Privacy Battles
Matomo: Privacy Score 94%
Google Analytics: Privacy Score 50%

Designated DPO or GDPR correspondent

Matomo:

The DPO is external: ePrivacy GmbH, which can be reached at privacy@matomo.org or by post.

Google Analytics:

Google doesn't mention having a DPO but has a dedicated privacy help center whose contact details are available on its website: https://support.google.com/policies/answer/9581826?hl=en&visit_id=637842217867882507-4117401368&rd=1

Privacy Policy

Google Analytics:

Regarding cloud & website: https://policies.google.com/privacy

However, this policy covers a broad scope that includes various Google applications and services (including Analytics), which makes it difficult to understand for both controllers and data subjects.

Country & Type of Data storage

Matomo:

Company Headquarters:
New Zealand 🇳🇿

Storage Facilities:
Servers, databases and logs are hosted in Frankfurt, Germany (cloud provider is AWS New Zealand). Offsite backups are stored in Dublin, Ireland.

Matomo Analytics can also be hosted on the client's premises.

Google Analytics:

Company Headquarters:
Ireland (EU)

Storage Facilities:
Google has cloud servers all over the world but (except for the US) doesn’t specify in which countries.

Data transfers outside the EU

Matomo:

The adequate level of protection in New Zealand has been approved by the European Commission.

Every transfer of personal data by Matomo to a country which is not a member state of either the EU or the EEA is subject to the prior consent of the controller.

Google Analytics:

Personal data is transferred outside the European Union, whether these transfers are based on adequacy decisions of the European Commission or on Standard Contractual Clauses (SCCs).

However, the European Court of Justice has deemed SCCs insufficient for transferring personal data to US servers, which makes complementary data protection measures necessary. The French Data Protection Authority (CNIL) has in turn considered the complementary measures put in place by Google (user ID pseudonymisation, IP address anonymisation, etc.) not effective enough to protect data against intelligence agencies.

Legal tools for Subcontractors

Matomo:

Subcontractors are subject to written agreements substantially similar to Matomo’s DPA: https://fr.matomo.org/matomo-cloud-dpa/

Matomo has made public its list of subprocessors: https://fr.matomo.org/matomo-cloud-privacy-policy/

Prior to modifying the list of subprocessors, the controller will be notified by email and is able to object.

Google Analytics:

Subcontractors are subject to written agreements substantially similar to Google’s DPA: https://business.safety.google/intl/en/adsprocessorterms/

Google has made public its list of subprocessors: https://business.safety.google/intl/en/adssubprocessors/

Before onboarding subprocessors, Google conducts an audit of the security and privacy practices of subprocessors to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.

30 days prior to modifying the list of subprocessors, the controller will be notified by email and is able to object by terminating the contract.

Data Breach Notification

Matomo:

In case of a data breach, Matomo will inform the controller by email without undue delay and provide a description of the incident as well as periodic updates, including the impact on the controller.

Google Analytics:

If Google becomes aware of a Data Incident, Google will notify controllers promptly and without undue delay; and promptly take reasonable steps to minimise harm and secure personal data. Google will deliver its notification by email, phone call or an in-person meeting.

Right Requests Process

Matomo:

Data requests will be forwarded to the controller without delay.

Google Analytics:

Rights of deletion and portability can be fulfilled by the controllers directly through the SaaS.

If Google receives a request from a data subject, controllers authorize Google to respond directly to the data subject’s request or to advise the data subject to submit their request to the appropriate controller.

Google commits to assist controllers in fulfilling their obligations to respond to requests for exercising the data subject’s rights.

Data Privacy Impact Assessment

Matomo:

Matomo will provide assistance to the controller for DPIAs.

Google Analytics:

Google assists controllers in ensuring compliance with their obligations in respect of DPIAs and prior consultation.

Employee Trainings

Matomo:

All employees required to access the personal data are deemed informed of the confidential nature of the personal data.

Google Analytics:

Google ensures all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security Policy

Matomo:

Matomo doesn’t mention having a security policy.

Google Analytics:

Google has obtained and maintained an ISO 27001 certification, for which a security policy is necessary.

Organizational and Technical Security Measures

Matomo:

Server security:
Cloud security relying on Amazon New Zealand.

Other measures:
User authentication, authorization management, virtual private cloud implementation, firewall rules, bug bounty program, security training for employees, encrypted data in transit (HTTPS) and at rest, access logging and alerting, security incident tracking, replication of data backups.

Google Analytics:

Google has obtained and maintained an ISO 27001 certification, for which a security policy is necessary.

Data Encryption

Matomo:

Data is encrypted in transit (HTTPS) and at rest.

Google Analytics:

Data encryption in transit (HTTPS) and at rest (AES256).

Restriction of access

Matomo:

A subset of employees has access to the products and to personal data via controlled interfaces. Access is enabled through “just in time” requests for access; all such requests are logged.

The backend production environment is accessible by a dedicated group of Privileged Users approved by senior management. Privileged Users may only access the backend production environment via a bastion host (two-factor authentication and SSH to log in).

Google Analytics:

Access to data by employees, contractors, and subcontractors is limited by strict access controls (authentication procedures, SSL, and security logs), restricting access only to authorized users.

Reuse of data

Matomo:

Matomo does not pursue its own purposes with this data processing.

Google Analytics:

Google shares personal data between its multiple service platforms (Adsense, etc.).

Concerning third parties, Google states it will not use or disclose any confidential information belonging to controllers without their prior written consent, except to fulfill its obligations under this Agreement or as required by law, regulation or court order.

Exemption of cookie consent

Matomo:

YES, if the controller disables the "cross domain tracking" and "third party cookies" features.

Google Analytics:

NO, by default Google collects cookies and therefore visitors’ consent is necessary.

Submission to Cloud Act/FISA

Matomo:

NO, when data is stored on the controller's premises.

NO, if the controller enables data anonymization when using the Cloud solution.

Google Analytics:

YES, even though Google offers an anonymisation option for IP addresses that can be activated by controllers, other personal data is still transferred to US servers by default (user ID, cookies).

Also, Google publishes a Transparency Report, which lists the FISA-based demands made by intelligence agencies:
https://transparencyreport.google.com/user-data/us-national-security