Hi,

>> The way GDPR is written, if you want to collect (and store) so much as
>> the IP address of the potential customer who visited your website, you
>> need their informed consent and you can’t require that they consent as
>> a condition of providing service.
> 
> What we were told is that since security > GDPR, storing IPs in logs is 
> obviously OK since it’s a legal requirement.

GDPR article 6.1c (legal obligation) and 6.1f (legitimate interests) would 
probably both qualify for logging HTTP requests.

In this context it's also not likely that the IP address is considered personal 
data at all. Personal data is defined as data related to "an identifiable 
natural person is one who can be identified, directly or indirectly, in 
particular by reference to an identifier such as a name, an identification 
number, [...]". If you have no way to determine who an IP address belongs to 
then it's not personal data to you.

This can actually be a tricky point: the ISP who provides connectivity to a 
customer obviously knows which IP address they provided, so to that ISP the IP 
address is definitely personal data. If you ask for someone's name on your 
website and you log the IP address together with answers then you suddenly turn 
that IP address into personal data, even regarding your web server logs.

To be safe, adding something like the following to the privacy notice on the 
website would be fine for this case: "In order to comply with law enforcement 
requirements and to be able to detect and investigate abuse of our website we 
log all requests including the IP addresses of the requester. If our systems 
detect abuse they may block access to our services from that IP address. This 
data will be stored for up to 2 weeks and will then automatically be deleted." 
Add boilerplate text for contact information etc. and that should cover article 
13.

> Storing them in a database for targeting / marketing is not.
> 
> What is a gray area so far is any use of IDS/IPS…

Sounds like legitimate interests to me :)  But it really depends on what is 
done with that information. Just protecting your servers should be fine. The 
big change with the GDPR is that you have to tell your users that you do this.

Hmmm. It might be a good idea to write some boilerplate privacy policy text for 
common components like IDP/IDS, load balancers, web server logs, DDoS 
protection etc.

Cheers,
Sander