Shiny

What does R Shiny do?

R Shiny is an open-source framework from Posit (formerly RStudio) for building interactive web applications directly from R code. It is widely used in data science, research, and analytics to create dashboards, visualisations, and data exploration tools. GDPR compliance depends on the application built and where it is hosted. Self-hosted Shiny apps on EU infrastructure have no transfer concerns. Data in apps hosted on shinyapps.io is processed on US infrastructure, which requires SCCs.

What is R Shiny?

R Shiny is an open-source framework developed by Posit (formerly RStudio) that allows data scientists and researchers to build interactive web applications using only R code, without requiring knowledge of HTML, CSS, or JavaScript. Shiny applications can include interactive charts, data tables, maps, machine learning model interfaces, and data input forms. They are widely used in academia, healthcare research, pharmaceutical companies, financial services, and government statistics for creating shareable data analysis tools.

GDPR and Shiny: it depends on the application

GDPR obligations for a Shiny application depend entirely on what data the application processes and where it is hosted. A Shiny app displaying only aggregated statistics with no personal data has minimal GDPR relevance. A Shiny app allowing users to upload patient records, enter personal survey responses, or interact with identifiable datasets must comply with GDPR in full. The developer and deploying organisation are the data controllers.

Hosting options and transfer implications

Shiny applications can be hosted three ways with different GDPR implications:

  • Self-hosted on EU infrastructure (recommended for EU personal data): no third-country transfer, full control.
  • ShinyApps.io (Posit, US): all data processed in the US, requires SCCs for EU personal data.
  • Posit Connect on-premise or EU cloud: EU data residency possible with appropriate configuration.

Research data and special category data

Shiny is frequently used in healthcare and research contexts where special category data (health, genetic, biometric data) is processed. When a Shiny app processes such data, GDPR Article 9 applies. Research processing may rely on Article 9(2)(j) (research purposes) with appropriate safeguards, or explicit consent. A DPIA is mandatory for large-scale health data processing.

Practical compliance steps

  • Host on EU infrastructure for EU personal data.
  • Implement user authentication and access controls in Shiny.
  • Minimise data displayed and processed.
  • Implement session timeouts to clear data from memory.
  • Sign a DPA with the hosting provider.
  • For shinyapps.io, sign a DPA with Posit and implement SCCs.
  • Conduct a DPIA for health data applications.

GDPR consent category

Other

Websites using R Shiny must obtain user consent under GDPR regulations.

Legal basis: R Shiny is a framework, not a data processor. GDPR obligations arise from the Shiny application and its hosting infrastructure. For shinyapps.io hosted applications, contract performance or legitimate interest applies for the hosting relationship.
Risk level: low
Applicable regulations: GDPR compliance depends on the application and hosting — EU self-hosted deployments have no transfer concerns

DPIA considerations

A DPIA may be required for Shiny applications processing special category data (health, genetic data) or large-scale personal data, particularly in research or clinical contexts. The DPIA should focus on the application design and data flows, not Shiny itself.

Sample consent text

This data application is built with R Shiny. Data entered or uploaded to this application is processed as described in our privacy policy.

Technical details

Tracking method: R Shiny web application framework, server-side R processing, session cookies, optional first-party analytics
Server location: Self-hosted or Posit (RStudio) cloud infrastructure (US)

Third-party domains contacted

  • shiny.posit.co
  • shinyapps.io

Cookies placed

Name | Type | Duration | Purpose
shinysession | session | Session | Strictly necessary session cookie maintaining the R Shiny WebSocket session — does not require consent

Frequently asked questions

Does R Shiny collect personal data?

R Shiny itself does not. However, Shiny applications routinely process personal data uploaded or entered by users. The developer and deploying organisation are responsible for GDPR compliance for all data processed within the application.

Does shinyapps.io require SCCs for EU data?

Yes. ShinyApps.io is operated by Posit in the US. Any EU personal data processed by a Shiny app hosted on shinyapps.io is transferred to the US, requiring Standard Contractual Clauses and a DPA with Posit.

What is the most GDPR-compliant hosting option for Shiny?

Self-hosting on EU infrastructure (AWS Frankfurt, OVHcloud, Hetzner) provides full EU data residency with no transfer concerns. Sign a DPA with the hosting provider. For managed hosting, Posit Connect on an EU cloud instance is an alternative.

Does R Shiny set cookies?

Shiny sets session cookies for maintaining the R session and WebSocket connection. These session cookies are strictly necessary for the application to function and generally do not require cookie consent. Analytics scripts added to the Shiny app do require consent.

Do I need a DPIA for my Shiny application?

A DPIA is required for Shiny applications processing health, genetic, or biometric data at scale, applications making automated decisions significantly affecting users, and applications processing large volumes of sensitive personal data. Standard dashboard applications with access controls may not require a DPIA.

How do I implement user authentication in Shiny for GDPR compliance?

Use the shinyauthr or shinymanager packages for local authentication, or integrate with your organisation's SSO/OAuth2 system. Implement role-based access so users only see data they are authorised to access. Log all user access for audit purposes.

How do I handle data uploaded to a Shiny app under GDPR?

Implement automatic deletion of uploaded data when the user session ends. For data that must persist, apply retention limits, access controls, and document the processing in your RoPA. Inform users in the app interface about how their uploaded data is processed.
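
One way to implement deletion at session end together with an access audit trail, as an added example (not FlowConsent's or Posit's code). The per-session working directory, the audit log location and the log line format are assumptions made for illustration.

```r
library(shiny)

# Assumed location for the audit trail; use a protected path in production.
audit_log <- file.path(tempdir(), "access_audit.log")

# Append one audit line: timestamp, session token, event. No uploaded content is logged.
log_event <- function(session, event) {
  line <- sprintf("%s session=%s event=%s",
                  format(Sys.time(), "%Y-%m-%dT%H:%M:%S%z"), session$token, event)
  cat(line, "\n", file = audit_log, append = TRUE, sep = "")
}

ui <- fluidPage(
  p("Uploaded files are used for this session only and are deleted when you leave the page."),
  fileInput("upload", "CSV file", accept = ".csv"),
  tableOutput("summary")
)

server <- function(input, output, session) {
  # Per-session working directory (assumed layout): every copy the app makes lives here.
  session_dir <- file.path(tempdir(), paste0("shiny-", session$token))
  dir.create(session_dir, showWarnings = FALSE)
  log_event(session, "session_start")

  data <- reactive({
    req(input$upload)
    local_copy <- file.path(session_dir, basename(input$upload$datapath))
    file.copy(input$upload$datapath, local_copy, overwrite = TRUE)
    log_event(session, "file_uploaded")
    read.csv(local_copy)
  })

  # Minimise what is displayed: column names and row count, not the records themselves.
  output$summary <- renderTable({
    data.frame(columns = paste(names(data()), collapse = ", "), rows = nrow(data()))
  })

  # Called when the session ends (browser closed or connection dropped):
  # remove the session directory and everything in it, then record the deletion.
  session$onSessionEnded(function() {
    unlink(session_dir, recursive = TRUE, force = TRUE)
    log_event(session, "session_end_uploads_deleted")
  })
}

shinyApp(ui, server)
```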

Does R Shiny need to appear in my privacy policy?

Only if your Shiny application is user-facing and processes personal data. Describe the application purpose, what data is processed, the legal basis, the hosting location, and how users can exercise their rights. If hosted on shinyapps.io, disclose the US transfer and SCC mechanism.