Open Web Analytics and Data Protection – What Belongs in the Privacy Policy
Compact guide to Open Web Analytics (OWA): processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
Open Web Analytics Data Protection – Legal Requirements for the Privacy Policy
Open Web Analytics (OWA) is an open-source, self-hosted web analytics framework. Unlike SaaS solutions such as Google Analytics or Matomo Cloud, data processing takes place on the website operator's own infrastructure. This has significant implications for data protection responsibility and the required privacy policies. This article explains the legal bases, data types and mandatory disclosures for Open Web Analytics data protection in the context of the GDPR and the TDDDG.
A. Purpose and Function of Open Web Analytics
Open Web Analytics is a web analytics framework developed by the open-source community. It is not hosted or managed by third parties, but installed and operated by the website operator on its own server.
Function:
- A JavaScript snippet is embedded in the website.
- The snippet captures user behaviour in the visitor's browser.
- Data is transferred to the website operator's own OWA server.
- Storage takes place in a local database (typically MySQL/MariaDB).
- Evaluation and reporting take place via the OWA interface in self-operation.
This self-hosted architecture fundamentally distinguishes OWA from SaaS analytics providers: there is no third-party provider in the GDPR sense who carries out the processing. The website operator is directly the controller within the meaning of Art. 4(7) GDPR.
B. Mandatory Disclosures of the Privacy Policy when Using Open Web Analytics
For the use of OWA, website operators must include the following points in their privacy policy:
- Controller: Indication of the name and contact details of the website operator (not of the OWA project developer).
- Purpose of processing: Analysis of user behaviour to optimise the website and user experience.
- Data types: Specification of the captured data (IP address, click paths, device type, browser, etc.).
- Legal basis: Consent under Art. 6(1)(a) GDPR + § 25(1) TDDDG (for cookies/tracking IDs) or Art. 6(1)(f) GDPR in the case of anonymisation.
- Retention period: Information on the retention period of the data.
- Data subject rights: Objection, access, erasure, restriction (see Art. 15–22 GDPR).
- No transfer to third parties: Clarification that the data is not passed on to external analytics providers.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Open Web Analytics – Legal Particularity
Open Web Analytics is an open-source software project developed by Peter Adams and contributors of the OWA community. Unlike Google Analytics, Matomo Cloud or other SaaS solutions, however, it is not a provider in the GDPR sense.
Consequence for the privacy policy:
- The website operator is sole controller under Art. 4(7), Art. 24 GDPR.
- No Data Processing Agreement (DPA) with the OWA project itself is required.
- A DPA must be concluded exclusively with the hosting provider (e.g. Hetzner, AWS, DigitalOcean), provided the latter is a processor.
- The OWA software itself is licensed under an open-source licence (typically GPL) and is free of charge.
Since the website operator operates the infrastructure itself, it bears full responsibility for security, updates, backups and compliance.
D. Data Processing – Workflow in Steps
E. Data Collected by Open Web Analytics
OWA captures the following categories of personal and non-personal data:
- IP address of the user (can be used for geolocation purposes and constitutes personal data under Art. 4(1) GDPR).
- Cookie and tracking IDs to identify recurring users (visitor cookies with configurable duration).
- Click paths and navigation flow on the website (which pages were visited, in which order).
- HTTP referrer (from which external page the user came).
- Device type and operating system (desktop, tablet, smartphone; Windows, macOS, iOS, Android).
- Browser information (browser type, version, JavaScript support).
- Approximate location data (country, region, city derived from the IP address; usually aggregated without exact localisation).
- Conversion events (e.g. download, registration, purchase, if configured).
- Page dwell time and interaction data (scroll depth, hover events, if implemented).
- User agent string (technical features of the browser).
F. Purposes of Use of Open Web Analytics
The data processing by OWA typically pursues the following purposes under Art. 5(1)(b) GDPR:
- General product improvement: Identification of optimisation potential in website structure, usability and content.
- User profile creation (aggregated): Creation of anonymised or pseudonymised user segments to improve audience targeting.
- User-individual behaviour analysis: Tracking of individual users across multiple sessions to optimise the offer.
- Conversion optimisation: Measurement of business results (e.g. components of purchase processes or lead generation).
- Traffic monitoring: Monitoring of website performance and user load.
G. Legal Bases for Open Web Analytics under GDPR and TDDDG
The processing of data by OWA must be based on a permissible legal basis.
1. Consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG:
For the use of cookies and tracking IDs, explicit consent of the user is required. The cookie banner must be configured before loading the OWA snippet (Consent Management Platform, CMP). Without consent, tracking is not permissible.
2. Legitimate interest under Art. 6(1)(f) GDPR:
If IP addresses and data are completely anonymised (no reference to a person is possible any more), a legal basis may be omitted. Where legitimate interest is relied on instead, a balancing of interests in favour of the website operator is required; such a balancing is not sufficient to legitimise tracking data that still carries a personal reference.
Practical note: In the vast majority of cases, consent under Art. 6(1)(a) + § 25 TDDDG is the applicable legal basis.
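The consent requirement under G.1 in practice means the OWA snippet must not be injected until the CMP has recorded a positive decision. The following is an added example (not OWA project code) of such a gate: the OWA embed conventions (owa_baseUrl, owa_cmds, setSiteId, trackPageView and the tracker file path) follow OWA's standard snippet, while the storage key `owa_consent`, the event name `owa-consent-changed`, the base URL and the site id are assumptions or placeholders.

```javascript
// Added example, not part of the OWA project: load the OWA tracker only after
// an explicit consent decision (Art. 6(1)(a) GDPR / § 25(1) TDDDG).
// Assumptions: the CMP stores its decision under CONSENT_KEY and dispatches
// the event named below; the tracker file path is OWA's default embed path.

const CONSENT_KEY = 'owa_consent';                                   // assumed storage key written by the CMP
const TRACKER_FILE = 'modules/base/js/owa.tracker-combined-min.js'; // OWA tracker script (per OWA's snippet)

// Only an explicit, recorded "granted" counts. Missing, "denied" or any other
// value means the tracker is NOT loaded: opt-in, never opt-out.
function consentAllowsTracking(storedValue) {
  return storedValue === 'granted';
}

// Command queue the OWA tracker drains once its script has loaded.
function buildOwaCommands(siteId) {
  return [['setSiteId', siteId], ['trackPageView']];
}

// Inject the tracker <script>. Returns true if injected, false if skipped.
// `win` and `doc` are parameters so the logic is testable without a browser.
function loadOwaTracker(win, doc, baseUrl, siteId) {
  if (win.owa_tracker_loaded) return false;   // idempotent: inject at most once
  win.owa_baseUrl = baseUrl;                   // globals read by the OWA tracker
  win.owa_cmds = buildOwaCommands(siteId);
  const s = doc.createElement('script');
  s.async = true;
  s.src = baseUrl + TRACKER_FILE;
  doc.head.appendChild(s);
  win.owa_tracker_loaded = true;
  return true;
}

// Run on page load (consent from an earlier visit) and on every new CMP decision.
function applyConsent(storage, win, doc, baseUrl, siteId) {
  if (!consentAllowsTracking(storage.getItem(CONSENT_KEY))) return false;
  return loadOwaTracker(win, doc, baseUrl, siteId);
}

// Browser wiring; skipped when the file runs outside a browser (e.g. a test runner).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const run = () => applyConsent(window.localStorage, window, document,
    'https://analytics.example.org/owa/', 'SITE_ID_PLACEHOLDER'); // assumed base URL, placeholder site id
  run();
  window.addEventListener('owa-consent-changed', run);           // assumed CMP event name
}
```

Withdrawal of consent is handled by the CMP deleting the stored value; since the tracker is never injected without a recorded "granted", a later page load then stays tracker-free.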
H. Special Features and Notes on Open Web Analytics
- Self-hosted control: The website operator has full control over data flow, security and processing. Data does not leave its own infrastructure unless the website operator configures external interfaces.
- No DPA with OWA required: Since OWA is open source and does not act as a processor, there is no obligation to conclude a DPA with the project developer.
- DPA with the host: A DPA under Art. 28 GDPR is to be concluded with the hosting provider (e.g. Hetzner, AWS, Strato), provided the latter processes personal data.
- IP anonymisation: OWA offers functions for anonymising or masking the last octets of the IP address. This function should be activated to minimise risks.
- Cookie duration: The duration of the visitor cookie is configurable (typically 13 months). Shorter durations reduce tracking intensity and are more data-protection-friendly.
- Security and updates under one's own responsibility: The website operator is responsible for regular security updates, patch management and physical/logical security of the database.
- No third-country transfer through OWA itself: As long as processing is limited to one's own infrastructure, no transfers to third countries occur. An examination is necessary if the host is established in a third country.
- Personal data breach notification obligation: In the event of security incidents (unauthorised access, data loss), notification to the competent supervisory authority may be required under certain circumstances (Art. 33 GDPR).
I. Frequently Asked Questions (FAQ)
Q: Can I use OWA without consent if I anonymise the IP addresses?
A: Anonymised data is exempt from the GDPR scope of protection. However, true anonymisation is technically demanding and often not fully achievable (risk of de-anonymisation). In case of doubt, consent under § 25 TDDDG should be obtained.
Q: Do I need a Data Processing Agreement with the OWA project developer?
A: No. OWA is open-source software, not a processor. A DPA is only required with the hosting provider.
Q: Which retention period should I define for OWA data?
A: The retention period should be made transparent in the privacy policy. Rule of thumb: 13 months (a typical visitor cookie duration), at most as long as the analysis purpose requires. After expiry, data should be deleted automatically.
Q: What is the difference between OWA and Google Analytics with regard to data protection?
A: Google Analytics is a SaaS service; Google is a processor and has access to all data. OWA is self-hosted; the website operator retains full control. No third-country transfer through OWA itself; no dependence on Google servers.
Q: Do I have to obtain consent before loading the OWA snippet?
A: Yes, § 25(1) TDDDG requires consent before setting cookies or similar tracking technologies. The OWA snippet should only be loaded after positive consent (consent management solution).
J. Conclusion and Recommendations for Action
Open Web Analytics offers website operators a data-protection-friendly alternative to cloud-based analytics platforms, since the data remains entirely under one's own responsibility. However, the GDPR requirements are no less strict:
- Obtain consent under TDDDG (cookie banner before snippet loading).
- Update privacy policy with the captured data types, purposes and retention periods.
- Conclude DPA with hosting provider.
- Implement security measures (updates, backups, access control).
- Activate IP anonymisation and minimise cookie duration.
The privacy policy is the central transparency instrument under Art. 13 and 14 GDPR. It should be comprehensible, up to date and easy to find. A generator can help with structured capture.
K. Author
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com