Is there any guidance on Matomo and GDPR compliance?
Matomo says that it can be configured to anonymize the data that is tracked and with that, GDPR is not an issue.
The DHIS2 Docs on Matomo config state that the data is anonymized… so are we in the clear on GDPR?
DHIS2: Settings configuration - DHIS2 Documentation
Matomo GDPR info: Settings configuration - DHIS2 Documentation
Hi @chase.freeman .
Thanks for your interest on this. Matomo was added some versions ago in order to provide implementations with the capabilities to capture / monitor analytics related to the mobile devices that might not be found on other logs.
The application will send by default anonymised analytics to our servers that we keep during 3 months in order to improve the development of the app. As an example I am showing you here the typical stats for a user where you can see some information about the profile and the session:
We cannot link this to any user as the user ID (blurred in the image) is a locally generated unique value that we don’t know and therefore we cannot trace back. As you see we get other information like which Android version, screen size and the actions on the App (right column collapsed).
The idea behind being able to set your instance of Matomo is to be able to collect this statistics about the usage on your own server. So far we don’t provide access to our analytics server to any implementation and we are unlikely to change that.
Regarding GDPR, we did our checks and it seems that as we are not capable of linking the user to the information we collect we should be safe. However, if you would implement this in your server and there is away for you to correlate that information (via analysis of other logs) you might need to put other measures in place like being able to delete the information as per user requests.
I hope it helps. I am pinging @Jaime as he might be more precise or correct something in case I am wrong.
Great thanks Jaime. I’ve setup a Matomo instance and confirm all of the things you stated.