Piwik

# open source web analytics

http://piwik.org/

Les articles publiés sur le site

  • Lawful basis for processing personal data under GDPR with Matomo

    30 avril 2018, par InnoCraft

    Disclaimer: this blog post has been written by digital analysts, not lawyers. The purpose of this article is to explain what is a lawful basis and which one you can use with Matomo in order to be GDPR compliant. This work comes from our interpretation of the following web page from the UK privacy commission: ICO. It cannot be considered as professional legal advice. So as GDPR, this information is subject to change. GDPR may be also known as DSGVO in German, BDAR in Lithuanian, RGPD in Spanish, French, Italian, Portuguese. This blog post contains public sector information licensed under the Open Government Licence v3.0.

    The golden rule under GDPR is that you need to have a lawful basis in order to process personal data. Note that it is possible to not process personal data with Matomo. When you do not collect any personal data, then you do not need to determine a lawful basis and this article wouldn’t apply to you.

    “If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle.“

    Source: ICO, based on article 6 of GDPR.

    As you may process personal data in Matomo, you have to:

    1. define a lawful basis.
    2. document your choice.
    3. inform your visitor about it in a privacy notice.

    Even if you think you don’t process personal data, we recommend reading this post about personal data in Matomo (personal data may be hidden in many ways).

    Note that if you are processing special category data (ethnic origin, politics, religion, trade union membership…) or criminal offence data; extra responsibilities are applied, and we will not detail them in this blog post.

    1 – Define a lawful basis

    There are 6 different lawful bases all defined within article 6 of the GDPR official text:

    1. Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
    2. Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
    3. Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
    4. Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
    5. Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.
    6. Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party; except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

    As you can see, most of them are not applicable to Matomo. As ICO is mentioning it within their documentation:

    “In many cases you are likely to have a choice between using legitimate interests or consent.”

    “Consent” or “Legitimate interests”: which lawful basis is the best when using Matomo?

    Well, there is no right or wrong answer here.

    In order to make this choice, ICO listed on their website different questions you should keep in mind:

    • Who does the processing benefit?
    • Would individuals expect this processing to take place?
    • What is your relationship with the individual?
    • Are you in a position of power over them?
    • What is the impact of the processing on the individual?
    • Are they vulnerable?
    • Are some of the individuals concerns likely to object?
    • Are you able to stop the processing at any time on request?

    From our perspective, “Legitimate interests” should be used in most of the cases as:

    • The processing benefits to the owner of the website and not to a third party company.
    • A user expects to have their data kept by the website itself.
    • Matomo provides many features in order to show how personal data is processed and how users can exercise their rights.
    • As the data is not used for profiling, the impact of processing personal data is very low.

    But once more, it really depends; if you are processing personal data which may represent a risk to the final user, then getting consent is for us the right lawful basis.

    If you are not sure, at the time of writing ICO is providing a tool in order to help you make this decision:

    Note that once you choose a lawful basis, it is highly recommended not to switch to another unless you have a good reason.

    What are the rights that a data subject can exercise?

    According to the lawful basis you choose for processing personal data with Matomo, your users will be able to exercise different rights:

    Right to be informed Right of access Right to erasure Right to portability Right to object Right to withdraw consent
    Legitimate interests X X X X
    Consent X X X X X

     

    • Right to be informed: whatever the lawful basis you choose, you need to inform your visitor about it within your privacy notice.
    • Right of access: as described in article 15 of GDPR. Your visitor has the right to access the personal data you are processing about them. You can exercise their right directly within the page “GDPR Tools” in your Matomo.
    • Right to erasure: it means that a visitor will be able to ask you to erase all their data. You can exercise the right to erasure directly within the page “GDPR Tools” in your Matomo.
    • Right to portability: it means that you need to export the data which concern the individual in a machine-readable format and provide them with their personal data. You can exercise  their right directly within the page “GDPR Tools” in your Matomo.
    • Right to object: it means that your visitor has the right to say no to the processing of their personal data. In order to exercise this right, you need to implement the opt-out feature on your website.
    • Right to withdraw consent: it means that your visitor can remove their consent at any time. We developed a feature in order to do just that. You can learn more by opening the page “Privacy > Asking for consent” in your Matomo.

    2 – Document your choice

    Once you choose “Legitimate interests” or “Consent” lawful basis, you will have some obligations to fulfill. From our interpretation, “Legitimate interests” means writing more documentation, “Consent” means a more technical approach.

