by Someone
1172 days ago
> In certain larger EU countries you're not even allowed to record a website visitor's IP address (because some court has decided those count as PII)

You’re not allowed to do that without reason. If you have a reason, and tell your users, there’s nothing wrong with it. Some anecdata that proves that:

https://gdpr.eu/privacy-policy/: “IP and browser user agent string: this data is collected when you leave a comment.”

https://commission.europa.eu/privacy-policy-websites-managed...: “In addition, IP addresses and device IDs might be saved for one year in the log files of the Directorate-General for Informatics operational environment for security or other purposes (see DPR-EC-02886 DIGIT IT security operations and services for more information).”
That's still for the courts to decide. Specifically, the German federal court for example didn't define what constitutes a legitimate reason for storing IP addresses.
This is precisely the problem with GDPR: While maybe well-intentioned, that regulation has been kept intentionally vague, which has local authorities interpret the rules how they see fit (or how it suits their purpose), since there's no clearly defined ruleset to depend upon.
> "for security or other purposes"
"other purposes" is about as vague as it gets. According to GDPR, a legitimate interest has to be specific and the specific reason that constitutes such an interest has to be communicated to the user.
This is not surprising at all. The EU itself is hilariously non-compliant with GDPR. After all, why would they comply with GDPR? Public authorities are largely exempt from GDPR anyway.