Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Russian open source PHP content management system. Self hosted on the operator infrastructure. Sets a PHP session cookie (PHPSESSID) and an admin authentication cookie. No third party telemetry by default.
Danneo CMS is a Russian open source content management system written in PHP and distributed under a free licence. It targets small to mid size editorial sites, corporate websites and community portals. The platform is self hosted, which means the operator chooses the server, the database and the location of all data. Out of the box it ships with a public site, an admin back office and a modular extension system.
By default Danneo CMS sets a PHP session cookie (PHPSESSID) on every request, an authentication cookie for users who log in to the admin or member area, and a CSRF token cookie that protects form submissions. The web server records standard access logs with IP address, user agent and timestamp. No analytics, advertising or social network telemetry is loaded unless the operator installs a dedicated module.
The PHP session cookie, the authentication cookie and the CSRF cookie fall under the strictly necessary exemption of Article 5(3) ePrivacy Directive and can be set without consent. The processing of account data is covered by Article 6(1)(b) GDPR when it serves the contract between the operator and the user, or by Article 6(1)(f) GDPR for the legitimate interest in operating the site. Any additional plugin (web analytics, advertising, social embed) requires its own legal basis and, for non essential cookies, consent.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
A vanilla Danneo CMS installation does not need a consent banner because it only sets strictly necessary cookies. As soon as the operator adds analytics (Yandex Metrica, Google Analytics, Matomo) or social widgets (VK, Telegram, YouTube), a banner becomes mandatory under the ePrivacy Directive and the national implementations. The banner must let the user refuse as easily as accept and provide a way to withdraw consent.
Danneo CMS does not perform any default data transfer. Where the application is installed determines the storage location. If the operator hosts the instance in Russia, the Russian Federal Law 152 FZ applies and requires the data of Russian citizens to be stored on servers located in Russia. If the operator hosts the instance outside the EEA, transfers from EU visitors require an appropriate safeguard under Chapter V GDPR (Data Privacy Framework for the US, standard contractual clauses elsewhere) and a transfer impact assessment.
Document Danneo CMS and the chosen host in your records of processing, secure the admin back office with TLS and strong authentication, configure log rotation and a reasonable retention period for IP and access logs, audit installed modules to confirm whether they introduce non essential cookies and, if so, gate them behind a CMP. Publish a clear privacy notice that lists the modules in use and explains how to exercise data subject rights.
Websites using Danneo CMS must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a Danneo CMS website that serves a brochure or a small editorial site, but becomes relevant when the CMS hosts user accounts at scale, processes sensitive content (health, political views, religion) or runs commerce or community modules that handle a high volume of personal data. Document the categories of data stored in the database, the retention of access logs and the security measures protecting the admin interface.
Sample consent text
We use Danneo CMS to operate this website. It sets a session cookie that is strictly necessary to navigate the site and an authentication cookie if you log in to a member area. These cookies do not require consent. Any additional analytics or advertising modules will be loaded only after you accept them in the cookie banner.
Third-party domains contacted
danneo.comdanneo.ruCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | first party session | Session | PHP session cookie that identifies the visitor session in Danneo CMS. Strictly necessary. |
| danneo_auth | first party (admin only) | 7 days | Authentication cookie set when an admin or member logs in to the Danneo CMS back office or member area. |
| danneo_csrf | first party security | Session | CSRF token cookie protecting form submissions against cross site request forgery in Danneo CMS. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Out of the box Danneo CMS sets a PHP session cookie (PHPSESSID) for navigation, an authentication cookie when a user logs in to the admin or member area, and a CSRF token cookie that protects form submissions. All three are first party and strictly necessary. Additional cookies appear only when the operator installs an analytics or social module.
For a vanilla installation no consent is needed because only strictly necessary cookies are set. Consent under Article 5(3) ePrivacy Directive becomes mandatory as soon as the operator adds analytics, advertising or social widgets, since these introduce non essential cookies and processing.
Legitimate interest (Article 6(1)(f) GDPR) and the strictly necessary exemption of Article 5(3) ePrivacy Directive for the session and CSRF cookies. Performance of a contract (Article 6(1)(b)) for member accounts. Consent (Article 6(1)(a)) for any non essential module added by the operator.
Not by default. Danneo CMS is self hosted, so where data goes depends entirely on the operator. If you host the instance in Russia, Russian law 152 FZ applies and storage must remain on Russian servers for Russian citizens. If you host outside the EEA for EU visitors, you need a Chapter V GDPR safeguard (Data Privacy Framework for the US, SCCs elsewhere).
For a brochure or small editorial site a DPIA is not mandatory. It becomes recommended when the CMS runs user accounts at scale, handles sensitive content, hosts a forum exposing user generated content, processes payments or interacts with minors.
Host on a controlled server in or close to your audience, restrict admin access by IP or VPN, enforce TLS and strong passwords, document the modules in your records of processing, keep PHP and the CMS patched, define a log retention period and gate any analytics or social module behind a consent banner.
Other self hosted PHP CMS such as WordPress, Drupal, Joomla, MODX or Bitrix in the Russian market. Static site generators like Hugo or Eleventy paired with EU hosting are a privacy friendly alternative when dynamic features are limited.
Describe the strictly necessary cookies (PHPSESSID, authentication, CSRF), state that no third party cookies are loaded by default, mention any active analytics or social module and link to its policy, indicate the hosting region and applicable transfer mechanism. Review the policy every twelve months and after each module change.