What is GDPR?
The General Data Protection Regulation (GDPR) sets the rules for collecting and handling personal data in the following regions:
- The European Union (EU),
- Countries in the European Economic Area (EEA) that are outside the EU, and
- The United Kingdom (UK).
Since Brexit, the UK follows its own version of GDPR, called the UK GDPR. It is like the EU’s GDPR but applies specifically to individuals in the UK.
This guide will help you understand if the General Data Protection Regulation (GDPR) applies to you. For simplicity, references to the EU or GDPR in this guide include all three regions and their respective versions of the GDPR.
Who needs to follow the GDPR?
GDPR applies to any organisation that collects or processes personal data if it:
Has a presence in the EU:
This includes any stable setup, like an office or local representative, where data processing happens or decisions about data are made.
Does not have a presence in the EU but targets people in the EU by:
- Offering goods or services (even for free) specifically to EU residents; or
- Tracking or monitoring the behaviour of people while they are in the EU.
What data does GDPR apply to?
GDPR defines “personal data” broadly, covering any information that can directly or indirectly identify a person. Examples of personal data include:
- Email addresses, names, phone numbers, payment information.
- Comments, purchase history, geolocation, IP addresses, MAC addresses, visitor identifiers.
- Behavioural data like pages visited, time spent on a website, and browsing patterns.
Data like a random ID may not qualify as personal data unless combined with other identifiers (e.g., IP address, geolocation, cookie IDs).
Does GDPR apply to anonymous information?
- GDPR does not apply to fully anonymised data that cannot identify a person.
- However, it does apply to the collection and processing of data before it is anonymised or aggregated.
When does GDPR not apply?
You are exempt from GDPR if:
You do not process personal data:
This applies only if you never collect personal data at all; collecting personal data and then anonymising it still counts as processing.
You have no presence in the EU/EEA/UK and:
- Do not offer goods or services to people in these regions.
- Do not monitor the behaviour of individuals in these regions.
- Simply using aggregated website analytics without individual profiling or targeted advertising does not count as monitoring behaviour.
Do I need to comply with GDPR if I use Matomo?
To determine GDPR applicability:
- Check if your organisation has a presence in the EU/EEA/UK.
- Assess your digital interactions with individuals in these regions (e.g., targeting goods or services).
Matomo’s default configuration processes personal data, such as IP addresses (masked) and visitor IDs. If GDPR applies, you must ensure Matomo is configured for compliance by:
- Minimising data collection.
- Masking or anonymising IP addresses and geolocation.
- Respecting data subject rights (e.g., access, deletion).
- Limiting data retention periods.
Matomo is designed to help meet GDPR requirements while prioritising user privacy.
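As an added illustration (example code written for this explanation, not Matomo's own code or its configuration API), the following Python applies the masking and retention steps above to a constructed tracking hit. The PrivacySettings field names, the hit fields and the IPv6 rule (blanking four times the IPv4 byte count) are this example's own assumptions; in Matomo the number of masked bytes and the retention period are set in the Privacy Settings UI rather than in code like this.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PrivacySettings:
    """Illustrative switches modelled on the privacy settings the guide
    refers to. The names are this example's own, not Matomo's."""
    mask_ip_bytes: int = 2       # trailing bytes of the address to blank; 0 disables masking
    store_raw_ip: bool = False   # a raw IP is personal data; keep it out of long-term storage
    retention_days: int = 180    # how long individual visit records are kept


def mask_ip(ip: str, mask_bytes: int) -> str:
    """Zero the trailing `mask_bytes` bytes of an IPv4 address.

    For the 16-byte IPv6 form this example blanks four times as many bytes
    so a comparable share of the address is removed (an assumption of this
    example, not a statement of Matomo's IPv6 handling).
    """
    addr = ipaddress.ip_address(ip)
    raw = bytearray(addr.packed)
    n = mask_bytes if addr.version == 4 else mask_bytes * 4
    n = min(n, len(raw))
    if n > 0:
        raw[-n:] = bytes(n)          # bytes(n) is n zero bytes
    return str(ipaddress.ip_address(bytes(raw)))


def anonymise_hit(hit: dict, settings: PrivacySettings) -> dict:
    """Build the record that would be written to the analytics store.

    The inbound hit carries the visitor's real IP and is personal data at
    the moment of collection, even though only the masked form is kept.
    """
    stored = {k: v for k, v in hit.items() if k != "ip"}
    if settings.store_raw_ip:
        stored["ip"] = hit["ip"]                          # weak setting: full IP retained
    else:
        stored["ip"] = mask_ip(hit["ip"], settings.mask_ip_bytes)
    return stored


def expired_records(records: list, today: date, settings: PrivacySettings) -> list:
    """Return the visit records older than the retention period (to be purged)."""
    cutoff = today - timedelta(days=settings.retention_days)
    return [r for r in records if r["visit_date"] < cutoff]


def sample_hits() -> list:
    """Constructed sample hits; the addresses are documentation ranges."""
    return [
        {"ip": "203.0.113.77", "url": "/pricing", "visit_date": date(2023, 12, 1)},
        {"ip": "2001:db8:85a3::8a2e:370:7334", "url": "/docs", "visit_date": date(2024, 6, 30)},
    ]


def main() -> None:
    weak = PrivacySettings(store_raw_ip=True)
    hardened = PrivacySettings()
    for hit in sample_hits():
        print("raw:      ", anonymise_hit(hit, weak)["ip"])
        print("masked:   ", anonymise_hit(hit, hardened)["ip"])
    stale = expired_records(sample_hits(), date(2024, 7, 1), hardened)
    print("to purge: ", [r["url"] for r in stale])


if __name__ == "__main__":
    main()
```

With the hardened settings the IPv4 hit is stored as 203.0.0.0 and the IPv6 hit as 2001:db8:85a3::, so a stored record can no longer be tied back to one visitor on its own; the weak settings keep the full address, which is exactly the personal data the guide says must be minimised.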
- If you need to comply with GDPR, refer to our GDPR guide.
- To find out how to set up Matomo to minimise the data you collect, read more on configuring the Privacy Settings.
- To find out how to configure Matomo to the aggregated, anonymised version approved by CNIL, visit Matomo Analytics – Exemption – Guide de configuration.
The GDPR is also known as…
The General Data Protection Regulation (GDPR) is also known in other countries as:
- Austria: Datenschutz-Grundverordnung (DSGVO)
- Belgium: algemene verordening gegevensbescherming / règlement général sur la protection des données (RGPD)
- Bulgaria: Общ регламент относно защитата на данните
- Croatia: Opća uredba o zaštiti podataka
- Cyprus: Γενικός Κανονισμός για την Προστασία Δεδομένων
- Czech Republic: obecné nařízení o ochraně osobních údajů
- Denmark: generel forordning om databeskyttelse
- Estonia: isikuandmete kaitse üldmäärus
- Finland: yleinen tietosuoja-asetus
- France: règlement général sur la protection des données (RGPD)
- Germany: Datenschutz-Grundverordnung (DSGVO)
- Greece: Γενικός Κανονισμός για την Προστασία Δεδομένων
- Hungary: általános adatvédelmi rendelet
- Ireland: An Rialachán Ginearálta maidir le Cosaint Sonraí / General Data Protection Regulation (GDPR)
- Italy: regolamento generale sulla protezione dei dati (RGPD)
- Latvia: Vispārīgā datu aizsardzības regula
- Lithuania: Bendrasis duomenų apsaugos reglamentas (BDAR)
- Luxembourg: règlement général sur la protection des données (RGPD) / Datenschutz-Grundverordnung (DSGVO)
- Malta: Regolament Ġenerali dwar il-Protezzjoni tad-Data
- The Netherlands: algemene verordening gegevensbescherming
- Poland: ogólne rozporządzenie o ochronie danych
- Portugal: Regulamento Geral sobre a Proteção de Dados (RGPD)
- Romania: Regulamentul general privind protecția datelor
- Slovakia: všeobecné nariadenie o ochrane údajov
- Slovenia: Splošna uredba o varstvu podatkov
- Spain: Reglamento general de protección de datos (RGPD)
- Sweden: Dataskyddsförordning
Outside the EU (EEA-only and the UK)
- Iceland: Almenn persónuverndarreglugerð
- Liechtenstein: Datenschutz-Grundverordnung (DSGVO)
- Norway: Personvernforordningen
- The United Kingdom: UK General Data Protection Regulation (UK GDPR)
Conclusion
GDPR compliance depends on your business structure, data collection practices, and target audience. Matomo equips you with the tools to align with GDPR while safeguarding user privacy. If in doubt, consult privacy advisors to ensure your data practices meet all legal requirements.