regulatory compliance needs with your legal advisors.

Background

A privacy notice is a key document to inform individuals how your organisation collects, uses, stores, and protects their personal data.

Under the General Data Protection Regulation (GDPR), organisations must provide clear and transparent privacy notices covering all processing activities that affect the relevant data subjects.

For example, your privacy notice should detail how you process personal data across different activities, such as:

• Website Analytics (Matomo Analytics)
• Marketing and email communications
• User account registrations
• Customer support and contact forms
• Ecommerce transactions
• HR data processing of applicants submitted via your website (if applicable).

A GDPR-compliant privacy notice ensures visitors to your website understand how their data is handled in each of these cases.

Key Principles of a GDPR Privacy Notice

• Transparency: The notice should be concise, transparent, and written in plain language that users can easily understand. This is especially important if your visitors include children.
• Accessibility: It should be easy to find, such as in the website footer or during data collection (e.g., in sign-up forms).
• Layered approach: Avoid overwhelming readers with excessive information. Provide a short summary with key details and allow users to expand sections for more information. Recommended privacy notice practices include a layered approach, just-in-time notices, and dashboards.

What to include in a GDPR-compliant Privacy Notice

Your privacy notice should include the following sections:

1. Identity and Contact Details of the Data Controller

Clearly identify who is responsible for processing the personal data:

• Your company name,
• Your contact details (email, address, phone), and
• Contact information for your Data Protection Officer (DPO), if applicable.

Example:
“This privacy notice is issued by [Company Name], located at [Company Address]. If you have any questions regarding your data, you can contact us at [Email] or our Data Protection Officer at [DPO Email].”

2. Types of Personal Data Collected

List all applicable categories of personal data processed, covering different activities, including for example:

• Marketing and newsletters: e.g., name, email address, marketing preferences.
• User accounts: e.g., username, password, email, login activity.
• Ecommerce transactions: e.g., billing details, order history, shipping address.
• Customer support: e.g., name, email, chat messages, support request details.

• Matomo Analytics:
  When you visit our website, we collect the following personal data using Matomo Analytics: IP address, User ID, first-party cookies, geolocation, pages visited, time spent, referrer URLs, browser type, Ecommerce Order ID, downloaded files, browser details, etc. List the personal data that your configuration of Matomo collects (refer to What data does Matomo track?).

• If you process the IP address solely to fully anonymise it, you should also disclose this in your privacy notice. Although the IP address is anonymised immediately, the initial collection and processing of personal data (before anonymisation) still falls under data protection laws.
  For example, if you are processing website analytics based on the CNIL exemption, you can disclose:
  Example disclosure (if relying on CNIL exemption for analytics):
  We collect IP addresses solely for the purpose of anonymisation. This process occurs immediately after collection, and no identifiable IP address is stored or further processed.

• Consider if the IP address masked or anonymised in Matomo may also be present somewhere else in your databases outside Matomo environment.

3. Purpose and Legal Basis for Processing

You must explain why you process personal data and which legal basis applies under GDPR.

• If processing is based on legitimate interest, justify the interest pursued.
• If processing is based on consent, explain how users can withdraw consent.
• If processing is based on a statutory or contractual requirement, clarify the possible consequences of not providing the data.
• If data is used for other purposes (e.g., session recordings, ad conversion tracking), ensure transparency.

Examples of processing purposes and legal bases:

• User account management: “To provide secure access to user accounts” (contractual necessity).
• Transaction processing: “To process purchases and manage orders” (contractual necessity).
• Marketing emails: “To send promotional offers to users who have opted in” (consent).

Website Analytics (Matomo):

In most EEA countries, your use of Matomo Analytics (with some exceptions, such as log analytics) will require consent, irrespective of whether you process personal data or not (refer to the ePrivacy Directive, National Implementations and Website Analytics Guide).

We use Matomo Analytics to measure, collect, analyse and report visitors’ data for purposes of understanding and optimising our website based on your consent. You can withdraw your consent or change your preferences at any time by updating your preferences using our Consent Management Tool.

