JStatsMATOMO · ANALYTICS · JOOMLA 4 & 5

Privacy & law · Knowledge

GDPR basics: what does a Joomla site owner owe?

Even a plain Joomla site processes personal data – server logs, contact forms, comments, analytics – and therefore lives inside the GDPR, not next to it.

The core duties are manageable: a complete privacy policy, a processing agreement with the hoster, data minimisation, and working answers to visitor rights. This page is a map, not legal advice.

The duty map for a typical Joomla site

Start with the inventory: what does the site actually process? Server logs at the hoster, form submissions, user accounts if registration is open, newsletter addresses, analytics data, embedded third-party content. Each item needs a legal basis (mostly legitimate interest or consent), a sentence in the privacy policy answering four questions – which data, what purpose, which legal basis, how long stored – and, where a service provider processes for you, a data processing agreement: the one with your hoster is the classic gap. Then minimise: forms ask only what the reply needs; comments work without mandatory websites; analytics runs self-hosted and cookieless where possible (the neighbouring questions cover exactly that setup – it is the single biggest GDPR simplifier for a Joomla site). Finally, be answerable: visitors may request access, correction or deletion, and a reply is due within a month – for a small site that is no bureaucracy, just knowing where user data lives (Joomla's user manager, the form component's storage, Matomo). Do this once systematically – ideally with professional review – and the GDPR becomes annual maintenance instead of background dread.

Key facts

Related questions

All knowledge topics