GDPR and Matomo Analytics
This guide is for general information purposes only, and it is not intended to constitute legal advice or be a substitute for it. Please consult your privacy advisors, who can assess your overall data processing and compliance context. This information may change as laws and regulations evolve.
For more details on privacy compliance, refer to the Matomo ePrivacy Directive for national implementations and website analytics. For general information on the GDPR, its application and scope, read more about What is GDPR?
Steps to comply with the GDPR
If you do process personal data and fall into the territorial and material scope of the GDPR, follow these steps to ensure compliance.
1. Awareness
Ensure that the stakeholders in your organisation know Matomo Analytics is being used to analyse traffic on your websites or apps. This includes informing management, IT staff, and any department involved in data processing. If necessary, share the link to “What is Matomo?”.
2. Understand what data you collect and process
- Review and understand the personal data that your organisation collects, including the data that Matomo collects.
- Internally document the data in a Record of Processing Activities (ROPA). Among other things, this record should include:
  - The types of data collected (e.g., IP addresses, cookie identifiers, page URLs or page titles, User IDs and custom personal data, Ecommerce order IDs, location data, Heatmaps and Session Recordings);
  - The purposes for which the data is processed;
  - The legal basis for processing (e.g., consent, legitimate interest);
  - Retention periods;
  - Security measures in place.
- The types of data and their scope will depend on your Matomo configuration.
Use the ROPA template provided by ICO, which comprises a set of 30 questions regarding your data processing and use of Matomo. Additionally, this article walks you through the list of questions, specifically in the use case of Matomo Analytics. Remember that personal data may be tracked in non-obvious ways, for example, as part of page URLs or page titles.
3. Determine your role
Identify whether your organisation acts as a data controller or processor. Your obligations under the GDPR will be different if you are a controller or processor.
- If you are a website owner and use Matomo On-Premise, you are the controller. Since Matomo On-Premise runs on your own servers, we do not process the personal data for you and we are not a processor. You may have other processors (e.g., your hosting services provider).
- If you are the website owner and use Matomo Cloud, we are your data processors, and our processing is governed by the DPA. Some agencies using Matomo for clients may act as processors on behalf of their clients (who are controllers).
4. Know the lawful basis
Under GDPR, you must have a lawful basis for processing personal data.
There are six different lawful bases you can use under GDPR, but two of them apply to the use of Matomo Analytics: legitimate interest (narrow scope) or consent:
Legitimate Interest:
- You can only rely on legitimate interest provided you carry out a Legitimate Interest Assessment, and
- When it comes to cookies or trackers, only for:
  - functional, strictly necessary cookies or trackers; or
  - use of analytics that is consent-exempt under specific ePrivacy laws.
Consent:
- Required unless exempt under national ePrivacy laws;
- Certain types of processing can only be carried out on the basis of prior consent. For example:
  - Tracking individual visitor profiles,
  - Using live recordings of visitor sessions,
  - Using the personal data to present ads or measure advertising conversions,
  - Sharing the data with third parties such as Google.
Clearly state the lawful basis in your privacy policy page.
5. Inform data subjects
a) Create or update your privacy notice (or privacy policy)
Make sure that your organisation has a privacy notice or privacy policy that is always available to data subjects via a link on your website or app. Make sure that the policy includes all GDPR-required elements. Please refer to the website of the supervisory authority relevant to you; most provide examples of privacy notices or even privacy notice generators for businesses.
Your organisation’s privacy policy must be detailed and correctly reflect its personal data processing practices. We recommend you have it reviewed by both technical and legal experts to ensure it is correct. Keep it up to date.
We provide a Privacy Policy for Matomo users, which you may review and use as a reference. Since privacy policies differ between organisations and depend on your specific data processing activities, we do not recommend copying it directly. Instead, ensure your policy aligns with your organisation’s legal obligations and privacy practices.
b) Add Matomo to your privacy policy
Explain that you use Matomo Analytics and add all the necessary information listed in the ICO checklist. The privacy policy should state that you use Matomo Analytics and, if your organisation uses Matomo Cloud, that InnoCraft Limited, creators of Matomo, are your processors (or subprocessors). You can also add the link to our DPA.
