How to complete your privacy policy with Matomo analytics under GDPR


Important note: this blog post has been written by digital analysts, not lawyers. The purpose of this article is to show you how to complete your existing privacy policy by adding the parts related to Matomo in order to comply with GDPR. This work comes from our interpretation of guidance from the UK privacy commission, the ICO. It cannot be considered professional legal advice. Like GDPR itself, this information is subject to change. We strongly advise you to consult the different privacy authorities in order to have up-to-date information. This blog post contains public sector information licensed under the Open Government Licence v3.0.

Neither the official GDPR text nor the ICO mentions the words ‘privacy policy’. They use the words ‘privacy notice’ instead. As explained in our previous blog post, “How to write a privacy notice for Matomo”, the key concepts of privacy information are transparency and accessibility, which make the privacy notice very long.

As a result, we prefer splitting the privacy notice into two parts:

  • Privacy notice: straight-to-the-point information about how personal data is processed at the time of the data collection. This is the subject of our previous blog post.
  • Privacy policy: a web page explaining in detail all the personal data you are processing and how visitors/users can exercise their rights. This is the blog post you are reading.

Writing/updating your privacy policy page can be one of the most challenging tasks under GDPR.

In order to make this mission less complicated, we have designed a template which you can use to complete the privacy policy part that concerns Matomo.

Which information should your privacy policy include?

The ICO gives a clear checklist of what a privacy policy has to contain when the data is obtained from the data subject:

  1. Identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer.
  2. Purpose of the processing and the legal basis for the processing.
  3. The legitimate interests of the controller or third party, where applicable.
  4. Any recipient or categories of recipients of the personal data.
  5. Details of transfers to third country and safeguards.
  6. Retention period or criteria used to determine the retention period.
  7. The existence of each of data subject’s rights.
  8. The right to withdraw consent at any time, where relevant.
  9. The right to lodge a complaint with a supervisory authority.
  10. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.
  11. The existence of automated decision-making, including profiling and information about how decisions are made, the significance and the consequences.

So in order to use Matomo with due respect to GDPR you need to answer each of those points within your privacy policy.

Matomo’s privacy policy template

Below you will find example answers for each point requested by GDPR. Those answers are just guidelines and are not perfect; feel free to copy/paste them according to your needs.

Note that this template needs to be tweaked according to the lawful basis you choose.

1 – About Matomo

Note: this part should describe the data controller instead, which is your company. But as you may already have included this part within your existing privacy policy, we prefer here to introduce what Matomo is.

Matomo is an open source web analytics platform. A web analytics platform is used by a website owner in order to measure, collect, analyse and report visitors data for purposes of understanding and optimizing their website. If you would like to see what Matomo looks like, you can access a demo version at: https://demo.matomo.cloud.

2 – Purpose of the processing

Matomo is used to analyse the behaviour of website visitors in order to identify potential pitfalls: not-found pages, search engine indexing issues, which content is the most appreciated… Once the data is processed (number of visitors reaching a not-found page, viewing only one page…), Matomo generates reports so that website owners can take action, for example by changing the layout of the pages or publishing fresh content.

Matomo is processing the following personal data:

Pick the ones you are using:

  • Cookies
  • IP address
  • User ID
  • Custom Dimensions
  • Custom Variables
  • Order ID
  • Location of the user

And also:

  • Date and time
  • Title of the page being viewed
  • URL of the page being viewed
  • URL of the page that was viewed prior to the current page
  • Screen resolution
  • Time in local timezone
  • Files that were clicked and downloaded
  • Link clicks to an outside domain
  • Pages generation time
  • Country, region, city
  • Main Language of the browser
  • User Agent of the browser

This list can be completed with additional features such as:

  • Session recording, mouse events (movements, content forms and clicks)
  • Form interactions
  • Media interactions
  • A/B Tests

Pick one of the two:

  1. The processing of personal data with Matomo is based on legitimate interests, or:
  2. The processing of personal data with Matomo is based on explicit consent. Your privacy is our highest concern. That’s why we will not process any personal data with Matomo unless you give us clear explicit consent.

3 – The legitimate interests

This content applies only if you are processing personal data based on legitimate interests. Here you need to justify your legitimate interests in processing personal data. It is a set of questions described here.

Processing your personal data such as cookies is helping us identify what is working and what is not on our website. For example, it helps us identify if the way we are communicating is engaging or not and how we can organize the structure of the website better. Our team is benefiting from the processing of your personal data, and they are directly acting on the website. By processing your personal data, you can profit from a website which is getting better and better.

Without the data, we would not be able to provide you the service we are currently offering to you. Your data will be used only to improve the user experience on our website and help you find the information you are looking for.

4 – Recipient of the personal data

The personal data received through Matomo are sent to:

  • Our company.
  • Our service provider: name and contact details of the web hosting provider.

Note: If you are using the Matomo Analytics Cloud by InnoCraft, the service provider is “InnoCraft, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand”. (Matomo cloud privacy policy)

5 – Details of transfers to third country and safeguards

Matomo data is hosted in Name of the country.

If the country mentioned is not within the EU, you need to mention here the appropriate safeguards, for example: our data is hosted in the United States within company XYZ, registered to the Privacy Shield program.

Note: The Matomo Analytics Cloud by InnoCraft is currently hosted in Germany and Ireland for backup. If you are using the cloud-hosted solution of Matomo, use “Germany” as the name of the country.

6 – Retention period or criteria used to determine the retention period

We are keeping the personal data captured within Matomo for a period of indicate here the period.

Justify your choice, for example: as our data is hosted in France, we are applying the French law which defines a retention period of no more than 13 months. You can set the retention period in Matomo by using the data retention feature.

7 – The existence of each of the data subject’s rights

If you are processing personal data with Matomo based on legitimate interest:

As Matomo is processing personal data on legitimate interests, you can exercise the following rights:

  • Right of access: you can ask us at any time to access your personal data.
  • Right to erasure: you can ask us at any time to delete all the personal data we are processing about you.
  • Right to object: you can object to the tracking of your personal data by using the following opt-out feature:

Insert here the opt-out feature.

If you are processing personal data with Matomo based on explicit consent:

As Matomo is processing personal data on explicit consent, you can exercise the following rights:

  • Right of access: you can ask us at any time to access your personal data.
  • Right to erasure: you can ask us at any time to delete all the personal data we are processing about you.
  • Right to portability: you can ask us at any time for a copy of all the personal data we are processing about you in Matomo.
  • Right to withdraw consent: you can withdraw your consent at any time by clicking on the following button.

8 – The right to withdraw consent at any time

If you are processing personal data under the consent lawful basis, you need to include the following section:

You can withdraw your consent at any time by clicking here (insert here the Matomo tracking code to remove consent).

9 – The right to lodge a complaint with a supervisory authority

If you think that the way we process your personal data with Matomo analytics is infringing the law, you have the right to lodge a complaint with a supervisory authority.

10 – Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data

If you wish us to not process any personal data with Matomo, you can opt-out from it at any time. There will be no consequences at all regarding the use of our website.

11 – The existence of automated decision-making, including profiling and information about how decisions are made, the significance and the consequences

Matomo is not doing any profiling.

That’s the end of our blog post. We hope you enjoyed reading it and that it will help you get through the GDPR compliance process. If you have any questions dealing with this privacy policy in particular, do not hesitate to contact us.
