by srrr
3037 days ago
As others have noted: Laws with examples would be too specific to survive fast technological changes. Laws do mostly contain the 'spirit' of the idea and are applicable to many different situations and times. But the European Commission does give examples: https://ec.europa.eu/info/law/law-topic/data-protection/refo... This is of course no nginx configuration. But the thing is.. there is no one size fits all example configuration. The situation depends on: 1) What do you use the data for? 2) How long do you really need it? 3) Can you securely handle it? 4) Has the user consented? Saving IP addresses in log files can be fully compliant IF you only use them for legal reasons (sue an attacker, ...), have severe access restrictions on the files, delete them as fast as possible and get consent from the user prior to saving the logs. It depends on your goal, workflow and abilities if you are allowed to store this data, and you must decide for yourself. If in doubt.. don't store it.
|
You do not need consent for saving the IP, user agent and URL (including GET values) in Apache logs because, as someone said above, you have a "legitimate interest to combat fraud and maintain information security".
Legitimate interest and consent are only 2 of the 6 legal bases under which you can collect and store (process) personal data. Art. 6 contains all 6: https://gdpr-info.eu/art-6-gdpr/