Whois vs GDPR, latest news

Sander Steffann sander at steffann.nl
Sun May 27 20:28:05 UTC 2018


Hi,

>> The way GDPR is written, if you want to collect (and store) so much as
>> the IP address of the potential customer who visited your website, you
>> need their informed consent and you can’t require that they consent as
>> a condition of providing service.
> 
> What we were told is that since security > GDPR, storing IPs in logs is obviously OK since it’s a legal requirement.

GDPR article 6.1c (legal obligation) and 6.1f (legitimate interests) would probably both qualify for logging HTTP requests.

In this context it's also not likely that the IP address is considered personal data at all. Personal data is defined as data relating to an identifiable natural person, and "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, [...]". If you have no way to determine who an IP address belongs to then it's not personal data to you.

This can actually be a tricky point: the ISP who provides connectivity to a customer obviously knows which IP address they provided, so to that ISP the IP address is definitely personal data. If you ask for someone's name on your website and you log the IP address together with the answers then you suddenly turn that IP address into personal data, even regarding your web server logs.

To be safe, adding something like the following to the privacy notice on the website would be fine for this case: "In order to comply with law enforcement requirements and to be able to detect and investigate abuse of our website we log all requests, including the IP addresses of the requester. If our systems detect abuse they may block access to our services from that IP address. This data will be stored for up to 2 weeks and will then automatically be deleted." Add boilerplate text for contact information etc., and that should cover article 13.

> Storing them in a database for targeting / marketing is not.
> 
> What is a gray area so far is any use of IDS/IPS…

Sounds like legitimate interests to me :)  But it really depends on what is done with that information. Just protecting your servers should be fine. The big change with the GDPR is that you have to tell your users that you do this.

Hmmm. It might be a good idea to write some boilerplate privacy policy text for common components like IDS/IPS, load balancers, web server logs, DDoS protection etc.

Cheers,
Sander
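
As an added example (not part of the original post or of the NANOG thread), the script below implements the two technical commitments made in the sample privacy notice above: abuse detection that produces a list of IP addresses to block, and automatic deletion of log entries older than the stated 2-week retention period. The threshold, the one-minute detection window, the `process` function name and the sample log lines (Apache/nginx combined format, RFC 5737 documentation addresses) are all constructed assumptions for illustration, not anything described in the post.

```python
"""Log retention and abuse detection matching the sample privacy notice.

Added example, not code from the original post. Everything below (the
threshold, the window, the sample log lines) is a constructed assumption.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Retention period promised in the sample notice: "up to 2 weeks".
RETENTION = timedelta(days=14)
# Hypothetical abuse rule: more than ABUSE_THRESHOLD requests from one IP
# inside one WINDOW is treated as abuse and the IP is blocked.
ABUSE_THRESHOLD = 5
WINDOW = timedelta(minutes=1)

# "Now" fixed to the date of the post so the example is reproducible.
NOW = datetime(2018, 5, 27, 20, 28, 5, tzinfo=timezone.utc)

# Combined log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two normal requests, six rapid-fire login attempts
# from one address, one entry older than the retention period, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2018:20:10:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/May/2018:20:10:02 +0000] "GET /about HTTP/1.1" 200 812',
] + [
    f'198.51.100.9 - - [27/May/2018:20:15:0{i} +0000] "POST /login HTTP/1.1" 401 64'
    for i in range(6)
] + [
    '192.0.2.33 - - [01/May/2018:09:00:00 +0000] "GET / HTTP/1.1" 200 512',
    'this is not a log line and must be skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "request": m.group("req"), "status": int(m.group("status"))}


def prune_expired(entries, now=NOW, retention=RETENTION):
    """Keep only entries younger than the retention period (auto-deletion)."""
    return [e for e in entries if now - e["ts"] < retention]


def detect_abuse(entries, threshold=ABUSE_THRESHOLD, window=WINDOW):
    """Return the set of IPs exceeding `threshold` requests in any fixed window.

    Requests are bucketed by (ip, floor(timestamp / window)); this is a
    simple fixed-window counter, not a sliding window.
    """
    secs = window.total_seconds()
    counts = Counter((e["ip"], int(e["ts"].timestamp() // secs)) for e in entries)
    return {ip for (ip, _bucket), n in counts.items() if n > threshold}


def process(lines, now=NOW):
    """Parse, apply retention, detect abuse. Returns (kept_entries, blocked_ips)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    kept = prune_expired(entries, now)
    blocked = detect_abuse(kept)
    return kept, blocked


if __name__ == "__main__":
    kept, blocked = process(SAMPLE_LOG)
    print(f"{len(kept)} entries retained, blocked IPs: {sorted(blocked)}")
```

In a real deployment the retention step would be a logrotate or cron job rather than an in-memory filter, and the block list would feed a firewall or WAF; the point here is only that both statements in the notice map to a concrete, checkable mechanism.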

More information about the NANOG mailing list