Hi Ken, > If website logfiles are to be purged after 7 or 14 days, > are you allowed to keep website analytics as long as they are > anonymous, i.e. divorced from visitor identification like IP > addresses? I'm talking about counts of pageviews and unique visitors, > top referrers and entry pages, browsers, etc.
I am no lawyer, so I can only tell you what I *think* the law means and would ask you to get the solid facts from an GDPR expert or lawyer. It is my impression that it's fine to keep anonymized website analytic data that has been sanitized of parts of the visitors IP. However: The thing here is that the degree of anonymization is debatable. Is it enough to strip the last octet off an IPv4 address? And the last segment of an IPv6 IP? Or does it need to more than that? From what I read into the German implementation of the law this whole thing is such a vague and ambiguous shit-show that it will keep lawyers and courts well fed for the next 10-15 years. > (Still not sure why an IP address is considered personal or private > information.) That was established in the Court of Justice of the European Union (the "CJEU") in the ruling of Case 582/14 – Patrick Breyer v Germany. See: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases The full court ruling can be found here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1 -- With best regards Michael Stauber _______________________________________________ Blueonyx mailing list Blueonyx@mail.blueonyx.it http://mail.blueonyx.it/mailman/listinfo/blueonyx