
Comment by dessant

6 years ago

An IP address is itself personal data, it does not have to be associated with other personal data.

https://ec.europa.eu/info/law/law-topic/data-protection/refo...

> Collecting IP address alone, and not associating it with anything else, is completely fine (otherwise nginx and apache's default configs would violate GDPR), and through them basically every website would violate GDPR.

See my comment about consent not being required when the data is needed to provide a service. Logging is reasonably required to provide a service.

> and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.

The transmission of data is already covered by GDPR, you don't have to store the data to be bound by the law.

See my edit. There's conflicting information on this. A dynamic IP, for example, isn't directly related to or relatable to a specific natural person without other context.

But even if that's the case, if you don't tie the pseudonymous ID to the IP, it isn't personal data. As far as I can tell, the transfer rules you reference are about transferring data out of the EU, and can be summarized as "you can't transfer data to a non-EU country and then process it in a way that violates the GDPR". Article 46 notes that transferring data is fine as long as appropriate safeguards are in place[1], and Article 47[2] defines what constitutes those safeguards (in general, contractually/legally binding agreements with appropriate enforcement policies).

This goes back to what I said before: The theoretical capability to do noncompliant things doesn't make a system GDPR-noncompliant. You have to actually do noncompliant things to not comply.

[1]: https://gdpr-info.eu/art-46-gdpr/

[2]: https://gdpr-info.eu/art-47-gdpr/

> > and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.

> The transmission of data is already covered by GDPR, you don't have to store the data to be bound by the law.

This cannot be the actual correct interpretation of the GDPR, because under this logic _all_ IP packets on the public internet (made by/to EU citizens) are covered by the GDPR because you are transmitting data alongside an IP address.