In some cases, you may rely on legitimate interest to process website analytics, but privacy laws that permit consent exempt analytics, generally require data produced by the analytics to be aggregated and anonymised (refer to the ePrivacy Directive, National Implementations and Website Analytics Guide). Where required, include an opt-out as in the example shown below:

We use Matomo Analytics to measure, collect, analyse and report visitors’ data in aggregated and anonymised data sets for purposes of understanding and optimising our website based on legitimate interest.

4. Data Sharing & Third-Party Recipients

You must disclose whether data is shared with third parties, including all of your data processors.

Example (for Matomo Cloud customers):
“Matomo Cloud data is hosted by AWS Europe in Germany with backups in Ireland. Matomo is provided by InnoCraft Limited, a New Zealand company, who processes your personal data our behalf under the Matomo Cloud Data Processing Agreement (DPA) according to our instructions.” 

5. How Long Data is Retained

Explain how long you keep personal data before deletion or anonymisation.

Examples:

• User accounts: Retained as long as the account is active. Deleted after 2 years of inactivity.
• Marketing preferences: Retained until the user unsubscribes.
• Matomo Analytics data: Your personal data is stored for 13 months before automatic deletion.
  • Justify your choice, for example: as our data is hosted in France, we are applying the French law, which defines a retention period of no more than 13 months.
  • Retention period is configurable in Matomo. You can set the retention period in Matomo by using the Data Retention feature.

6. Data Transfers

If data is transferred outside the European Economic Area (EEA), describe the safeguards in place.

Example (for Matomo Cloud customers):
If you use Matomo Cloud but not Matomo On-Premise, you should disclose the following information:
“InnoCraft, the processor of Matomo Cloud Analytics data, is based in New Zealand, a country recognised by the EU adequate level of data protection.”

7. Data Subject Rights

In addition to the right to be informed, which is facilitated through a privacy notice, the GDPR grants individuals several other key data subject rights. Your privacy notice should inform individuals of their rights under GDPR. Note that available data rights depend on the legal basis on which the data is processed.

Right of Access – right to request a copy of their personal data
Right to Rectification – right to correct inaccurate data
Right to Erasure (“Right to be Forgotten”) – right to request data deletion
Right to Restrict Processing – right to temporarily halt data use
Right to Data Portability – right to receive data in a machine-readable format
Right to Object – right to object to data processing (e.g., Matomo tracking)
Right to Withdraw Consent – right to withdraw previously given consent (e.g., unsubscribe from emails)
Right not to be subject to automated decisions – right to challenge profiling-based decisions

You will need to advise the data subject how to exercise these rights.

Example:
To exercise any of the rights mentioned in this Privacy Policy and/or in the event of questions or comments relating to the use of Personal Data you may contact our privacy team: [insert email].

Right to complain – you will also need to advise individuals of their right to lodge a complaint with a supervisory authority.

Example:
“You have the right to lodge a complaint with a data protection authority, such as:

• UK: Information Commissioner’s Office: https://ico.org.uk/global/contact-us/
• EU: select the appropriate authority from the list provided by European Data Protection Board https://edpb.europa.eu/about-edpb/board/members_en“

8. Automated Decision-Making & Profiling (if applicable)

If applicable, explain any automated decision-making or profiling and its potential consequences.

Matomo Analytics itself does not perform automated decision-making.

9. Contact Information & Complaints

Provide details for users to raise concerns or file complaints with a supervisory authority.

Policy or notice?

GDPR does not distinguish between “privacy notice” and “privacy policy.” Traditionally, “notice” is for external users, while “policy” refers to internal privacy measures. However, many businesses use “privacy policy” for both. What matters is content accuracy, not the title.

Templates

Please refer to the website of the supervisory authority relevant to you. Many of them provide examples of privacy notices and privacy notice generators for businesses to use (e.g., Create your own privacy notice | ICO). 

Our Matomo.org website privacy policy can be found here: Privacy Policy. You may review and use it as a template (headings, structure). We do not recommend copying it directly, as privacy practices differ between organisations. Your privacy notice or policy must reflect and align with your organisation’s legal obligations and privacy practices. Matomo’s Cookie Notice is also available for your review.