How long web server logs may be kept at most depends on the data stored in them and on the reason for logging. The BayLDA allows 30 days. I think this statement is fundamentally incorrect.
Server logs for websites record that a website was visited or requested. To put it bluntly, most people do this without knowing why. They only do it because it feels like everyone else is doing it and they think it must be necessary. Or they log without knowing it, because the web server is configured that way and nobody takes an interest in the configuration.
The log files of a website record the time at which an internet address (URL) was requested. In addition, the following information is usually recorded:
- Requested address (URL)
- Browser user agent (including browser and operating system information)
- Caller’s address (IP address), often abbreviated
According to a statement by a BayLDA representative, the full IP address may be included. It is well known that IP addresses are personal data. Compare the judgments of the ECJ and the BGH in the “Breyer” case from 2016 and 2017. According to those rulings, even dynamic IP addresses are personal data. This was also taken up by the Munich Regional Court in its judgment of January 20, 2022 regarding Google Fonts.
Official advice and legal advice
It is not clear to me why the BayLDA, or one of its representatives, is now permitting full IP addresses. I wrote to the representative on June 1, 2022, asked for information on this and mentioned the points that are critical from my point of view. Once I have the answer, I will summarise it here.
Like any other data protection authority, the BayLDA is an authority and represents the opinion of an authority. This opinion is not binding on a court, and if it is taken into account at all, then “only” as guidance. Depending on the court, the opinion of the authorities is hardly considered in a decision. This is not to say that official opinions are unimportant. They just do not provide legal certainty in civil or competition law disputes.
Courts also represent “only” opinions, which is why plaintiffs or defendants have the opportunity to appeal if an opinion does not seem sufficiently well-founded. At some point the case may come before the highest German court or the ECJ. The matter ends before the ECJ at the latest. Its opinion may be regarded as fact, if I understand the legal system correctly. The rulings of the BGH and the BVerfG can also be regarded as quasi-facts for Germany. See, for example, the judgment of the BGH in the “Planet 49” case, in which Section 15 (3) TMG was reinterpreted. In effect, the BGH introduced the ePrivacy Directive in Germany because the German legislator had once again been asleep and too slow. So the Federal Court of Justice acted as a legislator, which it really should not. With the TTDSG, the matter has been formally and properly settled since 1 December 2021.
However, some courts further down the chain also disregard supreme court opinions. One court, for example, ignored an obiter dictum of the BGH. An obiter dictum is a statement by a judge on a question that was not asked, but for which there was a reason, for example an adjacent set of facts.
Here I am referring only to whether full IP addresses may be stored in website logs. Strictly speaking, the topic is the permitted retention period of such log files, but that answers the question at the same time.
My opinion is a thesis. A thesis can be falsified. That means that if you can give me a single counterexample that contradicts my statement, my statement is disproved. It also means that you have to accept my thesis if no such counterexample can be found. I am not interested in your opinion on this matter. Give me a counterexample to my following statement, or accept my statement as a fact that you would do well to follow.
My thesis is:
Most people are upset by this statement. The reason is that the adjective “without cause” (German: anlasslos) is misunderstood or overlooked. “Without cause” means always, or almost always. By contrast, there would be a cause if a hacker attack had been detected, or if there were a suspicion of one.
A suspicion may arise if the website in question is visited exceptionally often within a very short time. Automated retrieval could then be assumed, possibly with a view to a denial-of-service attack or to probing for security holes. The wish to keep crawlers out can also be a reason. Of course, only once the crawler becomes active, and not merely because of a general suspicion against any future caller.
I justify my statement in an extensive article:
Please note the following in this regard:
- “Required” (or “necessary”) is not the same as “useful”. As a business owner, how much would I like not to have to file my tax return, or sometimes to drive faster than allowed? That would be very useful in individual cases, but is of course illegal.
- “Log” means non-volatile storage. Temporarily holding data in main memory is not logging in the sense of my thesis. Of course, the contents of main memory must not be kept indefinitely either, and memory must not be “dumped” or read out for further processing, for example by humans.
- Legitimate interest is not a universal legal basis. It must be proven, or at least made plausible. If a milder means exists, legitimate interest is regularly ruled out as a legal basis. There is therefore no general legitimate interest in “security measures” as such; the interest can only be justified if it is derived in a very concrete way. Unfortunately, many fail at this. See also Art. 5 GDPR.
- So far nobody has been able to give me a counterexample that would refute my claim, even though I have actively contacted IT security experts, data protection officers and the BSI in writing and by phone.
Now to the actual question: the retention period of website log files.
Storage duration of website log files
How long may log files be kept on web servers? The BayLDA says 30 days. The other figure regularly given is 7 days. My opinion is the following:
Website log files may be kept for a very long time without cause, provided they contain virtually no personal data. A very long time can be a year; depending on the type of data they contain, it could perhaps be two or more years. The only danger is that the data is not always examined to see whether it could be linked to a person.
Website log files may not be stored at all without cause if the full IP address of website visitors is recorded. Reason: storing the full IP address is not necessary and therefore illegal. See my post linked above for details.
Website log files may be stored on an event-related basis for as long as the respective cause justifies it. If a hacker attack is detected, the cause may persist as long as the investigation is ongoing or as long as the hacker is active. Ideally, the controller should distinguish between the data in the log files that can be attributed to the hacker and the data that certainly cannot be attributed to the attack. However, if there is no personal data in the logs, this question is irrelevant.
In such a case, full IP addresses of users may (of course) also be stored. However, the evaluation of this data should serve only to avert the danger and must not be used for marketing activities.
If the IP address is not stored in the server log because doing so without cause is illegal (this is my statement, which has not been refuted so far), the following additional data remains that could be regarded as identifying a person and therefore as personal data (cf. Art. 4 No. 1 GDPR):
- User agent
- Visited URL
Together with the time of access, which server logs also record, a link to a person can be established. If the requested URL is stored without URL parameters, this value is in any case not critical. If it can be ruled out that form data with personal references ends up in URL parameters, and no other personal URL parameters (such as tracking links from newsletters) are used, then the full URL can be logged without risk.
The user agent is fairly distinctive, but not completely unique. Using it alone as a criterion to distinguish one user from a group of other users is difficult, to say the least. However, if enough other data is available, or if the website has few visitors, the user agent could already be regarded as data that can be linked to a person. See the statement by the Article 29 Working Party, which can be found, for example, in the reasoning in the WhatsApp case.
I therefore recommend storing the user agent in abbreviated form, or abbreviating it later (after approximately x days), or not keeping server logs for longer than 30 days.
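The two mechanisms the post relies on, default minimisation of the log fields (shortened IP, URL without parameters, abbreviated user agent) and full retention only where an event such as a burst of automated requests gives cause, as an added worked example that is not part of the original post. It assumes the Apache/nginx “combined” log format, /24 and /48 as the IP cut-offs and a threshold of 50 requests within 10 seconds; these choices and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Apache/nginx "combined" log format assumed (the post names no format).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)[^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def truncate_ip(ip):  # zero the host part: /24 for IPv4, /48 for IPv6 (assumed cut-offs)
    addr = ip_address(ip)
    return str(ip_network(f"{addr}/{24 if addr.version == 4 else 48}", strict=False).network_address)

def abbreviate_ua(ua):  # keep browser family and major version, drop OS and build details
    m = re.search(r"(Firefox|Chrom(?:e|ium)|Safari|Edg|curl|Googlebot)/(\d+)", ua)
    return f"{m[1]}/{m[2]}" if m else "other"

def burst_clients(records, threshold=50, window=timedelta(seconds=10)):
    """Clients with >= threshold requests inside any `window`: the cause that justifies full retention."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def minimise(log_text, **kw):
    """Anonymise every record by default; only burst clients keep the full IP, tagged with the reason."""
    records = [dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
               for m in map(LINE_RE.match, log_text.splitlines()) if m]
    flagged = burst_clients(records, **kw)
    return [{"ip": r["ip"] if r["ip"] in flagged else truncate_ip(r["ip"]),
             "path": urlsplit(r["url"]).path, "ua": abbreviate_ua(r["ua"]),
             "ts": r["ts"].isoformat(), "reason": "burst" if r["ip"] in flagged else None}
            for r in records]

# Constructed sample: one ordinary visitor, then one client firing 60 requests within 6 seconds.
FMT = '{ip} - - [20/Jan/2022:10:00:{s:02d} +0100] "GET {url} HTTP/1.1" 200 512 "-" "{ua}"'
SAMPLE_LOG = "\n".join(
    [FMT.format(ip="203.0.113.7", s=1, url="/kontakt?email=erika%40example.org", ua="Mozilla/5.0 (X11; Linux) Firefox/96.0")]
    + [FMT.format(ip="198.51.100.9", s=i // 10, url="/index.html", ua="curl/7.81.0") for i in range(60)])
```

Calling `minimise(SAMPLE_LOG)` keeps the full address only for the bursting client and strips the e-mail parameter, host part and browser details from the ordinary visitor's record.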
Server log files for websites may be kept almost indefinitely without cause if they contain no personal data. If the IP address is stored, there is no legal basis for this, so the server log is kept illegally. It should therefore not be kept at all.
In general, I do not recommend keeping server logs that contain no personal data for more than one or two years unless there is a reason to do so (a hacker attack or something similar). In most cases, however, there will probably be no reason to keep such logs any longer. For most website operators, these logs should not be necessary at all. With providers like ALL-INKL you can disable such logs, which is probably the best decision in most cases.
If a cause arises, all data appropriate to that cause may be kept for as long as is appropriate to it.