7

Is it still allowed to have server access log files under the new GDPR? Because of the gathering of IP addresses is not allowed, I can imagine that system operators are in violation of the law in countries where the GDPR is active.

Edit (thanks to HBruijn): "Because of the gathering of IP addresses under the GDPR seems to be not allowed"

Edit: the server log files are to maintain server integrity.

HBruijn
  • 72,524
  • 21
  • 127
  • 192
C.A. Vuyk
  • 612
  • 10
  • 17
  • 7
    I'm voting to close this question as off-topic because it's fundamentally a *legal* question. – ceejayoz Apr 16 '18 at 14:23
  • 3
    Your best approach here is a) lawyer or b) Google "GDPR log files". – ceejayoz Apr 16 '18 at 14:24
  • https://www.eugdpr.org/ – joeqwerty Apr 16 '18 at 15:40
  • 3
    I'm **not** voting to close. The scope of this legal question is limited to a very central part of professional sysadmin work, and it is possible to answer to this from purely practical perspective, without actual interpretation of the law. – Esa Jokinen Apr 16 '18 at 16:33
  • I just started a [discussion on meta](https://meta.serverfault.com/questions/9281/borderlines-for-gdpr-related-questions) since this is broader than this individual question. – Esa Jokinen Apr 16 '18 at 17:35
  • 1
    Possible duplicate of [Can you help me with my GDPR issue?](https://serverfault.com/questions/908181/can-you-help-me-with-my-gdpr-issue) – Esa Jokinen Apr 18 '18 at 10:24
  • Not a duplicate, this question is more specific than your discussion – C.A. Vuyk Apr 19 '18 at 11:16
  • @C.A.Vuyk Closing as a duplicate doesn't require the two questions to be exactly the same - it's sufficient if there's an *answer* that fits. – Jenny D Apr 25 '18 at 09:54
  • 1
    _Is it still allowed to X under the GDPR?_ where `X = have log files`. For every X the answer is always: *it depends*. – Esa Jokinen Apr 25 '18 at 13:21

2 Answers2

10

The General Data Protection Regulation (GDPR) is for protecting privacy and giving the control over personal data back to citizens. It's not a list of things not to do, even though there's quite a mythology around it already. Currently working as a GDPR mythbuster (not official job title, unfortunately) I've already seen a lot of misunderstanding, misleading and honest uncertainty.

Selected quotations from Art. 5:

Personal data shall be:

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; - - (‘purpose limitation’);

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

More important than what is collected that it is collected for legitimate purposes and only used for those. One reason to collect IP addresses in log files might be to comply with the integrity and confidentiality: if the purpose of the log files is to detect and prevent illegitimate use of personal data, then it may be for ensuring the privacy, not for violating it.

Just focus on documenting how and why this data is collected, processed and destroyed after it's not needed anymore. If you don't consider your purposes falls in Art. 6 lawful "necessary for compliance with a legal obligation" nor "necessary in order to protect the vital interests of the data subject or of another natural person", the given consent is always the most safe & clear case.

Esa Jokinen
  • 43,252
  • 2
  • 75
  • 122
7

Because of [the GDPR] the gathering of IP addresses is not allowed

That simplification is patently incorrect.

The GDPR provides a legal framework for how personal data may be collected, stored and processed. IP-addresses are considered digital personal data governed by that legislation.

Article 6 point 1 provides 6 conditions that make it legal to process personal data (including IP-addresses) and it is already sufficient if only a single one of those is applicable for your purpose.

So it may well be that the IP addresses in your log files are not a violation.

(You may for instance have consent from your users to collect their IP addresses for a specific purpose.)

Since IP addresses are considered personal data, they have to be treated as such and relevant safeguards have to be taken to ensure their security.

Falko
  • 109
  • 5
HBruijn
  • 72,524
  • 21
  • 127
  • 192