    What should I do if I am processing personal data with Matomo based on “Legitimate interests?

    ICO is providing a checklist for “Legitimate interests”, below is our interpretation:

    • Check that legitimate interests is the most appropriate lawful basis.

    Our interpretation: document and justify why you choose this lawful basis in particular. This tool from ICO can help you.

    • Understand your responsibility to protect the individual’s interests.

    Our interpretation: you need to take all the measures in order to protect your users privacy and data security. Please refer to our guide in order to secure your Matomo installation.

    • Conduct a legitimate interests assessment (LIA) and keep a record of it to ensure that you can justify your decision. This document is composed of a set of questions on those 3 key concerns: 1) purpose, 2) necessity, 3) balancing.

    1) Purpose:

    • Why do you want to process the data – what are you trying to achieve?
    • Who benefits from the processing? In what way?
    • Are there any wider public benefits to the processing?
    • How important are those benefits?
    • What would the impact be if you couldn’t go ahead?
    • Would your use of the data be unethical or unlawful in any way?

    2) Necessity:

    • Does this processing actually help to further that interest?
    • Is it a reasonable way to go about it?
    • Is there another less intrusive way to achieve the same result?

    3) Balancing:

    • What is the nature of your relationship with the individual?
    • Is any of the data particularly sensitive or private?
    • Would people expect you to use their data in this way?
    • Are you happy to explain it to them?
    • Are some people likely to object or find it intrusive?
    • What is the possible impact on the individual?
    • How big an impact might it have on them?
    • Are you processing children’s data?
    • Are any of the individuals vulnerable in any other way?
    • Can you adopt any safeguards to minimise the impact?
    • Can you offer an opt-out?
    • Identify the relevant legitimate interests.
    • Check that the processing is necessary and there is no less intrusive way to achieve the same result.
    • Perform a balancing test, and be confident that the individual’s interests do not override those legitimate interests.
    • Use individuals’ data in ways they would reasonably expect, unless you have a very good reason.

    Our interpretation: use those data to improve user experience for example.

    • Do not use people’s data in ways they would find intrusive or which could cause them harm, unless you have a very good reason.

    Our interpretation: ask yourself if this data is representing a risk for the individuals.

    • If you process children’s data, take extra care to make sure you protect their interests.
    • Consider safeguards to reduce the impact where possible.

    Our interpretation: Check if your web hosting provider is providing appropriate safeguards.

    • Consider whether you can offer an opt out.

    Our interpretation: Matomo is providing you the opt-out feature.

    • If your LIA identifies a significant privacy impact, consider whether you also need to conduct a DPIA.

    Our interpretation: A DPIA can easily be conducted by using this software from the French privacy commission.

    • Regularly review your LIA and update it when circumstances change.
    • Include information about your legitimate interests in your privacy information.

    As you see, going for “Legitimate interests” requires a lot of written documentation. Let’s see how “Consent” differ.

    What should I do if I am processing personal data with Matomo based on “Consent”?

    As previously mentioned, using “Consent” rather than “Legitimate interests” is more technical but less intense in terms of documentation. Like for “Legitimate interests”, ICO is providing a checklist for “Consent” which is divided into 3 key categories: 1) asking for consent, 2) recording consent, and 3) managing consent.

    1. Asking for consent:
      1. Check that consent is the most appropriate lawful basis for processing.
      2. Make the request for consent prominent and separate from your terms and conditions.
      3. Ask people to positively opt in. Don’t use pre-ticked boxes or any other type of default consent.
      4. Use clear, plain language that is easy to understand.
      5. Specify why you want the data and what you are going to do with it.
      6. Give individual (‘granular’) options to consent separately to different purposes and types of processing.
      7. Name your organisation and any third party controllers who will be relying on the consent.
      8. Tell individuals they can withdraw their consent.
      9. Ensure that individuals can refuse to consent without detriment.
      10. Avoid making consent a precondition of a service.
      11. If you offer online services directly to children, only seek consent if you have age-verification measures (and parental-consent measures for younger children) in place.
    2. Recording consent:
      1. Keep a record of when and how you got consent from the individual.
      2. Keep a record of exactly what you told them at the time.
    3. Managing consent:
      1. Regularly review consents to check that the relationship, the processing and the purposes have not changed.
      2. Have processes in place to refresh consent at appropriate intervals, including any parental consent.
      3. Consider using privacy dashboards or other preference-management tools as a matter of good practice.
      4. Make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
      5. Act on withdrawals of consent as soon as you can.
      6. Don’t penalise individuals who wish to withdraw consent.

