GDPR tools allows raw data access when visits log is disabled to prevent raw data access

[tsteur]

Summary

Currently, we can disable "raw data access" by disabling the visits log in the site/measurable settings. This is important for GDPR compliance to remove raw data access when wanting to track data without needing consent.

However, the GDPR tools are still available meaning raw data access and export is possible after all meaning it's not actually disabled.

When visits log is disabled for a site, it should also show an option to disable GDPR Tools for a given site. Not sure if it requires a separate setting as when you have the visits log enabled, then it shouldn't be a problem to have the GDPR tool enabled.

When GDPR tools are disabled for a site, and a Matomo user tries to search for visits, then we should ignore sites that the GDPR tool was disabled for.

I'm thinking by default, when the visits log is disabled, the GDPR tool usage is maybe still allowed and a user can disable it specifically. Or would it be better the other way around?

Sometimes, the visits log may be disabled when there is only anonymous data in there. In that case you won't need the GDPR tool anyway as you can't find a specific data subject anyway when there is only anonymised data tracked.

The GDPR tool should probably make it clear if specific sites are excluded from the search because it's disabled and that it can be enabled by users with enough access should it be needed.

[michalkleiner]

Hi @tsteur,
thank you for the suggestion, I'll assign this to the product team for discussion on which way this could/should work and for prioritisation in the backlog.