DE Request a demo
Law

GDPR-compliant media monitoring

Media coverage names names — which means every monitoring effort processes personal data. Which legal bases apply, what obligations arise and how to recognise data-protection-compliant monitoring.

Reading time approx. 7 min Jurisdiction: EU · AT & DE As of: May 2026
Stephan Mitterer · Managing Director, online360 service GmbH

GDPR-compliant media monitoring means that the capture and analysis of media coverage involving personal data rests on a valid legal basis and that the principles of the General Data Protection Regulation — purpose limitation, data minimisation, transparency, storage limitation — are upheld throughout.

Note: This article offers a general overview and does not replace individual legal advice.

Why media monitoring processes personal data

As soon as a captured item names an identifiable person — board members, politicians, spokespeople, but also private individuals — there is processing of personal data within the meaning of the GDPR. That applies to storing the item just as much as to analysing it, for instance assigning a sentiment to a person. Media monitoring is therefore not free of data-protection obligations simply because the sources are public.

The legal basis: usually legitimate interest

For most use cases, media monitoring relies on legitimate interest (Art. 6(1)(f) GDPR): an organisation has a legitimate interest in knowing how it is being reported on, in protecting its reputation and in monitoring its market environment. The precondition is a documented balancing of interests that weighs this interest against the rights and expectations of the data subjects.

A special case is the media privilege (Art. 85 GDPR, given national form in Austria and Germany): it privileges processing for journalistic purposes. Whether and to what extent it applies to pure monitoring activity depends on the specific purpose and must be assessed case by case.

Obligations in practice

  • Purpose limitation: use data only for the defined monitoring purpose.
  • Data minimisation: capture and store only what is necessary for the purpose.
  • Storage limitation: defined retention periods and automatic deletion once they expire.
  • Records of processing activities and, where applicable, a data protection impact assessment for extensive analysis.
  • Data subject rights: access, rectification and erasure must be feasible.
  • Transparency: observe information obligations where applicable.
  • Special categories (Art. 9 GDPR): media coverage may touch on special categories of personal data — such as political opinions, health or religious information. Their processing is subject to stricter conditions and should be examined with particular care in the public-sector and public-affairs context.

Hosting & processing on your behalf

Anyone who obtains media monitoring as a service hands the processing to a third party — a processor relationship arises, which must be governed contractually under Art. 28 GDPR. Hosting within the EU or the EEA considerably simplifies compliance, because no third-country transfer with additional safeguards (such as standard contractual clauses) is required.

EU hosting as a default stance

mediaintel operates the platform with hosting in the EU, captures content from lawfully accessible, vetted sources with regard to reservations of use, and carries traceable source and licence information with every item. Details on data protection can be found under Privacy.

What to look for when choosing

  • Is there a data processing agreement (DPA) under Art. 28 GDPR?
  • Is hosting in the EU/EEA?
  • Are there configurable retention and deletion periods?
  • Is source capture lawful, and does it respect reservations of use? (See TDM reservation.)
  • Are data subject rights technically feasible?

Frequently asked questions

Is media monitoring permitted under the GDPR?

Yes, media monitoring is permitted in principle, provided it rests on a valid legal basis — in practice usually legitimate interest under Art. 6(1)(f) GDPR — and observes the principles of data minimisation, purpose limitation and transparency. This text is a general overview and does not replace legal advice.

What is the legal basis for the processing?

In most cases legitimate interest (Art. 6(1)(f) GDPR), such as protecting one's own reputation or monitoring the market environment. A balancing of interests against the rights of the data subjects is required and must be documented.

Where should media monitoring data be hosted?

Hosting within the EU or the EEA considerably simplifies GDPR compliance, because no third-country transfer with additional safeguards is required. Processing on a provider's behalf should be governed by a contract under Art. 28 GDPR.

Further reading

Law TDM reservation & UrhG The copyright side of lawful capture. Fundamentals What is media monitoring? The process that the GDPR governs. Solution For the public sector & public affairs Monitoring in a particularly sensitive environment. Legal Our TDM reservation The legal position of mediaintel.