Hacker News
by pitaj 2725 days ago
I should have been more clear that I meant IP addresses alone.

It seems like this only addresses when IP addresses are combined with other data.

4 comments

That particular guidance has provided a lot of gnashing of teeth because some readings of it have an implicit “because” before the final sentence. That is, IP addresses are personal data as sometimes they uniquely identify people.

The guidance my firm received was to treat them, by themselves, as an ID. YMMV.

IP Addresses are Personal Data.

I think the easy way to check is to ask yourself if the data can directly link to someone's IRL identity.

If no, ask yourself if the police could identify them if they demanded and got the data.

If still no, ask yourself if the data is of a protected category (gender, religion, sexuality, etc.).

If you need any of this data, minimize your need first (i.e. this means storing IPs only for a limited timespan; German authorities have IIRC recommended 7 days as normal).

If you can't reduce your need, find another way to do what you do that has less need.

If all else fails, cover under legitimate interest and hope you're not Adtech.

Here is a write-up of the decision from EU’s highest court on this topic: https://www.whitecase.com/publications/alert/court-confirms-...

It’s easy to see why the quote I gave says what it says with this context.

Also, if you’re worried, talk to your lawyer.

DSGVO concerns 'directly' identifying information (Name, SSN...) as well as 'indirectly' identifying information like IP addresses where the technical possibilities exist to link them back to the person.

EVEN if you do not actively link them to the person, DSGVO treats them the same way as the directly identifying information.