
Some of the data you collect in your website's usage and access logs may count as personal data under the GDPR. You'll need to make sure you process it lawfully and follow the GDPR's requirements.
Here's what you need to know about what the GDPR requires when it comes to log and usage data, and what to do to collect and use this type of data in a compliant manner.
- 1. The Basics of the GDPR
- 2. Processing Log and Usage Data Under the GDPR
- 3. Is Log and Usage Data Classed as Personal Data Under the GDPR?
- 4. Lawful Basis For Processing Log and Usage Data
- 5. GDPR Rules Affecting Log and Usage Data
  - 5.1. The Principle of Data Minimization and Retention
  - 5.2. GDPR Limitations on Data Transfers
  - 5.3. Securing Data in Line With the GDPR
  - 5.4. GDPR-Compliant Privacy Policies
- 6. Summary
The Basics of the GDPR
The General Data Protection Regulation (GDPR) is a European Union regulation that deals with personal data processing.
The GDPR applies if you are in an EU country, the person whose personal data you process (the data subject) is in an EU country, or the processing itself is done in an EU country.
If the GDPR applies and you process personal data, you must:
- Have a lawful basis for doing so, and
- Follow rules to uphold the data subject's rights under the GDPR
Let's break down how this applies to log and usage data.
Processing Log and Usage Data Under the GDPR
In the simplest terms, the GDPR defines processing as any activity involving data. This includes collecting, using, storing and sharing the data. It doesn't matter if you do this through "automated means" or not.
Access and usage logs inherently involve processing because you are collecting and storing the data.
Is Log and Usage Data Classed as Personal Data Under the GDPR?
The GDPR defines personal data as:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Website access and use logs will rarely, if ever, specifically identify individuals. However, they may contain enough information to directly or indirectly identify the individual. This will usually come via the IP address.
This point is addressed by Recital 30 of the GDPR, which is effectively an explanatory note for the law. It says:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
A German court later ruled that, for GDPR purposes, an IP address could identify an individual whether it is a static or dynamic address.
If your site logs have enough information to identify an individual, both the IP address and other data in the log can count as personal data. This includes the records of what pages they visited on your website and any files they accessed, along with any geolocation data.
For this reason, it's usually safest to treat any website logs as personal data for GDPR purposes.
Access logs will definitely count as personal data if you have previously linked an IP address to a specific individual, for example a user who has registered an account and provided their name, email address, or other identifying detail.
This could happen if you've used an IP address to check somebody's location, for example to see if they are legally able to open an account or use your services.
Lawful Basis For Processing Log and Usage Data
Under the GDPR, you must have a lawful basis to process personal data. If you don't have a lawful basis, the processing is illegal and could lead to regulatory action and financial penalties.
The GDPR sets out acceptable lawful bases, several of which are limited to specific situations (such as medical emergencies) that clearly do not apply to log and usage data.
One of the most commonly used lawful bases is that you have the data subject's consent.
However, the consent must be freely given and, just as importantly, the data subject must be able to withhold or withdraw consent. This is impractical with website logs as you inherently cannot gather consent before somebody accesses your site, which is recorded in your logs.
Instead, you'll normally have to rely on the "legitimate interests" basis. The name is slightly confusing, but the two key criteria are that:
- Your data processing is part of your business activity, and
- Your interest in that processing does not outweigh the user's personal data rights
A common rule of thumb for finding this balance is that processing for legitimate interests would be reasonably expected by a rational data subject. In other words, they would not be surprised by your data processing.
As a guideline, the following log and usage data activities would likely come under legitimate interests:
- Collecting and storing access and usage logs.
- Analyzing website access from a specific IP address (to improve the site and learn about user interests) without attempting to link it to a named individual.
- Analyzing website access to maintain site security or prevent breaches of your terms of use. For example, you might use access logs to identify a user who had uploaded illegal material.
The following activities would likely not count as legitimate interest:
- Tracking what pages a user had visited and then trying to identify them so you could send them personalized marketing emails.
- Making your logs, or extracts from your logs, publicly available.
- Selling copies of your access logs to another business such as a data marketer.
GDPR Rules Affecting Log and Usage Data
As well as having a lawful basis, you must follow various rules to comply with the GDPR. These are the most relevant to processing log and usage data.
The Principle of Data Minimization and Retention
You must only collect and keep the minimum amount of data necessary to achieve the specific purpose for which you collect it. If you have the option to change the settings on your access logs, make sure you do not collect any data that doesn't serve this specific purpose.
You must only keep the data for the minimum period of time to serve the purpose for which you collected it. You must then delete it. Review your log and access data regularly to make sure you still need it for this purpose.
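As an added example (not from the original article), the Python script below applies both principles to a few constructed access-log lines in the common "combined" format: it deletes entries older than a retention window, keeps only the fields needed for the stated purpose, and truncates IP addresses so they no longer single out one device. The log format, the choice of retained fields, the 30-day window and the /24 and /48 truncation are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the common "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2024:08:15:02 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:abcd:1234::1 - - [02/Apr/2024:19:40:11 +0000] "GET /docs/setup HTTP/1.1" 200 812 "-" "curl/8.4"
198.51.100.7 - - [05/Apr/2024:10:02:55 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def anonymize_ip(ip_text):
    """Zero the host part (IPv4 /24, IPv6 /48; assumed prefixes) so the address no longer
    singles out one device while still supporting coarse traffic analysis."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def minimize(lines, now, retention_days=30):
    """Keep only in-window entries and only the fields needed for site-health review.
    Referrer and user agent are deliberately dropped (assumed purpose does not need them)."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: nothing to retain
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < cutoff:
            continue  # past the retention period: delete
        kept.append({
            "ip": anonymize_ip(m["ip"]),
            "ts": ts.isoformat(),
            "request": m["req"],
            "status": int(m["status"]),
        })
    return kept

def example():
    """Run the pipeline on the constructed sample as of a fixed date (2024-04-10 UTC)."""
    now = datetime(2024, 4, 10, tzinfo=timezone.utc)
    return minimize(SAMPLE_LOG.splitlines(), now)

if __name__ == "__main__":
    for record in example():
        print(record)
```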
The Office for National Statistics has clear policies on how long it keeps access log data:
GDPR Limitations on Data Transfers
The GDPR includes rules on transferring personal data outside of the European Union. This includes any access logs classed as personal data. In simple terms, you can only transfer the data if:
- the non-EU country has been recognized by the EU as having equivalent data protection rules (for example through an "adequacy agreement"), or
- you have a binding contract requiring the recipient to protect the data to the same standard as the GDPR
These requirements won't normally apply if you are simply moving access logs within your organization (for example from a data center in an EU country to your server in a non-EU country).
However, you will need to check you are following the rules if you transfer the data to a subsidiary, sister company or a similar organization.
Securing Data in Line With the GDPR
The GDPR says you must secure personal data to protect it against unauthorized access, alteration or deletion. This includes any access logs classed as personal data.
Although the GDPR doesn't specify security measures, it says you should take appropriate physical, technical and organizational measures to protect the data.
With access logs, this could include restricting access to the logs to specific staff members, password-protecting that access, and encrypting the data where possible.
GDPR-Compliant Privacy Policies
Access logs classed as personal data are covered by the GDPR's requirement to inform data subjects about your data use and their data rights. You should already have a Privacy Policy covering your other data use.
Sections of the Privacy Policy where you may need to specifically address your access logs include:
- The data you collect
- How and why you use the data
- How long you keep the data
- How you secure the data
- Whether you share or disclose the data
The Talks gives examples of personal data it collects through access logs:
Ordnance Survey gives specific examples of the way it uses access log data:
Summary
The GDPR restricts how you can collect and use personal data in European Union countries or about people in those countries. The GDPR's definition of personal data will often cover IP addresses and other information you collect in website access and use logs.
This means you'll need a lawful basis to collect and use the data, such as that it's done for your legitimate interests (your business activity) and that the use doesn't outweigh the user's privacy rights.
You'll also need to follow the GDPR's principles and rules. These include processing the data only for specific purposes, collecting the minimum amount of data necessary to serve these purposes, and retaining it only long enough to serve these purposes.
You must also secure the data, tell people about it in a Privacy Policy, and not transfer it to non-EU countries unless you can show it will remain protected to the same standards.