
Confusion about GDPR and logless webservers - mildlyconfused
Hi all!

I intend to run a simple website on a VPS using an Apache web-server.

My plan is to disable logging completely. All pages on the website will be static and the website will not utilise cookies. No personal data pertaining to visitors will be stored on persistent storage under my control.

Initially I thought this would exclude me as a data controller under the GDPR, so I drafted a privacy policy explaining how I would store no personal data pertaining to visitors, etc.

After closer inspection, it seems that the act of collecting the IP address of an EU data subject to respond to HTTP requests would make me a data controller, even if I don’t store that IP address in a log.

Something about my interpretation of the GDPR seems off.

If I understand correctly, I would need to provide contact details in the privacy policy and respond to requests to be forgotten, requests for access, etc.

If someone sends me an email requesting to be forgotten, they’ve just provided me with their email address and any other personal data they include in the content, so suddenly I’m storing their personal data and would have to respond and delete it.

Similarly, if someone sends me a request for access, their email contains personal data. It seems like I’d have to send them back an email saying “Yes! I hold your personal data. Here it is:” with a copy of their email attached.

It seems as though by providing contact details in the privacy policy of that website and receiving emails about that privacy policy, I’d be processing personal data that I would not have otherwise processed, purely for the purpose of GDPR compliance.

I am sure most will see the irony in this interpretation.

I was wondering if anybody here has dealt with situations like this or has a different interpretation of how the GDPR applies to such websites.
======
mikece
Would GDPR cover not logging individual requests and sessions but calculating
aggregated statistics without keeping per-request, user-identifiable info?

~~~
mildlyconfused
I suspect it would because personal data needs to be collected in order for
such aggregated statistics to be made and collection seemingly counts as
processing, but I’m not sure as I do not yet fully understand the GDPR. Sadly
I cannot provide any advice on the topic. In the case of my planned website, I
will not even be calculating aggregated statistics.

