How to respect GDPR data subjects’ rights in Matomo
Under the General Data Protection Regulation (GDPR), data subjects have specific privacy rights, which they can exercise by contacting the data controller:
- Right to be informed
- Right of access
- Right to erasure
- Right to rectification
- Right to data portability
- Right to object
- Right to withdraw consent
- Right to restrict processing
- Rights related to automated decision-making and profiling
1 – Right to be informed
If you process personal data in your Matomo instance, you need to inform users at the point of the data collection through a clear and transparent privacy notice.
Learn more about how to write a GDPR-compliant Privacy Notice.
2 – Right of access
Check the identity of the data subject first
If a visitor asks you to get access to their personal data, you have the responsibility to check their identity.
To verify their identity, you could for example, see if the email address from the request matches the one registered by Matomo (in the case you are using the User ID feature to process email addresses). For this you can use the GDPR feature described below.
Note that if you anonymise the personal data, then you cannot search for a data subject as it is not a personal data anymore.
How to exercise the right of access in Matomo
The GDPR Tools in Matomo can help you fulfil data subject access requests.
-
Open Matomo settings
> Privacy > GDPR Tools:
-
Based on the information provided by the data subject, you will be able to search all the data you are processing about this data subject:
-
And get all the information associated with the data subject (visits, time of the visits, actions performed on the website, ecommerce orders etc.)
-
After you have verified each visit that belongs to the data subject you want to export the data for, click on “EXPORT SELECTED VISITS” to pull out the data.
-
This will download a file with all the necessary data which you can send the data subject by email. If you are using the User ID with an email address and you search the data subject by “User ID = email address”, make sure to only send any exported information to the same email address that you looked up the data for.
3 – Right to erasure (Right to be forgotten)
To delete information of a given user, you will have to follow this procedure:
-
Open Matomo settings
> Privacy > GDPR Tools.
-
Search for a data subject:
-
Once selected, click on DELETE SELECTED VISITS:
-
Inform the data subject that you have properly deleted their personal data and ask for confirmation that they received your message.
Important: The right to erasure is not absolute — conditions and exceptions apply, such as when data is required for legal obligation, public interest, or defence against claims.
4 – Right to rectification
If you are presented with a request to rectify the data of a data subject, we recommend to use the right to erasure instead. If, for a specific reason you really need to exercise this right and you self-host your Matomo, the only way is to access the Matomo database. To do so, you will need to understand how the Matomo database is working.
Whenever rectification is requested, controllers should document the correction process to ensure compliance.
5 – Right to data portability
Individuals have the right to ask for and receive a copy of their personal data in a structured, commonly used, and machine-readable format. Please verify their identity first as described in 2 – Right to access.
To exercise this right:
-
Open Matomo settings
> Privacy > GDPR Tools.
-
Search for a data subject:
-
Once found, click on EXPORT SELECTED VISITS to download the data:
-
Send the data to the data subject if you are sure about their identity and ask them to confirm that they received it.
6 – Right to object
Individuals have the right to object to the processing of their personal data at any time, if processing is based on:
- Legitimate interest; or
- Direct marketing – this right is absolute, which means that when it is exercised, you must stop processing their personal data for direct marketing purposes immediately, with no exceptions.
If you are processing personal data in the UK and EU countries, using Matomo cookies or JS tracking tools that fall under the ePrivacy laws, the processing will be based on consent and the right to object does not apply. In those EEA/EU countries, where some forms of website analytics are either consent-exempt (e.g., France, Spain, Italy) or do not require consent unless you are processing certain categories of data or use it for marketing (e.g., Switzerland, Iceland, Bulgaria), you may be processing some personal data on the legitimate interest basis (e.g., in order to mask or anonymise IP address).
In such cases, the individual has to be able to object to the processing of their personal data. Matomo provides an opt-out feature that allows users to prevent further tracking. It consists of an iframe that you can insert on a web page where users would expect to find it, most likely in your privacy policy page.
To access this feature:
- Open Matomo settings
> Privacy > Users opt-out
- Tweak the HTML code according to your website. Learn more about customising the opt-out form.
- Copy/paste it on your website where users expect to see it (for example, the privacy policy page).
- Test that it is working correctly.
7 – Right to withdraw consent
This right applies only if you are processing personal data based on consent. You may ask for consent using either the Matomo consent feature or a Consent Management Platform (CMP) or cookie banner.
Under GDPR, if a user gave their consent, you must provide them a way to withdraw it, as easily as they gave it. To remove their consent, the user needs to perform a specific action, for example clicking on a button, “I do not want to be tracked anymore”. Learn more about how to setup the Matomo consent feature.
You can also click on Matomo settings and then click on Asking for consent under the Privacy section.
If tracking consent was given via a Consent Management Platform (CMP) or cookie banner, the consent withdrawal may occur via your CMP or banner.
8 – Right to restrict processing (Art. 18)
Individuals have the right to request a temporary halt to the processing of their personal data in specific circumstances:
- Data accuracy of the date is contested;
- Data processing is unlawful;
- Data is no longer needed but the individual requires it to remain; or
- Objection to processing based on legitimate interests is made.
During this restriction, the organisation can store the data but must not process it further unless the individual consents or there is a legal justification. Matomo Cloud does not provide a built-in “pause processing” button, but you can effectively restrict processing by:
- Enabling the Opt-Out Feature and directing the user to opt-out of tracking or directing them to withdraw their tracking consent (where prior consent to tracking is required).
- Manually exporting data using Matomo’s GDPR Tools for review and storage.
- Temporarily deleting the data from the Matomo instance as described in the 3 – Right to erasure section, until restriction is lifted completely.
Important Note:
- In Matomo Cloud, once data is deleted, it cannot be reimported. If restriction is only temporary, alternative storage outside of Matomo may be necessary.
- Matomo On-Premise allows reimporting of data if needed.
9 – Right related to automated decision-making and profiling
Matomo does not inherently make automated decisions about individuals (e.g., approving loans, hiring, or determining access to services). It can be used to track user interactions, behaviour, and segmentation, but:
- By default, Matomo does not create user profiles beyond session-based or aggregated data.
- Profiling may occur if advanced tracking features (e.g., User ID tracking, goal conversions, custom dimensions) are used to build detailed visitor profiles.
When does automated decision-making apply?
If a Matomo customer integrates Matomo with other tools to trigger automated actions based on user behaviour, this could constitute automated decision-making under GDPR. Examples include:
- Sending Matomo data to another system that automatically assigns scores, personalises ads, or restricts access to services.
- Segmenting users in Matomo and applying automated rules that impact individuals’ rights or opportunities.
Matomo can assist customers in complying with their Art 22 obligations, by providing tools assisting in transparency:
- Visitor specific data exports (E.g. User Id , Visitor Log or User Profiles); and
- Data export features.