Data protection under control: Matomo web analysis now also in Germany

Data protection under control: Matomo web analysis now also in Germany

On July 18, 2025, the use of Matomo, a web analysis tool, will become increasingly important for numerous federal authorities in Germany. The Federal Ministry of Finance provides information about the functional aspects and the legal framework in which Matomo is used. In accordance with the specifications, Matomo records key figures for web analysis that are used to improve the structures and designs of websites.

Matomo is operated locally on the service provider's servers in Germany. This ensures that no data is transferred to third parties. Operation is based on the consent of the users in accordance with Article 25 Paragraph 1 of the Telecommunications Telemedia Data Protection Act (TTDSG). This means that users must provide consent before the matomo.js script is executed.

Data collected and data protection

When using Matomo, various information is collected from the user's device. This includes, among other things, the device type, the device brand, the screen resolution as well as the operating system and browser used. A special feature of Matomo is that no cookies are stored on the users' devices. Instead, data such as shortened IP addresses, URLs accessed and length of stay are collected. The raw data is stored for 30 days and then automatically deleted. These measures are part of the data protection concept designed in accordance with the General Data Protection Regulation (GDPR).

To ensure privacy protection, the user's IP address is not completely stored because the last two octets are obscured. In addition, Matomo is configured so that no additional personal data is collected. Many authorities use Matomo to operate in a data-efficient manner and in accordance with the legal requirements as set out in Section 3 BDSG and Section 25 TDDG.

Technical framework conditions and requirements

Technically speaking, Matomo allows the creation of user profiles to analyze users' navigation behavior. This is particularly important for optimizing websites. It is important that access to the information is regulated by the consent of the users. The transmission of the collected data is considered a technical need and therefore falls under the exception according to Section 25 Paragraph 2 No. 2 TDDG for the provision of the website.

Checking and documenting the use of Matomo is essential in order to meet legal requirements. In order to legitimize a change in the purpose of data processing, there must be a new legal basis. Website providers are therefore called upon to regularly check their services and ensure that all data minimization and “privacy by design” requirements are met.

For further information about users' rights and data protection officers, the relevant contact details are available on the data protection pages of the respective services. These measures help to ensure transparency and security in the handling of user information.

For detailed information on the use of Matomo, interested readers can read the reports Federal Ministry of Finance as well as the BFDI consult.