KIT CMS is a self hosted content management system used by editorial, corporate and e-commerce websites. The core platform writes only strictly necessary session and CSRF cookies, but most production deployments enable optional analytics, social and marketing modules that fall under the ePrivacy consent rule. The privacy posture therefore depends on which modules the controller activates.
KIT CMS is a self hosted content management system that powers editorial, corporate and e-commerce websites. It runs as a server side PHP application installed on infrastructure chosen by the publisher. The core platform handles content modelling, role based authoring, multilingual templates and a plugin marketplace. Because the software is installed on the customer infrastructure, the personal data flows are entirely controlled by the website owner and not by a third party.
By default KIT CMS only writes a session cookie (typically PHPSESSID or a renamed equivalent) and a CSRF token cookie used to protect form submissions. These cookies expire when the browser is closed or after a short inactivity window. They do not contain personal data beyond the session identifier, which is meaningless without server side state. When the controller installs comment modules, member areas, analytics widgets or social plugins, additional cookies and identifiers may be written, including third party trackers.
The session and CSRF cookies set by KIT CMS are strictly necessary under Article 5(3) of the ePrivacy Directive and recital 66, since they are required to deliver the website service explicitly requested by the user. They can be loaded without consent. The privacy notice should still describe their purpose and lifetime under Articles 13 and 14 GDPR. Any optional module that triggers analytics, advertising, social or personalisation cookies requires consent collected through a Consent Management Platform.
There is no transfer outside the European Economic Area when the application is hosted on EU infrastructure. If you host KIT CMS in Russia or another country without an adequacy decision, you must perform a Transfer Impact Assessment, sign Standard Contractual Clauses with the hosting provider and document supplementary measures. Many publishers targeting European audiences therefore choose EU based hosting (OVH, Hetzner, Scaleway) and state the hosting region clearly in the privacy notice.
List every active module in your privacy notice and your record of processing activities. Set the Secure and HttpOnly flags on the session cookie, set SameSite=Lax and configure short expirations. Gate every optional analytics, social or advertising module behind a Consent Management Platform such as FlowConsent. Run regular tag scans to make sure third party scripts are loaded only after consent. Document the hosting region, the backup location and the legal basis of each processing activity.
DPIA considerations
KIT CMS used as a content management tool with strictly necessary cookies is generally low risk. A DPIA becomes relevant when the deployment activates large scale member directories, behavioural personalisation, third party advertising integrations or when the hosting infrastructure is located in a country without an adequacy decision. Document the modules enabled, the data flows and the legal basis of each processing activity.
Sample consent text
This website is built on KIT CMS. Only strictly necessary cookies are written by default to keep your session active and to protect against forgery attacks. Additional analytics, social or marketing cookies require your explicit consent and can be managed at any time from the cookie preferences link.
Third-party domains contacted
kit-cms.ru, kit-cms.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | first_party | Session | Stores the session identifier so that the visitor's server side state (cart, login status, language) is preserved across requests. |
| csrf_token | first_party | Session | Stores a per session token used to validate form submissions and protect against Cross Site Request Forgery attacks. |
| kit_lang | first_party | 1 year | Stores the language preference selected by the visitor so that subsequent visits load the correct localised version. |
By default the platform writes one session cookie (typically PHPSESSID or a renamed equivalent) and one CSRF token cookie. Both are first party, expire when the browser closes or after short inactivity, and only contain a random server side identifier with no personal data.
No. The session and CSRF cookies fall under the strictly necessary exemption of Article 5(3) of the ePrivacy Directive and recital 66, since they are required to deliver the website service explicitly requested by the user. Optional analytics, advertising or social modules require consent.
Authentication, session management and content delivery rely on contract performance under Article 6(1)(b) GDPR or legitimate interest under Article 6(1)(f). Member registration and account management use contractual or legitimate interest grounds, while marketing modules require consent under Article 6(1)(a).
KIT CMS is self hosted, so the controller chooses the hosting region. There is no built in transfer to the United States. If the application is hosted in Russia or another country without an adequacy decision, you must rely on Standard Contractual Clauses and a Transfer Impact Assessment.
For a basic deployment a DPIA is rarely mandatory. However, if you enable large scale member directories, behavioural personalisation or advertising integrations, or if data is hosted outside the EEA, the threshold of Article 35 GDPR is often met. Document the criteria of the Article 29 Working Party guidelines.
Set the Secure and HttpOnly flags on every cookie with SameSite=Lax, host on EU infrastructure when possible, list active modules in your privacy notice, gate optional trackers behind a Consent Management Platform such as FlowConsent and audit your tags regularly. Sign Data Processing Agreements with every plugin vendor.
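As an added example (not code from KIT CMS or FlowConsent) covering the cookie hardening advice in the recommendations above and in this answer: a small audit that parses Set-Cookie headers and reports which cookies lack the Secure, HttpOnly or SameSite=Lax attributes, and whether a strictly necessary session cookie has been given a persistent lifetime. The sample headers are constructed; the cookie names are those from the table above.

```javascript
// Added example: audit Set-Cookie headers against the hardening policy
// described on this page (Secure, HttpOnly, SameSite=Lax, session-scoped
// lifetime for the session and CSRF cookies). Not part of KIT CMS.

// Cookies the page classes as strictly necessary (session and CSRF).
const STRICTLY_NECESSARY = new Set(["PHPSESSID", "csrf_token"]);

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).toLowerCase();
  }
  return cookie;
}

// Return the policy violations for one cookie header.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (c.attrs.secure !== true) findings.push("missing Secure");
  if (c.attrs.httponly !== true) findings.push("missing HttpOnly");
  const ss = c.attrs.samesite;
  if (ss !== "lax" && ss !== "strict") {
    findings.push(`SameSite is ${ss || "unset"}, expected Lax`);
  }
  // Strictly necessary cookies should expire with the browser session:
  // a Max-Age or Expires attribute turns them into persistent identifiers.
  if (STRICTLY_NECESSARY.has(c.name) && ("max-age" in c.attrs || "expires" in c.attrs)) {
    findings.push("strictly necessary cookie has a persistent lifetime");
  }
  return { name: c.name, strictlyNecessary: STRICTLY_NECESSARY.has(c.name), findings };
}

function auditResponse(setCookieHeaders) {
  return setCookieHeaders.map(auditCookie);
}

// Constructed sample response: a hardened session cookie, a weak CSRF cookie
// and a one-year language preference cookie missing HttpOnly.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "csrf_token=def456; Path=/",
  "kit_lang=fr; Path=/; Max-Age=31536000; Secure; SameSite=Lax",
];

for (const r of auditResponse(SAMPLE_HEADERS)) {
  console.log(r.name, r.findings.length ? r.findings.join("; ") : "ok");
}
```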
Common open source alternatives include WordPress, Drupal, TYPO3 (very popular in Germany), Joomla and Strapi for headless deployments. Each has different cookie behaviours and module ecosystems, so review their default privacy posture before migrating.
List the session and CSRF cookies as strictly necessary, document the hosting region, and add a separate entry for every optional module that writes additional cookies. Provide a clear consent management link in the footer and document the proof of consent retention.