by martin_a
496 days ago
Gut feeling (kind of). There are rulings that access providers are/were allowed to save full IP addresses for up to 7 days to handle misuse of services etc. and any longer storage seems unnecessary and unlawful. In other cases there were recommendations of up to 30 days, ideally with anonymized addresses where the last one or two triplets are automatically being removed. I've also seen 30 days as kind of the default setting for automatic log purging with shared webhosters. Our lawyer told us that he estimates that saving full IP addresses for 14 days in logfiles would be fine with regard to preventing/tracking misuse of services or attacks against the infrastructure. If this ever came to court, it would most probably be up to the judge to see whether this is really fine or already too much. Therefore we had to document the process and why we think 14 days is reasonable and so on. The GDPR lacks a specific time frame and I think that's okay. There's always some "wiggle room" in European laws; it's about not misusing that room and sincerely acting in the best interest of everybody.