MySQL is an open source relational database used to store application and user data on the server side.
MySQL is the world's most widely deployed open source relational database. It runs on the server side, behind your application, and is used to persist user accounts, orders, content, logs and any other structured data. Originally developed by MySQL AB in Sweden and now owned by Oracle, it is offered both as a free community edition and as commercial editions. Most major cloud providers expose managed variants such as Amazon RDS for MySQL, Google Cloud SQL, Azure Database for MySQL and DigitalOcean Managed Databases.
MySQL itself is neutral storage: the personal data it contains depends entirely on what your application writes to it. In typical web applications this includes emails, hashed passwords, full names, addresses, IP addresses, payment references, support tickets and behavioural logs. MySQL also keeps its own server logs: the general log and slow query log record full statement text, including any email addresses or names passed as literals, and the binary log records every row change. All three can therefore contain personal data that is not covered by your application-level retention rules.
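The following MySQL 8.0 statements, added here as an example and not taken from the page or from MySQL's own documentation, limit how much personal data accumulates in those server logs. The retention periods (7 days of binary logs, 5-second slow query threshold) are assumptions to adjust to your documented retention policy.

```sql
-- Added example: keep personal data out of MySQL's own server logs.
-- Values such as the 7-day binlog retention are assumptions.

-- 1. The general log records every statement verbatim, including literals
--    such as email addresses. Keep it off outside short debugging sessions.
SET PERSIST general_log = OFF;

-- 2. log_raw = OFF (the default) makes the server rewrite passwords in
--    statements such as CREATE USER / ALTER USER before logging them.
--    Verify it has not been switched on: the value must be 0.
SELECT @@GLOBAL.log_raw AS log_raw_must_be_0;

-- 3. The slow query log also stores full statement text. Raise the
--    threshold so only genuinely slow statements are captured, and do not
--    log every unindexed query (those often carry WHERE email = '...').
SET PERSIST slow_query_log = ON;
SET PERSIST long_query_time = 5;
SET PERSIST log_queries_not_using_indexes = OFF;

-- 4. Binary logs are needed for replication and point-in-time recovery, but
--    they are a copy of every row change. Log only the changed columns plus
--    the primary key, and let the server expire files automatically.
SET PERSIST binlog_row_image = MINIMAL;
SET PERSIST binlog_expire_logs_seconds = 604800;   -- 7 days

-- 5. One-off purge after shortening the retention period.
PURGE BINARY LOGS BEFORE NOW() - INTERVAL 7 DAY;

-- 6. Check the result; these values belong in the records of processing.
SHOW VARIABLES WHERE Variable_name IN
  ('general_log', 'slow_query_log', 'long_query_time',
   'log_queries_not_using_indexes', 'binlog_row_image',
   'binlog_expire_logs_seconds', 'log_raw');
```

`SET PERSIST` writes the value to `mysqld-auto.cnf` so it survives a restart; on managed services (RDS, Cloud SQL, Azure) the same variables are set through the provider's parameter group instead. `binlog_row_image = MINIMAL` is a trade-off: change-data-capture tools that need the full before-image of a row require `FULL`, so check your replication and CDC consumers before changing it.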
As soon as MySQL stores information about identified or identifiable natural persons, the GDPR applies. You become a controller (or joint controller) for that data. Key obligations include having a valid legal basis, applying data minimisation, defining retention periods, securing the database with encryption at rest and in transit, restricting access, and being able to honour data subject rights such as access, rectification, erasure and portability. The ePrivacy Directive does not apply to MySQL directly because it is not a terminal equipment storage technology, but it covers the cookies your application sets on top.
Storing operational data in MySQL does not require browser consent because the database lives on your server, not on the user device. The legal basis is typically contract performance (Art. 6(1)(b) GDPR) for the data needed to deliver the service, or legitimate interest (Art. 6(1)(f) GDPR) for security logs and fraud prevention. Special category data (health, religion, biometrics) requires an explicit Art. 9 GDPR basis, usually consent or a specific legal obligation.
MySQL is hosting agnostic. Where the data ends up depends on the region of your virtual machine, your managed database or your colocation provider. To avoid international transfer issues, pick an EU region and verify it covers backups, replicas and disaster recovery sites. If you use AWS RDS, Google Cloud SQL or Azure Database for MySQL operated by a US headquartered provider, you must rely on the EU US Data Privacy Framework or on Standard Contractual Clauses together with a documented transfer impact assessment.
Map every table that stores personal data. Document purpose, legal basis and retention for each. Enforce TLS for client connections, enable encryption at rest (InnoDB tablespace encryption or filesystem level), restrict privileges following the principle of least privilege, pseudonymise identifiers where you can, schedule automated purges of expired data, and back the database up to a region with the same data protection guarantees. Add MySQL to your records of processing activities (Art. 30 GDPR) and to your incident response runbooks.
Websites using MySQL do not need browser consent for the database itself, but they do need a GDPR legal basis for every category of personal data it stores and must disclose that processing in their privacy policy.
DPIA considerations
A DPIA (Art. 35 GDPR) is required when MySQL stores special category data (health, biometrics) or financial data at large scale, when the database is hosted outside the EEA without adequate safeguards, or when it backs profiling and automated decision making systems. For lower-risk processing a documented risk assessment that explains why no DPIA was needed is sufficient.
Sample consent text
No browser consent is required because MySQL runs server side. Inform users in your privacy policy about which categories of personal data are stored, the legal basis, retention periods and hosting region.
No. MySQL is a server side database; it never communicates with the user browser and never writes cookies. Cookies are set by the web application or framework that reads from and writes to MySQL.
Browser consent is not required because MySQL runs on the server. However, when MySQL stores personal data you still need a GDPR legal basis (contract, consent, legitimate interest, legal obligation) and you must disclose the processing in your privacy policy.
Most use cases rely on contract performance (Art. 6(1)(b) GDPR) for data needed to deliver the service and legitimate interest (Art. 6(1)(f) GDPR) for security and fraud prevention. Sensitive data (health, religion, biometrics) needs an Art. 9 basis, typically explicit consent.
MySQL itself does not transfer data, but your hosting choice does. AWS RDS, Google Cloud SQL and Azure Database for MySQL operated from EU regions by US providers still trigger transfer rules under Schrems II. Use the EU US Data Privacy Framework or Standard Contractual Clauses with a transfer impact assessment.
A DPIA is required when the data stored is sensitive, large scale, or supports profiling and automated decisions. For a small CRM or standard SaaS account database, a documented risk assessment is usually enough.
Pick an EU region, enable TLS and encryption at rest, apply least privilege accounts, pseudonymise identifiers, schedule automated retention purges, take encrypted backups, log access centrally and add MySQL to your records of processing activities.
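The statements below turn the technical items of this checklist (and of the fuller checklist earlier on the page: TLS, encryption at rest, least-privilege accounts, pseudonymised identifiers and scheduled retention purges) into MySQL 8.0 DDL. This is an added example, not code from the page or from MySQL; the `app` schema, the table layouts, the account names, the network ranges and the 90-day and 30-day retention periods are all assumptions, and the one customer row is constructed sample data.

```sql
-- Added example: MySQL 8.0 hardening for a schema that holds personal data.
-- Schema, table, user and host names are assumptions.
CREATE DATABASE IF NOT EXISTS app;

-- 1. Encryption in transit: reject every non-TLS connection at the server,
--    and also pin it per account so a config rollback cannot silently undo it.
SET PERSIST require_secure_transport = ON;

-- 2. Least privilege: the web application gets DML on its own schema only,
--    never SUPER, FILE, PROCESS or anything on mysql.*.
CREATE USER 'webapp'@'10.0.1.%'
  IDENTIFIED BY 'replace-with-a-generated-secret'   -- placeholder, assumption
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'webapp'@'10.0.1.%';

-- A read-only reporting account that cannot read the direct identifiers
-- at all: column-level SELECT on the non-identifying columns only.
CREATE USER 'reporting'@'10.0.2.%'
  IDENTIFIED BY 'replace-with-another-generated-secret'
  REQUIRE SSL;
GRANT SELECT (id, pseudonym, country, created_at) ON app.customers
  TO 'reporting'@'10.0.2.%';
GRANT SELECT ON app.events TO 'reporting'@'10.0.2.%';

-- 3. Encryption at rest with InnoDB tablespace encryption. Prerequisite
--    (assumed here): a keyring component or plugin is configured on the
--    server, otherwise CREATE TABLE ... ENCRYPTION='Y' fails.
SET PERSIST default_table_encryption = ON;

-- 4. Data model: direct identifiers live in exactly one table; everything
--    else references a random pseudonym generated at insert time.
CREATE TABLE app.customers (
  id         BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  pseudonym  BINARY(16)      NOT NULL,     -- random token, never derived from email
  email      VARCHAR(320)    NOT NULL,
  full_name  VARCHAR(200)    NOT NULL,
  country    CHAR(2)         NOT NULL,
  created_at TIMESTAMP       NOT NULL DEFAULT CURRENT_TIMESTAMP,
  deleted_at TIMESTAMP       NULL,         -- set when the user requests erasure
  UNIQUE KEY uq_customers_email (email),
  UNIQUE KEY uq_customers_pseudonym (pseudonym)
) ENGINE=InnoDB ENCRYPTION='Y';

CREATE TABLE app.events (
  id          BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  pseudonym   BINARY(16)      NOT NULL,    -- links to customers.pseudonym only
  event_type  VARCHAR(64)     NOT NULL,
  occurred_at TIMESTAMP       NOT NULL DEFAULT CURRENT_TIMESTAMP,
  KEY ix_events_pseudonym (pseudonym)
) ENGINE=InnoDB ENCRYPTION='Y';

-- Constructed sample row; RANDOM_BYTES() gives a pseudonym that cannot be
-- reversed to the email without the mapping in app.customers.
INSERT INTO app.customers (pseudonym, email, full_name, country)
VALUES (RANDOM_BYTES(16), 'alice@example.com', 'Alice Example', 'DE');

-- 5. Retention: nightly purge of behavioural events older than 90 days and
--    hard deletion of erased accounts (and their events) after 30 days.
SET PERSIST event_scheduler = ON;

DELIMITER $$
CREATE EVENT app.purge_expired_data
  ON SCHEDULE EVERY 1 DAY
  DO BEGIN
    DELETE FROM app.events WHERE occurred_at < NOW() - INTERVAL 90 DAY;

    DELETE e FROM app.events e
      JOIN app.customers c ON c.pseudonym = e.pseudonym
     WHERE c.deleted_at IS NOT NULL
       AND c.deleted_at < NOW() - INTERVAL 30 DAY;

    DELETE FROM app.customers
     WHERE deleted_at IS NOT NULL
       AND deleted_at < NOW() - INTERVAL 30 DAY;
  END$$
DELIMITER ;
```

Two checks are worth running afterwards: `SHOW GRANTS FOR 'webapp'@'10.0.1.%'` to confirm no privilege outside `app.*` crept in, and `SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'app'` to confirm `ENCRYPTION='Y'` on every table. The `DELIMITER` lines are a mysql command-line client convention; other clients accept the `CREATE EVENT` body as-is. Note that tablespace encryption protects the data files and backups taken from them, not data already dumped in plain text by `mysqldump`, so encrypt dump files separately.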
PostgreSQL is the closest open source alternative with stronger SQL compliance. MariaDB is a community fork of MySQL. For managed European hosting consider Scaleway Database, OVHcloud Public Cloud Databases or Hetzner Cloud. Pick the option whose data residency matches your obligations.
MySQL itself does not appear in the cookie policy because it sets no cookies. Update the privacy policy instead to describe what categories of personal data you store, the legal basis, retention and hosting region.