Joomla in Faces. Marc-Antoine Thevenet (data protection specialist)
- Published: 22 October 2025
- Last modified: 28 October 2025
For over 15 years, Marc-Antoine Thevenet has been a cornerstone of the Joomla! project, shaping its very foundation. As a key figure in the Joomla! Production Leadership Team, his work directly influences the content management system used by millions. From coding and release strategy to mentoring new contributors, his contributions are both deep and wide-ranging. We sat down with him to discuss the past, present, and future of open-source CMS development.
1. Could you introduce yourself to the audience, please?
2. How did your first encounter with Joomla happen?
To be honest: kind of by chance! Back in 2007, with Sandra Decoux (who doesn’t know her?), we weren’t thrilled with the web agencies’ solutions for our business. So we decided to test the CMS options ourselves… and learn by doing. Lots of discoveries and wins, a few letdowns—the real school of life.
Timing-wise, it was the 1.5 era, or maybe already 2.5. What made the difference? The community. Without the Joomlers’ support—especially the forum—we probably wouldn’t have picked Joomla after all our trials. Their help was decisive… and it opened the door to a long and lovely story.
3. Have you worked with other Content Management Systems besides Joomla?
Hahaha, I confess, I’ve strayed a few times. Mostly with static setups like Grav or Jekyll for very specific needs. But every time I tried a heavier CMS, I snapped right back to Joomla. Why?
Because it’s both fun and rock-solid, with unique features like proper ACLs and true native multilingual (not a duct-taped add-on) that let you build bespoke sites without stacking thirty plugins.
And once again, the community matters: responsive, kind, pragmatic. That makes all the difference when you need to deliver something maintainable, secure, and clean over the long run. So yes, a few well-assumed dalliances—but my CMS “first love” is still Joomla, and the community involvement has only reinforced that choice.
4. Please introduce your current work and the projects you're involved with.
I drifted away from Joomla and its community—probably because I over-invested at one point. These days I’m focused on an old passion of mine: defending fundamental freedoms and protecting personal data. In practice, I work as a DPO/lawyer, helping companies and public bodies with compliance—especially international data transfers and cross-border relationships. I also jump in on data governance and cyber hygiene, because a great contract never fixes a lousy configuration.
I teach these topics at Université Savoie Mont-Blanc, and I still wink at the class: “the best CMS is Joomla.” (Promise, I hand the papers back after. 😜) On the ground, I support sensitive projects and regularly operate in cross-border contexts (EU ↔ North America, Indian Ocean).
I also make forays into Web3/Bitcoin projects with the same compass: minimize, secure, document. And when someone asks for web development, I advocate for a lean, maintainable approach—guess which CMS?—and I’m happy to recommend solid partners, notably IdimWeb, when you need bespoke, reliable work. Long story short: I’m no longer active in the Joomla inner circle (which has more or less forgotten me), but I remain a firm ally of open source—and a champion of a useful, ethical, sustainable web.
5. GDPR holds web integrators to a high standard and requires specific knowledge to implement its rules. What are the most common mistakes you see web integrators make?
The list would be endless 😄. Mistake number one is thinking, “Since the client isn’t based in the EU, the GDPR doesn’t apply.”
Then come the usual suspects: cookies, trackers, and pixels firing before consent—even though clean technical solutions exist to block, log, and honor user choice. Same story with contact forms: collect everything “just in case,” forget minimization, and end up with mandatory fields that have no business being there. As for cookie banners that feel like psychological puzzles… you can be simple, clear, and symmetrical.
Another classic: no retention periods. Data piles up in a digital attic “just in case”—until the day you’re frantically looking for an exit. A readable retention policy, automated purges, and anonymization where needed: your future self will thank you.
We don’t talk enough about accessibility (RGAA) or the AI Act, yet both are very real. One directly shapes your interfaces and brand; the other governs your “smart” features (transparency, governance, logs, risk management). Ignore them, and you’re taking on legal and technical debt. Last but not least: processors. Hosting, email, analytics, captcha… people accept T&Cs without checking compliance, transfers, or data-protection clauses. A bit of due diligence saves nasty surprises (and a few cold sweats).
Joomla bonus: pick lean extensions (with data docs and purge hooks), put notices and consent right next to your forms via overrides, and keep your updates/security changelogs with a ready-to-roll rollback plan.
Golden rule: minimize, secure, document. And when in doubt… document again. 😉
Need a quick outside look? My DMs are open.
6. What resources do you think the community needs to better comply with GDPR? For example, are there specific extensions that would help?
Good news: lots of useful things are still missing… and totally within reach. Here’s what would really help (promise: concrete and plug-and-play).
- An opinionated CMP for Joomla: clean banner, symmetrical “Accept all / Reject all” buttons, purpose-level granularity, real script blocking, timestamped proof of consent, auto-scan mode for tags, and easy template integration. No need for 42 options—just the right defaults.
- A per-site/extension Data Inventory: a plugin that lists, for each extension, which data is collected, where it’s stored, for how long, and how to purge it. Bonus: a “data-light” badge on the JED to reward good actors.
- Standard purge & anonymization hooks: a tiny Joomla standard so all extensions expose the same events/pipelines: delete, anonymize, export. Result: truly cross-cutting “purge” buttons (and calmer nights).
- A Retention Manager: centralized retention plan with simple rules (“prospects 3 years,” “logs 3 months”), cron purges, anonymization, dashboard. Click, and it’s tidy.
- The “Responsible Forms” pack: ready-to-use overrides with minimized fields, clear notices, properly wired consent box(es), double opt-in, logs, and email templates. (Let’s stop asking for a birthdate for a plumbing quote 😇)
- A DPIA / e-commerce assistant: a wizard for Hikashop/VirtueMart & co. with typical risks, recommended measures, exportable reports (PDF/CSV), and cross-border transfer checks.
- Privacy Presets (security & accessibility): privacy-by-default presets (disable the non-essential, self-host assets, IP anonymization, security headers), plus an RGAA checklist to avoid UI missteps.
- A community light-audit program: top 50 extensions reviewed by volunteers (data map, purge, consent) + a community label. Not to punish—just to lift everyone up.
Voila, voila, voila… and a few more.
In short: a solid CMP, a clear data inventory, standardized purges, and presets that set the right defaults. Keep it simple, keep it clean, and document it.
Up for a Joomla Privacy Starter Kit? I’ll spin up the repo, you bring the coffee ☕️
7. A common situation is when a site needs a Data Protection Officer. Is it typical for a web developer to also take on the role of Data Protection Officer for a small business?
ABSOLUTELY NOT! (Or… very rarely—and it’s not a great idea.) 😉
A developer becoming the client’s DPO is like the referee scoring goals: convenient, but not exactly compliant.
Why? The GDPR spells it out (Arts. 37–39):
- Conflict of interest (Art. 38(6)): The DPO must not determine purposes or means. Yet devs often choose hosting, analytics, forms, and retention—i.e., they do determine the means.
- Independence & resources (Art. 38): The DPO reports to top management, acts without instructions, and needs time, budget, and access to information. Hard to do if you’re also the person “building” day to day.
- Competence (Arts. 37–39): The DPO is picked for expert knowledge of data-protection law and the ability to audit and push back. That’s not the same job as web integration. When I need a plugin, I ask a dev—fair enough, right?
- If a DPO is mandatory: hire an external, part-time DPO.
- If a DPO isn’t mandatory: appoint an internal GDPR lead (business/legal side), and let the developer implement the approved choices (CMP/consent tool, data minimization, security, retention & purge). Clear roles = better sleep for everyone.
8. Regarding GDPR and eCommerce: Is it legal to keep a user's data in the list of orders if that user has requested data removal?
Great question—I’ll try not to lose anyone along the way!
Yes… but not in every case and not any old way. When someone requests erasure (GDPR Art. 17, different from the right to object), you must delete anything that isn’t necessary. However, you can (and must) keep data that the law requires or that you need to defend your rights. In e-commerce, that typically means accounting and tax records (invoices, entries), certain contractual evidence (orders, deliveries, warranties), and, if needed, items useful in case of a dispute. In other words: don’t keep data “for convenience”—keep only what’s legally required, and keep the bare minimum.
- Erase/anonymize on the customer front side: account/profile, preferences, carts, visible history, newsletters, marketing pixels/IDs.
- Keep a legal archive: required orders/invoices, segregated with restricted access (for accounting/tax or legal defense) for the country-specific legal period (e.g., in France, long retention for accounting records; multi-year VAT obligations).
- Minimize what remains: no unnecessary info, no retargeting, no commercial reuse. Where possible, decouple archives from marketing IDs (e.g., replace the email with a hash in operational systems, while keeping the email on the invoice only if the law demands it).
- Document & explain: record it in your register/retention policy and tell the requester: “We deleted your non-mandatory data. We’re retaining only X and Y for legal purposes for Z years, stored in a secure archive, with no marketing use.”
- Backups: don’t restore a backup just to purge one person. Let backups age out as normal; if you ever restore exceptionally, re-apply the erasure.
- Processors (payments, shippers, CRM, etc.): ask them to erase what isn’t required and verify their own retention periods for what must remain.
Compass to remember: legal purpose = yes, marketing = no. Keep only what the law mandates, lock it down, disclose the timeframe—and cut any “feed back” into the user experience.
Bonus: your future DPO will thank you at audit time.
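The erase / archive / pseudonymize split described in the answer above, written out as an added Python example. This is editorial code, not from the interview and not from any Joomla or e-commerce component. One caveat worth making explicit: “replace the email with a hash” only decouples the record if the hash is keyed. A plain SHA-256 of an address can be reversed by hashing a list of known addresses, so the example uses an HMAC with a secret key kept outside the database. The retention period, the archive field list, the record layout and the sample customer/orders are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Key for pseudonymisation. Assumed to live outside the database (secrets manager or a
# config file outside the web root): an unkeyed sha256(email) can be reversed by hashing
# a list of known addresses, an HMAC with a secret key cannot, and destroying the key
# later turns the pseudonyms into anonymous data.
PSEUDONYM_KEY = b"example-only: rotate me and store me outside the database"

# Assumed retention for invoices; the real period is set by national tax/accounting law.
INVOICE_RETENTION = timedelta(days=10 * 365)

# Fields assumed to be needed on the archived invoice; everything else is dropped.
ARCHIVE_FIELDS = ("order_id", "invoice_date", "total", "billing_name", "billing_address")

# Constructed sample data (not from any real shop).
TODAY = date(2025, 10, 28)
CUSTOMER = {"id": 42, "email": "Jane.Doe@example.com", "name": "Jane Doe",
            "phone": "+33612345678", "newsletter": True, "cart": ["sku-1"]}
ORDERS = [
    {"order_id": "A-1001", "customer_id": 42, "email": "jane.doe@example.com",
     "invoice_date": date(2024, 3, 1), "total": 120.0, "billing_name": "Jane Doe",
     "billing_address": "1 rue Exemple, 73000 Chambéry", "marketing_campaign": "spring-sale",
     "utm_source": "newsletter"},
    {"order_id": "A-0310", "customer_id": 42, "email": "jane.doe@example.com",
     "invoice_date": date(2012, 5, 20), "total": 35.0, "billing_name": "Jane Doe",
     "billing_address": "1 rue Exemple, 73000 Chambéry", "marketing_campaign": None},
    {"order_id": "B-2002", "customer_id": 7, "email": "someone@example.org",
     "invoice_date": date(2025, 9, 9), "total": 9.5, "billing_name": "S. One",
     "billing_address": "2 avenue Test, 74000 Annecy", "marketing_campaign": None},
]


def pseudonym(email: str) -> str:
    """Stable keyed pseudonym: the same address always maps to the same token,
    so operational rows of one person stay linkable without storing the address."""
    normalised = email.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()[:16]


def erase_customer(customer: dict, orders: list[dict], today: date) -> dict:
    """Apply an erasure request to a customer and the order table.

    Front side: the profile is wiped entirely. Orders still inside the legal
    retention period are copied to a minimal archive and replaced in the
    operational table by a pseudonymised row; older orders are deleted outright.
    """
    token = pseudonym(customer["email"])
    archive, operational, deleted = [], [], []
    for order in orders:
        if order["customer_id"] != customer["id"]:
            operational.append(order)            # another customer's order: untouched
            continue
        if today - order["invoice_date"] > INVOICE_RETENTION:
            deleted.append(order["order_id"])    # past the legal period: nothing to keep
            continue
        archive.append({k: order[k] for k in ARCHIVE_FIELDS if k in order})
        operational.append({                     # no e-mail, no customer id, no marketing fields
            "order_id": order["order_id"],
            "customer_ref": token,
            "invoice_date": order["invoice_date"],
            "total": order["total"],
        })
    return {"profile": None, "archive": archive, "operational": operational,
            "deleted_orders": deleted}


if __name__ == "__main__":
    result = erase_customer(CUSTOMER, ORDERS, TODAY)
    print("archived:", [o["order_id"] for o in result["archive"]])
    print("deleted:", result["deleted_orders"])
    print("operational:", result["operational"])
```

In a real shop the archive would be written to a segregated table or store with its own ACL, and the operational rows would be updated in place; the function returns the three result sets so the effect is visible without a database.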
9. Another question: If a user requests data removal, what should be done with server logs and backups that contain that data from a previous period?
A timeless classic—and it ties back to the previous question.
TL;DR: erase in production, minimize in logs, and let backups expire on their normal schedule. Don’t spin up a backup just to delete one person: that’s disproportionate… and risky.
Practically:
- Production: delete/anonymize the user’s data in live systems (account, CRM, analytics, etc.).
- Server logs: we don’t “rewrite history.” Keep only what’s necessary for security and traceability (lawful basis: legitimate interest), then rotate/purge automatically. Ideally anonymize (truncated IP), filter sensitive params, and ban any PII in error messages.
- Backups: never restore a backup solely to erase one person. Let retention do its job. If you must restore for an incident, immediately re-apply the erasure request on the restored environment.
- Processors: notify your hosts/tools (CDN, managed logs, APM) of the request and verify their retention periods.
- Transparency: tell the person: “Your active data has been deleted/anonymized. Logs and backups aren’t accessible in production; they’re kept for security for X days/months and then destroyed. In case of an exceptional restore, your erasure will be re-applied.”
- Clear retention policy (e.g., HTTP logs ≤ 3 months; app logs 1–3 months).
- Anonymization by default (truncated IPs, masked emails, drop sensitive payloads).
- Log hygiene: no PII in traces; mask fields like Authorization, email, phone.
- Automation: logrotate/cron, purge scripts, retention dashboards.
- Documentation: register, “erasure & backups” procedure, and a clause in the privacy policy.
- Compass: minimize, secure, document… and explain it simply. 😉
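The log-side measures listed in the answer above (truncated IPs, masked emails, redacted Authorization headers, sensitive query parameters dropped, then a fixed retention window) as one added Python example. This is editorial code, not from the interview and not part of Joomla. The log lines are constructed for the demonstration, the 90-day window follows the answer’s own “HTTP logs ≤ 3 months” figure, and the list of sensitive parameter names is an assumption to tune per site. The IP truncation keeps a /24 for IPv4 and a /48 for IPv6, which is the usual analytics-style anonymization; if your legitimate-interest assessment needs a coarser prefix, change the two numbers.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines (not real traffic): two access-log lines, one application
# log line with a leaked header, and one line old enough to fall outside retention.
SAMPLE_LOG = """\
203.0.113.42 - - [01/Oct/2025:10:15:32 +0000] "GET /index.php?option=com_users&email=jane.doe@example.com&token=abc123 HTTP/1.1" 200 5123 "https://example.org/" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [01/Oct/2025:10:16:01 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
[01/Oct/2025:10:17:45 +0000] ERROR Mail send failed for john.smith@example.net (tel +33 6 12 34 56 78) Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig
198.51.100.7 - - [15/Jun/2025:08:00:00 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "curl/8.0"
"""

# Query-string keys whose values are dropped before a line is retained (assumed list; tune per site).
SENSITIVE_PARAMS = {"token", "password", "passwd", "email", "phone", "secret"}

EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
AUTH_RE = re.compile(r"(Authorization:\s*(?:Bearer|Basic)\s+)\S+", re.IGNORECASE)
PHONE_RE = re.compile(r"\+\d[\d .-]{7,}\d")  # international numbers such as +33 6 12 34 56 78
URL_RE = re.compile(r'(?:https?://[^\s"]+|/[^\s"]*\?[^\s"]+)')  # absolute URL, or a path with a query
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

NOW = datetime(2025, 10, 28, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def truncate_ip(ip: str) -> str:
    """Zero the host part: /24 for IPv4, /48 for IPv6. Raises ValueError if not an IP."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def scrub_url(url: str) -> str:
    """Replace the values of sensitive query parameters, keep the rest of the URL intact."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scrub_line(line: str) -> str:
    """Apply every masking rule to one log line, then truncate a leading client IP."""
    line = URL_RE.sub(lambda m: scrub_url(m.group(0)), line)
    line = EMAIL_RE.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", line)
    line = AUTH_RE.sub(r"\1[redacted]", line)
    line = PHONE_RE.sub("[phone]", line)
    head, sep, tail = line.partition(" ")
    try:
        head = truncate_ip(head)       # access-log lines start with the client IP
    except ValueError:
        pass                           # application-log lines do not; leave them alone
    return head + sep + tail


def parse_ts(line: str):
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def purge_expired(lines, now: datetime, max_age: timedelta):
    """Keep only lines younger than max_age; lines with no parsable timestamp are dropped too."""
    kept = []
    for line in lines:
        ts = parse_ts(line)
        if ts is not None and now - ts <= max_age:
            kept.append(line)
    return kept


def process_log(text: str, now: datetime, max_age: timedelta = timedelta(days=90)) -> list[str]:
    """Retention first (expired lines are dropped, never rewritten), then scrubbing."""
    retained = purge_expired(text.splitlines(), now, max_age)
    return [scrub_line(line) for line in retained]


if __name__ == "__main__":
    for line in process_log(SAMPLE_LOG, NOW):
        print(line)
```

Run it from a logrotate `postrotate` hook or a cron job against the rotated file and write the result to the retained copy; the raw file should then be deleted, since keeping both defeats the purpose.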
10. What recommendations do you have for web developers concerning GDPR compliance in Joomla?
The obvious answer: ask your DPO 😉
Here’s my no-nonsense starter kit for calm, compliant Joomla sites—practical, concrete, and headache-free.
- Choose lean tools: well-known extensions, minimal data collection, clear docs (what data, purge, hooks). If a plugin “mystifies” its data use, walk away.
- Quick data map: which forms, which data, why, where it goes (processors), and how long you keep it.
- Minimization: only what’s truly needed (and no, the phone number isn’t “always needed” 😇).
- Essential notices: who collects, why, legal basis, link to policy, consent boxes where required.
- Newsletters: double opt-in; nothing pre-checked.
- A proper CMP: symmetrical “Accept all / Reject all,” per-purpose granularity, real pre-consent blocking, timestamped proof.
- Core “Privacy” component: exportable access/erasure requests—looks professional and works.
- User Action Logs: track who did what.
- Overrides: cleanly embed notices and consent right in the views.
- TLS everywhere, admin 2FA, strong passwords, role hygiene with ACLs (retire those “forever super-admins”).
- Encrypted, tested backups kept off prod. Regular updates + a rollback plan.
- If you add AI bits, keep transparency and prompt/decision logs. No black magic.
- No retargeting without explicit consent; prefer clean transactional emails.
- A living Privacy page (purposes, bases, durations, recipients, transfers) and an up-to-date register.
And yes… I did try to keep it short :D
11. Marc-Antoine, how would you describe your experience teaching courses or speaking to university students? How would you describe the emotions involved?
People who know me will tell you I’m a bit of a lone bear (for sure), and yet teaching, for me, is a lively blend of adrenaline, pedagogy… and humility. Right before I walk into the lecture hall, I’m torn between excitement (share, debate!) and that “good stage fright” of a musician tuning their guitar backstage.
In front of me: curious eyes, sometimes skeptical, often in a hurry. My job is to hook attention in five minutes: a real case (data breach, dark pattern), a needle-sharp question (“Who here actually reads the T&Cs?”), and we build from there. When the room flips from “GDPR = paperwork” to “GDPR = real business lever,” I know we’ve won the round.
Emotion-wise, it’s a full spectrum: the joy of those “aha!” moments (that collective oooh), the frustration at some… creative digital hygiene, and a quiet pride when a student says, “I got the cookie banner changed during my internship.” Let’s be honest: two hours can feel long if you stay theoretical. Hence my credo: 30% concepts, 70% real-world cases.
My method? Ultra hands-on: scenarios, group work, quick-fire audits of real sites, and a simple lens—minimize, secure, document. I give tools you can reuse the very next day (checklists, templates), and I show how compliance boosts conversion, reputation, and resilience—not just box-ticking.
That’s my mantra: yes, data protection respects users and avoids hefty fines but it can also be a fantastic commercial asset that puts you ahead of the competition.
There are funny moments too: the student convinced that “Azerty123!” is “uncrackable,” and a few other gems. We laugh, we fix, we move on. The goal isn’t guilt, it’s empowerment. After class, what I feel most is gratitude. Gratitude for the group’s energy, for the questions that challenge me, and for the trust of the teaching teams. And yes, a little endorphin hit when I read, “I finally understand what a DPO is for.”
In short: teaching keeps me sharp, curious, and very human. I leave drained… and recharged. Paradoxical? Sure. But that’s exactly the joy of aligning knowledge, practice, and transmission—with a wink to Joomla whenever I get the chance. 😉
12. How would you describe the French Joomla Community to the outside world in a few words?
Ouch… the spicy question—the one I should probably play a joker on 😄.
Honestly, I’ve often crossed swords with the French-speaking community (and I do mean French-speaking, because it goes far beyond France; that diversity is a real strength). Its relationship with the wider Joomla world sometimes feels like miniature geopolitics: lots of love, a few misunderstandings, and that very… French urge to stand apart, as if we, heirs to the “Age of Enlightenment” (lights flickering a bit these days), held a special truth, if not the truth. Old-timer Joomlers know what I mean. We even dubbed ourselves the “indomitable Gauls.”
For my part, I’ve always disliked clique culture, maybe because I’ve worked across so many different cultures.
Glass half full, though: that creative friction moves the conversation forward. Well-framed, conflicting viewpoints force us to clarify, document, and raise the bar. In the end, the francophone community blends high standards, candor, and pride in a job well done—with enough humor (and panache) to self-correct. That’s exactly what makes it valuable to the project.
A constructive thorn in the side, in the best possible way.
13. What motivates you to contribute to Joomla, and what do you get out of it?
At the core, it’s gratitude: Joomla gave me a lot: method, network, discipline. Contributing was my way of giving back to a project that shaped me, both technically and humanly.
There’s also real values-alignment: open source, technical frugality, quality that lasts, privacy by design. Joomla lets me champion a practical, useful web—no smoke and mirrors.
What I’ve gained most is people. Bright, kind folks and a network you can count on. I’ve had memorable Joomla events all over the world (never asked for reimbursements :p ): you can clash over a beer at noon… and burst out laughing over another in the evening. So many Joomlers have vacationed at my place! That’s what sticks with me: ten years of genuine happiness. Don’t ask for the friends list, it’s as long as the WordPress plugin directory 😁. And a thought for those we’ve lost; you realize those bonds went far beyond a tech collaboration.
Another driver: curiosity. Learn, learn, and learn again, not so much as a dev (I’m not a coder), but through missions with teams from everywhere. Different cultures, faiths, languages, and approaches… one shared goal. You learn from others, you adapt, and you’re proud to get, say, an Indian and a Pakistani teammate working seamlessly together. That human and intellectual alchemy made me want to contribute, and it still fuels my desire to pass it on.
14. What are the key advantages of Joomla that you would highlight?
As we wrap up, you can probably guess my answer: the Community.
It’s the reason I chose Joomla, the source of some of my best professional moments (and many lasting friendships), and the place that taught me to raise the bar—technically, humanly, ethically.
What does that community look like in practice? Skilled, approachable volunteers; FOSS governance that holds up even when the headwinds blow; events where you learn as much as you laugh; code reviews that lift the standard; a real culture of sharing (docs, best practices); and a reflex for privacy and quality. In short, Joomla is an excellent CMS of course but its community is what makes it a sustainable choice. Without it, Joomla would be a tool; with it, it’s a living project.
15. Joomla is turning 20. What are your thoughts on this milestone?
Twenty years already! That’s an eternity on the web. It’s the age where a CMS stops being just “tech” and becomes an institution. To me, it proves the architecture is sound, the FOSS governance is resilient (and still improvable), and the community doesn’t quit. We’ve seen the fads, the “revolutions” promised every six months… and Joomla is still here: solid, useful, elegant.
This jubilee is, above all, a thank-you to the volunteers—the people who patch, document, test, welcome, and teach. Without them, there’d be no 2.5, no 3, no 5… and no 20 candles.
What’s next? Keep welcoming newcomers (also keep it free as in freedom, and reach the “not free as in free beer” side too, if you want to keep pros), keep pushing innovation, double down on accessibility and privacy by design, and keep the docs and presets that set the right defaults. In other words: stay true to what works, while keeping the courage to evolve.
My only worry: looking at the pics and so on, it can sometimes feel like a veterans’ reunion. I’d love to see fresh blood, young folks who shake us up, challenge our certainties, and pull us out of our comfort zone. Young French contributors, maybe? That would be the cherry on the cake 😁😁
Twenty years calls for a Joomla-style celebration: one commit, one coffee, and lots of laughter.
Long live the project—see you at 30. 🎉 And like in “Hotel California,” you can check out any time you like… but you never really leave.