server logs belong to website as a Controller

Some hosts - more commonly on more basic shared IP accounts - don't provide access to server logs. Also, at least in the UK, the host is required to keep them, independently of whatever access and configuration options the contract provides to the publisher.

If the contract allows the publisher control, then the publisher is obviously a Controller. However, the question was about "things I don't have any control over", not about control that has been relinquished, delegated, or is simply not exercised.

My own impression is that server logs are something of a can of worms under GDPR (as are other areas that apply to webmasters), and will probably require a couple of CJEU rulings before a definitve picture emerges. Where the law is unclear, I would expect the level of penalties to reflect that.

Also, at least in the UK, the host is required to keep them, independently of whatever access and configuration options the contract provides to the publisher.

Sure, but they are not allowed to make use of any personal data. They keep the data on grounds of "legal obligation" - and are a controller for that purpose.

I'm genuinely not sure how a court would view "Do not control on grounds that I chose not to". Like you say, server logs are one area where case law is required to add clarity.

Thanks for the insights everyone. I realize I'm super small potatoes here. I don't think the EU will pick me to make an example of. There are plenty of bigger fish to fry. I've noticed that many very large websites still haven't implemented any of the cookie consent from what I can tell.

I don't store any private information at all as far as I know. I don't store names, emails or even IP address. In what I can control, I have anonymized the IP addresses the same way as Google does by dropping the last number. So even if someone asked me to remove all their data, I can't even figure out what data is theirs.

I don't explicitly use cookies. The cookies drop onto a browser are from Google Analytics, Google Adsense and the forum software. The Google stuff I can, at least, turn off temporary until there are good examples of how to deal with it.

My shared hosting company does make the logs available to me in both raw and report format. The IP addresses are contained in those logs. There does not seem to be any way for me to turn this off. The best I can do is possibly write a script to erase them whenever they are made available. Will that do? The big downside is that if I am hacked or attacked I will have no idea who is doing it. I thought there was some exclusion in the GDPR for that. Since part of the GDPR is that breaches have to be reported. How can you tell if you had a breach unless you have logs to analyze?

The big downside is that if I am hacked or attacked I will have no idea who is doing it.

This is part of the can of worms, but you probably have a legal duty to be able to trace the source of a data breach. If so (see the link I posted earlier, 1. c.), your maintenance of server logs for processing in that event is lawful.

@fretfull, you have raised a lot of good points. I can answer (with quotes and references) most of that. Remember, no one is trying to "catch you out" - if the law says you can do it under certain conditions, then there is no need to worry unduly.

Below, the word "explicit" has a precise meaning under the law, such that an active intervention is required (such as ticking a box, clicking a banner)

I've noticed that many very large websites still haven't implemented any of the cookie consent from what I can tell.

Beware the FUD! The original cookie consent reached a consensus implementation, but that was led by the developer community. The EU's own website never did that, which tells me it was not the optimal solution that complied with the law.

Irrespective of this, the GDPR supersedes the cookie law. Cookies come in 3 main flavours.

• 1st Party "Plumbing" cookies make your site work. You just need to declare them, ideally under a privacy statement, although they are unlikely to be PII. No opt-out required. [Collection Art6(1)(f) [gdpr-info.eu]; Declaration Art 13, esp Para (1)(c)&(d) [gdpr-info.eu]]
  
• 1st Party Tracking Cookies (inc GA) needs case law, but a reasonable interpretation is they need to be declared if you use them to improve your site, but explicitly declared and provide an Opt-Out if you use it for Personalisation (AKA profiling / Direct Marketing)[Collection as above, Profile / DM opt-out Art 21, esp Para 1-4 [gdpr-info.eu]
  
• 3rd Party Cookies that sends user data to somewhere you do not control needs explicit consent. You could technically rely on "legitimate interests" but see ICO guidance [ico.org.uk]*

I don't store any private information at all as far as I know. I don't store names, emails or even IP address. In what I can control, I have anonymized the IP addresses the same way as Google does by dropping the last number. So even if someone asked me to remove all their data, I can't even figure out what data is theirs.

Good news, Art 11(1) [gdpr-info.eu] is for you:

If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

Also note that, if what you are saying is true, you do not deal with PII, and therefore the GDPR does not apply to you. The GDPR is for PII only.

The cookies drop onto a browser are from Google Analytics, Google Adsense and the forum software. The Google stuff I can, at least, turn off temporary until there are good examples of how to deal with it.

GA is a first-party cookie, but I think Adsense is third-party. In any event, Google has it's own requirements- see this [webmasterworld.com] and this [webmasterworld.com]

My shared hosting company does make the logs available to me in both raw and report format. The IP addresses are contained in those logs. There does not seem to be any way for me to turn this off. The best I can do is possibly write a script to erase them whenever they are made available. Will that do?

