by MauranKilom 1589 days ago
Providing the IP address for the communication channel is quite obviously necessary and does not require explicit consent.

https://gdpr-text.com/read/article-49/#para_gdpr-a-49_1_1b

> In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, [...] a transfer [...] of personal data to a third country or an international organisation shall take place only on one of the following conditions:

> [...]

> (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request

> [...]

GDPR does not forbid providing internet resources to EU users, that is simply a lie. All it requires is that data handling happens in the best interest of the user.

2 comments

True, but storing the IP address server-side for purposes other than serving the HTTP request doesn't fall under (b).

Diagnostic logging (e.g. Apache logs) is probably okay as long as the organization can show that these logs are destroyed in a reasonable timeframe, but AFAIK even that is legally a gray area (in the sense that it is neither explicitly forbidden nor allowed).

Diagnostic logging is ok as long as you have a sane retention policy.
Recent court orders in Germany and France beg to differ.
Opening a communications channel to a third party, e.g. a shady spyware company like Google, requires consent, which makes sense.
I don’t remember any case related to accessing first party resources, can you give a link?
That case is not about accessing first party resources. It was about a German website which (effectively) shared data with a third party provider from a country with no adequate privacy protection.