      3 – Inform your visitor about it in a privacy notice

      Privacy notices are an important part within the GDPR process. Read our blog post dedicated to privacy notices to learn more.

      We really hope you enjoyed reading this blog post. Please have a look at our Matomo GDPR guide for more information.

    The post Lawful basis for processing personal data under GDPR with Matomo appeared first on Analytics Platform - Matomo.

  • GDPR compliance for Matomo’s Premium Features like Heatmaps & Session Recording, Form Analytics, Media Analytics & co

    27 avril 2018, par InnoCraft

    The General Data Protection Regulation (EU) 2016/679, also referred to as RGPD in French, Datenschutz-Grundverordnung, DS-GVO in German, is fast-approaching. It is now less than 30 days until GDPR applies to most businesses around the world on 25th May 2018. If you haven’t heard of this new regulation yet, I recommend you check out our GDPR guide which we continue to expand regularly to get you up to speed with it.

    GDPR compliance in Matomo

    We are currently adding several new features to Matomo to get you GDPR ready. You will have for example the possibility to delete and export data for data subjects, delete and anonymize previously tracked data, anonymize the IP address and location, ask for consent, and more. A beta version with these features is already available. We will release more blog posts and user guides about these features soon and just recently published a post on how to avoid collecting personal information in the first place soon.

    If you are still using Piwik, we highly recommend you update to a recent version of Matomo as all versions of Piwik will NOT be GDPR compliant.

    GDPR compliance for premium features

    InnoCraft, the company of the makers of Matomo, are offering various premium features for your self-hosted Matomo so you can be sure to make the right decisions and continuously grow your business. These features are also available on the cloud-hosted version of Matomo.

    If you are now wondering how GDPR applies to these features, you will be happy to hear that none of them collect any personal information except for possibly Heatmaps & Session Recording and the WooCommerce integration. All of them also support all the new upcoming GDPR features like the possibility to export and delete data. It is important that you update your Matomo Premium Features to the latest version to use these features.

    Making Heatmaps & Session Recording GDPR compliant

    We have added several new features to make it easy for you to be GDPR compliant and in many cases you might not even have to do anything. Some of the changes include:

    • Keystrokes (text entered into form fields) are no longer captured by default.
    • You may enable the capturing of keystrokes, and all keystrokes will be anonymized by default.
    • You may whitelist certain form fields to be recorded in plain text. However, fields that likely contain personal or sensitive information like passwords, phone numbers, addresses, credit card details, names, email addresses, and more will be always anonymized to protect user privacy. (this has always been the case but we have now included many more fields).

    How personal information may still be recorded

    Nevertheless, Heatmaps and Session Recordings may still record personal or sensitive information if you show them as part of the regular website as plain text (and not as part of a form field). The below example shows an email address for a paypal account as well as a name and VAT information as a regular content.

    To anonymize such information, simply add a data-matomo-mask attribute to your website:

    <span data-matomo-mask>example@example.com</span>

    You can read more about this in the developer guide “Masking content on your website”.

    WooCommerce Integration

    The WooCommerce integration may record an Order ID when a customer purchases something on your shop. As the Order ID is an identifier which could be linked with your shop to identify an individual, it may be considered as personal information. Matomo now offers an option to automatically anonymize this Order ID so it is no longer considered as personal information. To enable this feature, log in to your Matomo and go to “Administration => Anonymize Data”.

    GDPR compliance for third party plugins on the Matomo Marketplace

    The Matomo Marketplace currently features over 80 free plugins. Over 50 of them are compatible with the latest Matomo 3.X version and most of them should support Matomo’s new GDPR features out of the box. If you are concerned by GDPR and are not sure if a third party plugin stores any personal information, we highly recommend you ask the developer of this plugin about the compliance.

    You can find a link to the plugin’s issue tracker by going to a plugin page and then clicking on “Github” on the bottom right.

    If you are a plugin developer, please read our developer guide “GDPR & How do I make my Matomo plugin compliant”.

    The post GDPR compliance for Matomo’s Premium Features like Heatmaps & Session Recording, Form Analytics, Media Analytics & co appeared first on Analytics Platform - Matomo.