There are many ways to include information about Matomo in your privacy policy. Below is an example description you could include in the section that discloses the recipients or categories of recipients of the personal data you collect:
“We use Matomo Analytics to measure, collect, analyse and report visitors’ data for purposes of understanding and optimising our website.” [If you do more, explain it, for example, if you use session recordings, or you use Matomo to measure advertising conversions, or export the data to Google].
“We collect the following personal data using Matomo… [insert applicable from the list provided here, based on your Matomo configuration].
We process your personal data on the basis of [select applicable] [consent – Art. 6(1)(a) GDPR] [OR] [legitimate interest – Art. 6(1)(f) GDPR].
We store your data for [insert retention period according to your configuration].
Matomo does not use automated decision-making.”
“[If you use Matomo Cloud, but not Matomo On-Premise, you can add] Matomo Cloud data is hosted by AWS Europe in Germany with backups in Ireland. Matomo is provided by InnoCraft Limited, a New Zealand company, who processes your personal data for us on the basis of the Matomo Cloud Data Processing Agreement (DPA) according to our instructions.”
6. Data subjects’ rights
Ensure that your organisation respects all the data subjects’ rights and responds to any data subject request in the prescribed time. Matomo 3.5.0 and later includes privacy management tools to help Matomo customers in responding to data subject requests. Please refer to the GDPR guides for Matomo.
While this article cannot go into the details of how each type of data subject request should be handled, as an example we suggest that the following matters be addressed when responding to access requests:
- Establish a process to handle access requests from data subjects, which includes providing individuals with the personal data your organisation has collected about them using Matomo.
- Data subjects must receive their personal information collected and processed by you in a clear, comprehensible format, supplemented with raw, unstructured data. Providing raw data only is not sufficient.
- The data must be in full, provided in context, and true to the original.
We recommend designing a process that covers roles and responsibilities for dealing with all GDPR data subject requests. Matomo provides a tool to assist its customers in responding to data subject requests in Administration settings > Privacy > GDPR Tools.
7. Consent
If consent is required, it must meet the GDPR criteria for valid consent, be properly recorded and managed, and be easy for data subjects to withdraw. In the context of Matomo Analytics, consent to cookies (and similar technologies) is discussed in the ePrivacy section.
8. Children
If your website or app targets children and uses Matomo, you must adhere to stricter GDPR requirements that protect minors’ data:
- Provide a clear, age-appropriate privacy policy.
- Obtain verifiable parental consent if the child is below the national age of privacy consent:
  - The GDPR sets this age at 16, but allows EU countries to set their own threshold, no lower than 13.
  - For children under this age, consent from a person with parental responsibility is mandatory before any personal data is collected or processed.
  - For example, in France, the digital age of consent is 15; in Germany, it remains at 16, requiring parental consent below this age.
- When configuring Matomo, use its privacy-protecting features and ensure the settings comply with the parental consent you have obtained.
- To stay compliant, consider implementing an age verification mechanism and ensure your staff are trained to handle children’s data responsibly.
- Regularly review guidance from the applicable supervisory authorities to keep your practices aligned with national interpretations of the GDPR.
9. Data breaches
- As you may be collecting personal data with Matomo, it is important to review and test your data breach procedure.
- Understand when to notify data subjects or authorities.
- Read the ICO guidance on personal data breaches.
10. Data Protection by Design and Data Protection Impact Assessments
Establish whether you really need to process personal data within Matomo. If the data you process within Matomo is sensitive or high-risk, we strongly recommend that you carry out a Data Protection Impact Assessment (DPIA). Discuss with your privacy consultant which DPIA template is best suited to your applicable supervisory authority. As an example, free, open source DPIA software is available from CNIL.
11. Data Protection Officers and Authorised Representatives
- Find out if you are required by GDPR to appoint a DPO.
- If you are based outside the EU and the UK, appoint an Art. 27 representative.
- DPOs should consult the guide on What data does Matomo track? to find out what data Matomo can process.
12. International data transfers
- Ensure that data transfers outside the EU comply with GDPR.
- This can include using standard contractual clauses, binding corporate rules, or ensuring transfers are made to countries with adequate data protection laws.
- Matomo On-Premise data is hosted on your servers, wherever you choose.
- Matomo Cloud Data is hosted by AWS Europe in Germany.
- InnoCraft Limited provides the Matomo Cloud services and is based in New Zealand (transfer based on an adequacy decision).