Compliance & regulation
GDPR for news comments
European data protection regulation that governs how publishers collect, store and process reader data, including comments, debate contributions, and accounts.
The General Data Protection Regulation (GDPR) is the EU’s data protection law. For news publishers, it shapes how every comment, reader account, vote, and moderation decision is handled, because all of those are personal data under Article 4.
Why GDPR matters specifically for comments
A comment system creates personal data on day one: the IP address of the visitor, the account used to post, the content itself (which may identify the author), and the moderation decisions taken against it. GDPR requires you to:
- Identify a lawful basis for each processing activity (usually legitimate interest for comments, consent for marketing, contract for paid features).
- Limit purpose and retention: keep comments only as long as editorially useful.
- Honour data subject rights: access, rectification, deletion, portability, objection.
- Sign Article 28 Data Processing Agreements with any vendor that touches reader data.
Article 28 and your comment vendor
If your comment system is hosted by a third party (Disqus, Viafoura, Coral, Logora), that vendor is your data processor under Article 28. You must:
- Sign a Data Processing Agreement that specifies the data, the purposes, the retention, the security measures.
- Audit (or get audit reports from) the processor at least annually.
- Get explicit authorisation before sub-processors are added.
- Ensure data location and transfers comply with Schrems II if the processor is outside the EU.
This is where the EU-native vs US-platform divide becomes concrete. Logora signs Article 28 DPAs by default, hosts on OVH (France), and contracts in French / German / Spanish on demand. US-based vendors operate under different contractual frameworks and Standard Contractual Clauses post-Schrems II, which is workable, but with additional legal review on the publisher side.
How Logora handles GDPR
- First-party data. Reader accounts live in your database, not Logora’s. We process them on your behalf.
- EU-only hosting. OVH, France. No data transit to the US.
- Built-in rights. Readers can export their data, request deletion, and review consent from inside the comment widget.
- Article 28 DPA signed by default. No back-and-forth, no legal review delays.
- Retention is configurable. You decide how long comments stay before anonymisation.
Related concepts
- DSA: the moderation and transparency complement of GDPR
- Schrems II: the ruling that re-shaped EU-US data flows
- First-party data: your audience as your asset
- Data Processing Agreement (DPA)
See the Logora vs Disqus and Logora vs Viafoura comparisons for how GDPR posture differs across vendors.