IPs are not PII if it is not reasonable for you to resolve them to a person. If you do not collect other PII, and you are not an ISP, then that would apply. Deletion regimes are good practice anyway. Do not share your logs, as it may be trivial for them to resolve the IPs to PII.

The big downside is that if I am hacked or attacked I will have no idea who is doing it. I thought there was some exclusion in the GDPR for that. Since part of the GDPR is that breaches have to be reported. How can you tell if you had a breach unless you have logs to analyze?

This is covered by overriding legitimate interests (i.e. Art6(1)(f) [gdpr-info.eu]) combined with Recital 49 [gdpr-info.eu]

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

*This is the part I would not be confident about in passing data to 3rd parties:

You may be able to rely on legitimate interests in order to lawfully disclose personal data to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine their lawful basis for their own processing.

You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them

@Shaddows your answers are always so impressive. Thank you very much.

Thanks Travis!

I had been getting a little worked up about potentially having to provide all emails from a subject on receipt of a SAR, I was considering how I would gather them, redact them and present them, but then I was pointed at:

Article 14 Para 5a which states : Paragraphs 1 to 4 shall not apply where and insofar as: the data subject already has the information;

and Article 13 Para 4: Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

So assuming the subject sent the emails, there is no action to take.

Also I wondered if this might apply to IP addresses and logs. The data subject may request logs to cover their IP address's access to your website. But it was they that accessed your website and their own internet histories will evidence them what, where and when .. so it could be argued that they already have this information.

it could be argued that they already have this information

It could be argued that they already know their own name and address. The point is not what they already know, it is what information you have about them. You need to know what information you have, so that you can respond to a request for it.

Where the information you have includes documents (which includes emails) you have received from the enquirer, you would have to provide a record of these, not copies or transcripts of them.

Is it okay with GDPR if I locally host Google Analytics and Google Fonts on WordPress, any idea?

@Mark_A

Redaction should not be a major headache, because all parties would already have seen all contents when they were initially sent/received.

Most modern mailservers should have search functions. Then you can just export them to a folder and forward.

Make a data map, and write a process for each data location. Then when you get a SAR, you can just execute your process.

Server logs, you will need to extract just the pertinent data. Scripts are your friend.

For data retention, I would remember these core rules:
1) You do not need to retain data for the sake of complying. Delete unnecessary emails.
2) Data retention is supposed to be time-limited. Delete old data, like server logs, unless you have a specific reason to keep it.
3) Much data does not need to be tied to a person. Anonymise where possible.

Are there established guidelines of what a website would need to do to comply with this? For example, if my site uses Analytics it's serving a cookie (from Google). Does this mean I have to clutter my sites with those annoying "this site uses cookies" banners? They seem like a fairly useless addition, and I've read that they may not actually be sufficient for compliance with the new regulations.

What's a non-EU site to do? What about EU sites? Analytics arguably are not tracking personally identifiable data, but I'm sure we could find a lawyer who could argue otherwise. I am not seeing definitive information about this from Google.

This may have already been answered but I can give you my very researched and educated answer. Google Analytics creates a unique ID for every web session. A UID is considered PII under GDPR. That means you need to have consent to collect a UID from a user. The consent has to be specific to its intended use, in this case for tracking usage and engagement with content on your website (for example).

This can be done be creating a CMP (consent management platform) - there are free and open sourced ones by the IAB or Google.

If you're a non-Eu site but have a significant portion of your traffic from the EU and have an "EU presence" which doesn't have to be a physical office, can also be that you ship products to the EU or translate your website to German, for example then you must comply with GDPR.

A UID is considered PII under GDPR

That is quite an assertion, especially as the ePrivacy Directive (soon to be regulation) says the opposite- that "visitor counting" cookies are allowed without consent- just a declaration.

Probably best to comply with DNT though.

That is quite an assertion, especially as the ePrivacy Directive (soon to be regulation) says the opposite- that "visitor counting" cookies are allowed without consent- just a declaration.

Anything that can be used to create an "online identity" is considered PII. This is an actual example that has been used by the commission.


<Snipped Promo>

[edited by: not2easy at 3:05 pm (utc) on Jun 26, 2018]
[edit reason] Snipped Promo [/edit]

Incidentally, the ICO site, linked to earier, e.g. [ico.org.uk...] has now changed the way their Cookie message operates, giving the user explicitly a way to stop the cookies. I would suggest that this is probably best practice moving forward, as teh old ASA Cookie law is probably now redundant.