[kzzzznot]

I’m not an expert on this, but perhaps it’s the usage of that data and linking to a person that crosses the line.

A web server’s logs may include the IP and http request they’ve made, but once you start attaching that to an identity instead it might count as data processing.

[cccbbbaaa]

Storing counts as processing under the GDPR; the definition is in article 4. It's not hard to find.

> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

One can use the “legitimate interest” basis (recital 49 may be relevant here) or “compliance with a legal obligation” for logging.

[kzzzznot]

Does an IP alongside a HTTP request count as personal data?

[cccbbbaaa]

An IP alone is personal data. Recital 30 should be enough, but it has been asserted time and time again by DPAs and courts. See also: https://commission.europa.eu/law/law-topic/data-protection/r...