  • How to complete your privacy policy with Matomo analytics under GDPR

    25 avril 2018, par InnoCraft

    Important note: this blog post has been written by digital analysts, not lawyers. The purpose of this article is to show you how to complete your existing privacy policy by adding the parts related to Matomo in order to comply with GDPR. This work comes from our interpretation of the UK privacy commission: ICO. It cannot be considered as professional legal advice. So as GDPR, this information is subject to change. We strongly advise you to have a look at the different privacy authorities in order to have up to date information. This blog post contains public sector information licensed under the Open Government Licence v3.0.

    Neither the GDPR official text or ICO are mentioning the words ‘privacy policy’. They use the words ‘privacy notice’ instead. As explained within our previous blog post about “How to write a privacy notice for Matomo”, the key concepts of privacy information are transparency and accessibility which are making the privacy notice very long.

    As a result, we prefer splitting the privacy notice into two parts:

    • Privacy notice: straight to the point information about how personal data is processed at the time of the data collection. This is the subject of the our previous blog post.
    • Privacy policy: a web page explaining in detail all the personal data you are processing and how visitors/users can exercise their rights. This is the blog post you are reading.

    Writing/updating your privacy policy page can be one of the most challenging task under GDPR.

    In order to make this mission less complicated, we have designed a template which you can use to complete the privacy policy part that concerns Matomo.

    Which information should your privacy policy include?

    ICO is giving a clear checklist about what a privacy policy has to contain when the data is obtained from the data subject:

    1. Identity and contact details of the controller and where applicable, the controller’s representative and the data protection officer.
    2. Purpose of the processing and the legal basis for the processing.
    3. The legitimate interests of the controller or third party, where applicable.
    4. Any recipient or categories of recipients of the personal data.
    5. Details of transfers to third country and safeguards.
    6. Retention period or criteria used to determine the retention period.
    7. The existence of each of data subject’s rights.
    8. The right to withdraw consent at any time, where relevant.
    9. The right to lodge a complaint with a supervisory authority.
    10. Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.
    11. The existence of automated decision-making, including profiling and information about how decisions are made, the significance and the consequences.

    So in order to use Matomo with due respect to GDPR you need to answer each of those points within your privacy policy.

    Matomo’s privacy policy template

    You will find below some examples to each point requested by GDPR. Those answers are just guidelines, they are not perfect, feel free to copy/paste them according to your needs.

    Note that this template needs to be tweaked according to the lawful basis you choose.

    1 – About Matomo

    Note: this part should describe the data controller instead, which is your company. But as you may already have included this part within your existing privacy policy, we prefer here to introduce what is Matomo.

    Matomo is an open source web analytics platform. A web analytics platform is used by a website owner in order to measure, collect, analyse and report visitors data for purposes of understanding and optimizing their website. If you would like to see what Matomo looks like, you can access a demo version at: https://demo.matomo.org.

    2 – Purpose of the processing

    Matomo is used to analyse the behaviour of the website visitors to identify potential pitfalls; not found pages, search engine indexing issues, which contents are the most appreciated… Once the data is processed (number of visitors reaching a not found pages, viewing only one page…), Matomo is generating reports for website owners to take action, for example changing the layout of the pages, publishing some fresh content… etc.

    Matomo is processing the following personal data:

    Pick up the one you are using:

    • Cookies
    • IP address
    • User ID
    • Custom Dimensions
    • Custom Variables
    • Order ID
    • Location of the user

    And also:

    • Date and time
    • Title of the page being viewed
    • URL of the page being viewed
    • URL of the page that was viewed prior to the current page
    • Screen resolution
    • Time in local timezone
    • Files that were clicked and downloaded
    • Link clicks to an outside domain
    • Pages generation time
    • Country, region, city
    • Main Language of the browser
    • User Agent of the browser

    This list can be completed with additional features such as:

    • Session recording, mouse events (movements, content forms and clicks)
    • Form interactions
    • Media interactions
    • A/B Tests

    Pick up one of the two:

    1. The processing of personal data with Matomo is based on legitimate interests, or:
    2. The processing of personal data with Matomo is based on explicit consent. Your privacy is our highest concern. That’s why we will not process any personal data with Matomo unless you give us clear explicit consent.

    3 – The legitimate interests

    This content applies only if you are processing personal data based on legitimate interests. You need here to justify your legitimate interests to process personal data. It is a set of questions described here.

