Privacy Battles: Visitor Analytics ⚔️ Matomo

Visitor Analytics Privacy Score: 100%
Matomo Privacy Score: 94%

Designated DPO or GDPR correspondent

Visitor Analytics:
Visitor Analytics has appointed a Data Protection Officer who can be contacted at the following address: dpo@visitor-analytics.io.

Matomo:
The DPO is external: ePrivacy GmbH, who can be reached at privacy@matomo.org or by post.

Country & Type of Data storage

Visitor Analytics:
Company Headquarters: Germany and Romania (EU)
Storage Facilities: All analytics data is processed by the German cloud provider Hetzner, in Germany.

Matomo:
Company Headquarters: New Zealand 🇳🇿
Storage Facilities: Servers, databases and logs are hosted in Frankfurt, Germany (the cloud provider is AWS New Zealand). Offsite backups are stored in Dublin, Ireland.
It is also possible to host Matomo Analytics on the client's own premises.

Data transfers outside the EU

Visitor Analytics:
Data is never transferred outside the EU.
Should a transfer ever be needed, Visitor commits to transferring personal data outside the EU only if an adequate level of data protection is established.

Matomo:
The adequate level of protection in New Zealand has been approved by the European Commission.
Every transfer of personal data by Matomo to a country which is not a member state of either the EU or the EEA is subject to the prior consent of the controller.

Legal tools for Subcontractors

Visitor Analytics:
Subcontractors are subject to written agreements providing the same protection level as set out in Visitor's DPA: https://www.visitor-analytics.io/fileadmin/visitor-analytics/downloads/dpa/20210622_visitor-analytics_data-processing-agreement_en.pdf
Visitor has made public its list of subprocessors: https://www.visitor-analytics.io/fileadmin/visitor-analytics/downloads/dpa/20210622_visitor-analytics_data-processing-agreement_en.pdf
Prior to adding a new subprocessor or replacing an existing subprocessor, Visitor informs controllers and provides a reasonable deadline for them to object.

Matomo:
Subcontractors are subject to written agreements substantially similar to Matomo's DPA: https://fr.matomo.org/matomo-cloud-dpa/
Matomo has made public its list of subprocessors: https://fr.matomo.org/matomo-cloud-privacy-policy/
Prior to modifying the list of subprocessors, the controller is notified by email and is able to object.

Data Breach Notification

Visitor Analytics:
Visitor commits to notify controllers without undue delay after becoming aware of a security incident, to assist controllers in fulfilling their notification and communication obligations, and to take appropriate measures to mitigate the possible adverse effects of the incident.

Matomo:
In case of a data breach, Matomo will inform the controller by email without undue delay and provide a description of the incident as well as periodic updates, including the impact on the controller.

Right Requests Process

Visitor Analytics:
Visitor Analytics will notify the concerned controller promptly (within a maximum of 5 working days) in writing of any communication received from a data subject relating to its rights, and will assist the controller within the scope of its ability to fulfil the request.

Matomo:
Data subject requests will be forwarded to the controller without delay.

Data Privacy Impact Assessment

Visitor Analytics:
Visitor assists controllers in ensuring compliance with their obligations in respect of DPIAs and prior consultation.

Matomo:
Matomo will provide assistance to the controller for DPIAs.

Employee Training

Visitor Analytics:
Visitor ensures all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Matomo:
All employees required to access the personal data are deemed informed of the confidential nature of the personal data.

Security Policy

Visitor Analytics:
Visitor has obtained an ISO 27001 certification, for which a security policy is necessary.

Matomo:
Matomo doesn't mention having a security policy.

Organizational and Technical Security Measures

Visitor Analytics:
Server security: Physical and cloud security is provided by Hetzner (CCTV, security team, physical access controls, etc.).
Other measures: Regular data backups, IP address anonymisation (optional), intrusion detection controls, data encryption in transit, data access monitoring, authorization management, employee security training, firewalls, server redundancy, and a prohibition on permanent storage of personal data on workstations.

Matomo:
Matomo doesn't mention having a security policy.

Data Encryption

Visitor Analytics:
Data encryption in transit (SSL).

Matomo:
Data is encrypted in transit (HTTPS) and at rest.

Restriction of access

Visitor Analytics:
Visitor allows employees to access or process personal data for IT support and maintenance. Internal access to data (e.g., by employees) is regulated according to the principle of least privilege.
A special script and encrypted keys are used to access personal data, and audits are conducted to ensure the controls are enforced.

Matomo:
A subset of employees has access to the products and to personal data via controlled interfaces. Access is enabled through "just in time" access requests; all such requests are logged.
The backend production environment is accessible only to a dedicated group of Privileged Users approved by senior management. Privileged Users may only access the backend production environment via a bastion host (two-factor authentication and SSH log-in).

Reuse of data

Visitor Analytics:
Visitor Analytics only provides data to each controller on the basis of the Data Processing Agreement signed between the two parties, and will not share personal data without the controller's consent, except under certain limited circumstances, such as when required by law.

Matomo:
Matomo does not pursue its own purposes with this data processing.

Exemption of cookie consent

Visitor Analytics:
YES, Visitor doesn't collect unnecessary cookies.
The only cookies set are those used to mark a data subject's visits to a website as ignored.

Matomo:
YES, if the controller disables the "cross domain tracking" and "third party cookies" functionalities.

Submission to Cloud Act/FISA

Visitor Analytics:
NO, data is stored in the EU by a European cloud provider.

Matomo:
NO, when data is stored on the controller's premises.
NO, if the controller enables data anonymization when using the Cloud solution.