GDPR and server logs
I suppose that this may be outside the scope of this forum (except possibly for Umbraco Cloud) as it relates to the hosting environment.
My understanding is that a service must receive consumer consent prior to data collection.
If this is correct, a server log that records a requesting IP address with the user's original request for a page (before consent can be given) may be problematic.
Does anyone have any thoughts?
Comment author was deleted
IP addresses are personal data under the GDPR, and as such you can’t collect it without having obtained consent (and being able to document that consent where given) from the persons you’re collecting information about.
There is an exception given for the requirement about obtaining consent that allows for limited collection of personal data when this is collected for the sole purpose of detecting and preventing unauthorized access, or other network security needs. You still have to delete this data in a timely fashion, limit access to it even within your own organization, and ensure it’s securely stored.
I wrote up some specifics about this topic in EU GDPR and personal data in web server logs if you're interested in more details, including a suggested implementation with logrotate and GnuPG encryption.
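The controls the reply lists (collect the full log only for the security purpose, delete it in a timely fashion, limit who can read it, store it securely) put into one script, as an added example that is neither code from this thread nor from the linked write-up. It assumes a Debian-style nginx layout under LOG_DIR, a GnuPG recipient LOGS_KEY_ID whose public key is in root's keyring, a 30-day retention period, an install path of /usr/local/sbin/protect_logs.sh and an adm group; the sample log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked write-up. Two copies of
# each rotated access log are produced: the full log, encrypted to the security
# team's GnuPG key and purged after RETENTION_DAYS, and a masked copy in which
# client IPs are coarsened so it can be kept for statistics without the full IP.
# LOG_DIR, LOGS_KEY_ID, RETENTION_DAYS and the install path are assumptions.
set -eu

LOG_DIR="${LOG_DIR:-/var/log/nginx}"
LOGS_KEY_ID="${LOGS_KEY_ID:-security-team@example.org}"   # assumed GnuPG recipient
RETENTION_DAYS="${RETENTION_DAYS:-30}"

# Constructed sample lines (not real traffic) so the script can be tried offline.
SAMPLE_LOG='192.0.2.44 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2000:13:55:37 -0700] "GET /umbraco/ HTTP/1.1" 302 0'

# Coarsen the client IP (first field of a combined-format line) read on stdin.
# IPv4: last octet -> 0.  IPv6: keep the first three groups, drop the rest.
# Only field 1 is rewritten, so numbers inside the request or referrer are untouched.
mask_ips() {
  awk '{
    ip = $1
    if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
      sub(/\.[0-9]+$/, ".0", ip)
    } else if (ip ~ /:/ && ip != "::1") {
      split(ip, g, ":")
      ip = g[1] ":" g[2] ":" (g[3] == "" ? "" : g[3] ":") ":"
    }
    $1 = ip
    print
  }'
}

# Called from logrotate's postrotate on the rotated file: write the masked copy,
# encrypt the full log to the security key (gpg compresses by itself, hence
# nocompress below) and remove the plaintext.  Usage: protect_rotated FILE OUTBASE
protect_rotated() {
  plain="$1"; out="$2"
  mask_ips < "$plain" > "${out}.masked"
  gpg --batch --yes --trust-model always --recipient "$LOGS_KEY_ID" \
      --output "${out}.gpg" --encrypt "$plain"
  chmod 0640 "${out}.gpg" "${out}.masked"
  rm -f "$plain"
}

# "Delete in a timely fashion": drop encrypted full logs older than RETENTION_DAYS.
purge_expired() {
  find "$1" -name '*.gpg' -type f -mtime +"$RETENTION_DAYS" -exec rm -f {} +
}

# Assumed logrotate snippet wiring the functions in; install under /etc/logrotate.d/.
# rotate 1 is enough because the plaintext is removed by the hook.
logrotate_snippet() {
  cat <<EOF
$LOG_DIR/access.log {
    daily
    rotate 1
    missingok
    notifempty
    nocompress
    create 0640 root adm
    postrotate
        mkdir -p $LOG_DIR/archive
        LOGS_KEY_ID=$LOGS_KEY_ID /usr/local/sbin/protect_logs.sh protect_rotated \\
            $LOG_DIR/access.log.1 $LOG_DIR/archive/access-\$(date +%F)
        /usr/local/sbin/protect_logs.sh purge_expired $LOG_DIR/archive
    endscript
}
EOF
}

# Print the constructed sample lines after masking.
demo() { printf '%s\n' "$SAMPLE_LOG" | mask_ips; }

# Only the named functions can be invoked from the command line.
case "${1:-}" in
  protect_rotated|purge_expired|logrotate_snippet|demo) "$@" ;;
  "") ;;   # no arguments: just define the functions
  *) echo "usage: $0 {protect_rotated FILE OUTBASE|purge_expired DIR|logrotate_snippet|demo}" >&2; exit 2 ;;
esac
```

Access to the encrypted copy is limited to holders of the private key rather than to everyone who can read the log directory, which is what makes the "limit access even within your own organization" point enforceable; the masked copy still identifies a /24 or /48, so treat it as reduced rather than anonymous data.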