    Processing your personal data such as cookies is helping us identify what is working and what is not on our website. For example, it helps us identify if the way we are communicating is engaging or not and how we can organize the structure of the website better. Our team is benefiting from the processing of your personal data, and they are directly acting on the website. By processing your personal data, you can profit from a website which is getting better and better.

    Without the data, we would not be able to provide you the service we are currently offering to you. Your data will be used only to improve the user experience on our website and help you find the information you are looking for.

    4 – Recipient of the personal data

    The personal data received through Matomo are sent to:

    • Our company.
    • Our web hosting provider: name and contact details of the web hosting provider.

    Note: If you are using the Matomo Analytics Cloud by InnoCraft the web hosting provider is “InnoCraft, 150 Willis St, 6011 Wellington, New Zealand“.

    5 – Details of transfers to third country and safeguards

    Matomo data is hosted in Name of the country.

    If the country mentioned is not within the EU, you need to mention here the appropriate safeguards, for example: our data is hosted in the United States within company XYZ, registered to the Privacy Shield program.

    Note: The Matomo Analytics Cloud by InnoCraft is currently hosted in France. If you are using the cloud-hosted solution of Matomo, use “France” as name of the country.

    6 – Retention period or criteria used to determine the retention period

    We are keeping the personal data captured within Matomo for a period of indicate here the period.

    Justify your choice, for example: as our data is hosted in France, we are applying the French law which defines a retention period of no more than 13 months. You can set the retention period in Matomo by using the following feature.

    7 – The existence of each of the data subject’s rights

    If you are processing personal data with Matomo based on legitimate interest:

    As Matomo is processing personal data on legitimate interests, you can exercise the following rights:

    • Right of access: you can ask us at any time to access your personal data.
    • Right to erasure: you can ask us at any time to delete all the personal data we are processing about you.
    • Right to object: you can object to the tracking of your personal data by using the following opt-out feature:

    Insert here the opt-out feature.

    If you are processing personal data with Matomo based on explicit consent:

    As Matomo is processing personal data on explicit consent, you can exercise the following rights:

    • Right of access: you can ask us at any time to access your personal data.
    • Right to erasure: you can ask us at any time to delete all the personal data we are processing about you.
    • Right to portability: you can ask us at any time for a copy of all the personal data we are processing about you in Matomo.
    • Right to withdraw consent: you can withdraw your consent at any time by clicking on the following button.

    8 – The right to withdraw consent at any time

    If you are processing personal data under the consent lawful basis, you need to include the following section:

    You can withdraw at any time your consent by clicking here (insert here the Matomo tracking code to remove consent).

    9 – The right to lodge a complaint with a supervisory authority

    If you think that the way we process your personal data with Matomo analytics is infringing the law, you have the right to lodge a complaint with a supervisory authority.

    10 – Whether the provision of personal data is part of a statutory or contractual requirement; or obligation and possible consequences of failing to provide the personal data

    If you wish us to not process any personal data with Matomo, you can opt-out from it at any time. There will be no consequences at all regarding the use of our website.

    11 – The existence of automated decision-making, including profiling and information about how decisions are made, the significance and the consequences

    Matomo is not doing any profiling.

     

    That’s the end of our blog post. We hope you enjoyed reading it and that it will help you get through the GDPR compliance process. If you have any questions dealing with this privacy policy in particular, do not hesitate to contact us.

    The post How to complete your privacy policy with Matomo analytics under GDPR appeared first on Analytics Platform - Matomo.

  • How to get your Matomo plugin ready for GDPR

    24 avril 2018, par Matomo Core Team

    Are you developing a plugin for your self-hosted Matomo? Have you maybe published a plugin on the Matomo Marketplace? Then we highly recommend you read this article.

    On 25th May 2018, new privacy regulations become effective called GDPR (General Data Protection Regulation) which applies to businesses worldwide. It is also known under different wordings in other countries, for example to RGPD in French and Datenschutz-Grundverordnung, DS-GVO in German.

    If your plugin is storing any personal information or tracks or imports any data, we highly recommend you give the GDPR guide a read. You may also want to read our blog as we are releasing new content about GDPR regularly.

    In Matomo 3.5.0, we will introduce new features for GDPR and we implemented it in a way that most – but not all – plugins will support these features out of the box without having to do anything.

    Nevertheless, we recommend every plugin developer to check out our developer guide on how to make your plugin GDPR compliant to see what you need to do. A beta version of Matomo 3.5.0 is already available so you can test these new features. You can find them by logging in to your Matomo and going to “Administration => Privacy”.

