Compliance for legal teams
Does Simple Analytics collect personal data?
Simple Analytics processes IP addresses for Internet communication but never stores them. See below for more information on how we process IP addresses.
Does Simple Analytics require consent?
Are data transfers an issue when using Simple Analytics?
Data transfers are not an issue. Simple Analytics does not collect personal data and does not rely on service providers outside the EU.
The anonymous data we collect can be transferred outside the EU with no compliance risks or burdens if needed. Our extra-EU customers don’t need to implement standard contractual clauses or other safeguards to make the data transfer GDPR compliant.
What is Simple Analytics’ role in the processing of the data?
The notions of data controller and data processor are defined concerning personal data by the GDPR (see Articles 4(7) and (8) GDPR). We only collect anonymous metrics. Therefore, we are neither data controllers nor data processors concerning the data we collect and process for our customers.
Simple Analytics is a sole data controller concerning IP addresses.
Do I need a Data Processing Agreement to use Simple Analytics?
A Data Processing Agreement is unnecessary because Simple Analytics is not a personal data processor.
Does Simple Analytics use third-party providers?
We rely on Dutch companies Worldserver and Leaseweb to store data. We also rely on BunnyCDN to deliver content. BunnyCDN is part of Slovenian company BunnyWay.
Worldserver, Leaseweb, and Bunnyweb are trusted, European, and GDPR-compliant providers with infrastructure located in the EU. We don’t need to use European providers, as non-personal data can be transferred without limitations under the GDPR. We still choose to do so to ensure that the processing is as transparent and confidential as possible.
What are your legal bases for processing the data?
The anonymized metrics collected by Simple Analytics are not personal data. They do not fall under the GDPR, and Articles 5(1)(a) and 6 do not apply to them. No legal basis is needed to process anonymous data.
IP addresses are processed by Simple Analytics as a sole data controller based on its legitimate interest (Art. 6(1)(f) GDPR) to provide the service.
What legal bases can I rely upon to process the data?
Using Simple Analytics does not make you a controller of personal data. You do not need a legal basis to process the data, as the GDPR and the principle of lawfulness (5(1)(a) GDPR) do not apply to anonymous data.
How does Simple Analytics process IP addresses?
IP addresses are personal data. As much as we would like to process no personal data at all, we need to process IP addresses to communicate over the Internet and collect the anonymous data we need to provide our service.
We are sole controllers concerning IP addresses. We minimize the processing of IP addresses by only using them for communication. We drop IP addresses from our systems after each request, and no trace of IP addresses can be found in our system logs.
Simple Analytics may match addresses against a list of known bots addresses as an optional setting. IP addresses are dropped immediately after the check.
IP addresses are never logged, stored, transferred, or processed in any other way.
Simple Analytics does not require a privacy notice. Our customers are not controllers of personal data and are not required to provide any information under Art. 13 GDPR, as the provision only applies to the data controller.