[snowwrestler]

GDPR does not regulate “sharing,” it regulates any use of personal data. IP address is considered personal data, so you can’t avoid GDPR compliance if you are running a website at all (since you must process IP addresses in order to serve a website).

[viraptor]

I'm using simplified language here, not writing a legal document. The first use was also supposed to be "storing/sharing", but it's processing in practice. But here you go:

> GDPR does not regulate “sharing,”

13.1.e requires at least the notification of the recipients of the data. With the requirement about the purpose of use, it effectively regulates sharing.

> since you must process IP addresses in order to serve a website

That's right and that places the IP in the 4.1.f "processing is necessary for the purposes of the legitimate interests pursued by the controller" area which doesn't require consent.

[snowwrestler]

It doesn’t require a consent dialogue but it requires user notifications and data processing agreements with anyone who is helping you serve your site and an agent available to EU jurisdictions to answer inquiries. Granted a lot of people don’t bother or slide by with some vague crappy language they downloaded from somewhere.

The irony here is that the people who think they’re standing up for GDPR are actually the ones not taking it seriously, while the people who take it seriously are the ones who know what a pain it is to comply with.

[viraptor]

Have you got some support for this from people experienced with legal matters? Because not only I've never heard of the internet provider notification being required and can't find any act which would apply, I can't even find any European page which does that, including https://op.europa.eu/en/web/about-us/privacy-statement which is responsible for publishing gdpr itself.

That publisher's page lists the third party processors for the documents, (as expected) but not the hosting provider. I'd love to see a counterexample.

[snowwrestler]

My experience was the months I spent with a very competent (and no doubt expensive) French law firm to help my employer implement GDPR compliance. None of that is public info that I can link to, however.

I’ll edit to add that the user must be notified that you are collecting and processing personal data, which includes IP address. And the hard part is that you must also have internal paper trails that prove that you have written that notification in full knowledge of all the data processing done on your behalf by all your service providers. Is a data center owner routing traffic to your server? You need paperwork in which they commit not to store the IP addresses of your visitors, for example. That is not public-facing but must be available to regulators upon their request.

That’s the hard part of compliance and what most people skip. They click OK on the standard agreements with service providers and put up a standard privacy template. That is not actually compliant but folks are essentially betting that they are small enough that data regulators won’t ever come call them on it.

[viraptor]

There's a known side effect of highly paid legal work... it will produce lots of results. But was it all required or just-in-case-CYA? Is one highly paid lawyer more correct than a sample of European institutions? Maybe...

[johnklos]

"since you must process IP addresses in order to serve a website"

That's complete nonsense.