    Please note that any version of Piwik will not be GDPR compliant, so it is recommended that your plugin supports the latest version of Matomo (3.5.0+).

    The post How to get your Matomo plugin ready for GDPR appeared first on Analytics Platform - Matomo.

  • How should I write my privacy notice for Matomo Analytics under GDPR ?

    24 avril 2018, par InnoCraft

    Important note: this blog post has been written by digital analysts, not lawyers. The purpose of this article is to show you an example of a privacy notice for Matomo under GDPR. This work comes from our interpretation of the UK privacy commission: ICO. It cannot be considered as professional legal advice. So as GDPR, this information is subject to change. We strongly advise you to have a look at the different privacy authorities in order to have up to date information.

    A basic rule of thumb is that if you are not processing personal data, then you do not need to show any privacy notice. But if you are doing so, such as processing full IP addresses, then a privacy notice is required at the time of the data collection. Please note that personal data may also be hidden, for example, in page titles or page URLs.

    In this blog post, we will define what a privacy notice is according to GDPR and how to write it if you are using Matomo and you are processing personal data.

    What is a privacy notice under GDPR?

    One of the most important rights that a data subject has under GDPR, is the right to be informed about the collection and use of their personal data.

    Here is what ICO is saying about the privacy notice:

    “You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.”

    “When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.”

    Note that a privacy notice is different from a privacy policy.

    The privacy notice has to include:

    • the reasons why you are processing the personal data
    • for how long
    • who the different parties you are going to share them with are

    So whatever lawful basis you are using (explicit consent or legitimate interest), you need to have a privacy notice if you collect personal data.

    What does this privacy notice look like?

    ICO is providing best practices in order to display the information:

    • a layered approach
    • dashboards
    • just-in-time notices
    • icons
    • mobile and smart device functionalities

    Once more, it really depends on the data you are processing with Matomo. If you wish to track personal data on the entire website, you will probably have an upper or footer privacy notice such as:

    If you wish to process specific data, you could also insert just-in-time notices such as:

    What is the information you need to disclose to the final user?

    To us, there are two things to distinguish between the privacy notice and the privacy policy.

    According to ICO, the privacy notice needs to include the 3 following elements:

    • the reasons why you are processing the personal data
    • for how long
    • who are the different parties you are going to share them with

    But you also need to inform them about:

    • The name and contact details of your organisation.
    • The name and contact details of your representative (if applicable).
    • The contact details of your data protection officer (if applicable).
    • The purposes of the processing.
    • The lawful basis for the processing.
    • The legitimate interests for the processing (if applicable).
    • The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
    • The recipients or categories of recipients of the personal data.
    • The details of transfers of the personal data to any third countries or international organisations (if applicable).
    • The retention periods for the personal data.
    • The rights available to individuals in respect of the processing.
    • The right to withdraw consent (if applicable).
    • The right to lodge a complaint with a supervisory authority.
    • The source of the personal data (if the personal data is not obtained from the individual it relates to).
    • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
    • The details of the existence of automated decision-making, including profiling (if applicable).

    Pretty long, don’t you think? In order to reduce it, you can either adopt a layered approach where your “pop-up” window will act as a drop down menu. Or from what we understood, page 5 of this document provided by ICO, a privacy notice can link to a more detailed document, such as a privacy policy page.

    Examples

    Let’s take the example of a website which tracks the non-anonymised full IP address, and using User ID functionality to keep track of logged-in users. Under GDPR, the owner of the website will have to choose either to process personal data based on “Legitimate interests” or on “Consent”. Here is how it will look like:

    Example of a privacy notice under GDPR Legitimate interests

    This site uses Matomo to analyze traffic and help us to improve your user experience.

    We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform. Please read our Privacy Policy to learn more.

    Example of a privacy notice under GDPR Consent

    This site uses Matomo to analyze traffic and help us to improve your user experience.

    We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform.

    [Accept] or [Opt-out]

    Please read our Privacy Policy to learn more.

    Once that information is provided to the user, you can then link it to your privacy policy where you will provide more details about it. Soon we will issue a blog post dealing with how to write a privacy policy page for Matomo.

    The post How should I write my privacy notice for Matomo Analytics under GDPR? appeared first on Analytics Platform - Matomo.

Navigation

Sites Web