by kleiba 1595 days ago
1) Your IP address is considered personal data, as it can be used to identify you. In general, everyone can see and agree with this.

Only if you're the sole user of that IP, which is e.g. not the case in a family.

3 comments

It is enough to identify whoever is paying for the internet access, which is enough, in itself. And it might be enough to identify the actual user with "reasonable" certainty, e.g. if the user was home alone at the time the IP was used.

Courts found that it doesn't have to be demonstrated that a user can be identified; the abstract reasonable risk that a user could be identified is enough to turn an IP address into PII (and this ruling explicitly mentions this).

I stand corrected - not everyone can agree!

In reality, as a service provider, you have no ability to determine if the client IP belongs to an individual or not - so you have no choice but to assume it does identify an individual.

This is ludicrous. Nginx logs are regulated now? What if you just want to make a static website and get on with your life?

You're not sending your nginx logs to Google, a well-known advertiser, are you?

In this case you can store IP addresses if you have a legitimate reason (e.g. you can show you need it for troubleshooting etc), as long as it's reasonable and doesn't infringe on the rights of the user, and you have documented it along with the retention strategy.

No, that's not a criterion for “personal information” under GDPR.

Your name or your date of birth or your postal address isn't unique either, but they are still personal information.