Welcome to WebmasterWorld Guest from 184.108.40.206
server logs belong to website as a Controller
Also, at least in the UK, the host is required to keep them, independently of whatever access and configuration options the contract provides to the publisher.Sure, but they are not allowed to make use of any personal data. They keep the data on grounds of "legal obligation" - and are a controller for that purpose.
The big downside is that if I am hacked or attacked I will have no idea who is doing it.
I've noticed that many very large websites still haven't implemented any of the cookie consent from what I can tell.Beware the FUD! The original cookie consent reached a consensus implementation, but that was led by the developer community. The EU's own website never did that, which tells me it was not the optimal solution that complied with the law.
I don't store any private information at all as far as I know. I don't store names, emails or even IP address. In what I can control, I have anonymized the IP addresses the same way as Google does by dropping the last number. So even if someone asked me to remove all their data, I can't even figure out what data is theirs.
The cookies drop onto a browser are from Google Analytics, Google Adsense and the forum software. The Google stuff I can, at least, turn off temporary until there are good examples of how to deal with it.GA is a first-party cookie, but I think Adsense is third-party. In any event, Google has it's own requirements- see this [webmasterworld.com] and this [webmasterworld.com]
My shared hosting company does make the logs available to me in both raw and report format. The IP addresses are contained in those logs. There does not seem to be any way for me to turn this off. The best I can do is possibly write a script to erase them whenever they are made available. Will that do?
The big downside is that if I am hacked or attacked I will have no idea who is doing it. I thought there was some exclusion in the GDPR for that. Since part of the GDPR is that breaches have to be reported. How can you tell if you had a breach unless you have logs to analyze?
You may be able to rely on legitimate interests in order to lawfully disclose personal data to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine their lawful basis for their own processing.
You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them
it could be argued that they already have this information
joined:May 12, 2015
What's a non-EU site to do? What about EU sites? Analytics arguably are not tracking personally identifiable data, but I'm sure we could find a lawyer who could argue otherwise. I am not seeing definitive information about this from Google.
A UID is considered PII under GDPRThat is quite an assertion, especially as the ePrivacy Directive (soon to be regulation) says the opposite- that "visitor counting" cookies are allowed without consent- just a declaration.
joined:May 12, 2015
That is quite an assertion, especially as the ePrivacy Directive (soon to be regulation) says the opposite- that "visitor counting" cookies are allowed without consent- just a declaration.
[edited by: not2easy at 3:05 pm (utc) on Jun 26, 2018]
[edit reason] Snipped Promo [/edit]