there's a whole two hundred post debate around here whether IPs are or aren't PII on their own, with the vast majority holding the wrong position.
there's a whole branch of gdpr that people aren't considering, which is not related to software but to your business (i.e. your mail calendar). you also need a privacy policy if you are receiving phone calls. did you know that?
there's a whole bunch of implications on how liable you are for holding unwanted personal information, including unwanted medical personal information, i.e. "hi I saw your gazebo renting service, I'm organizing an event but I am unable to walk due to a permanent disability and require that a ramp is present to access your gazebo, is that so?"
there is a huge surface area for uncertainty, up to and including 'best practices' that are a constantly shifting target.
edit: to clarify the calendar part: if you have a meeting with someone, that links an identity with a location. that's why it's an issue, even without considering the address book, which is another issue by itself.
Largely pointless. EU courts have in the past ruled that IPs are personal data because they can be tracked back to a person. End of story.
>there's a whole branch of gdpr that people aren't considering, which is not related to software but to your business (i.e. your mail calendar).
was largely already covered by the previous EU privacy law and the german privacy law. Courts largely agree that calendars for appointments are fine as long as you keep them reasonably secure and don't throw them around in public.
>you also need a privacy policy if you are receiving phone calls. did you know that?
Yes I did. I informed myself when I registered as a small business.
You mean your website needs to have a note next to your phone number saying something like "we will not record your phone calls", and if there isn't, you're liable to be fined?
I know. I'm on that side. I can link you to dozens of threads where comments stating IPs are PII are downvoted to hell and false myths spread like wildfire.
> Courts largely agree that calendars for appointments are fine
yes, but for online calendars the provider is a processor and needs to be listed as such. and when a customer exercises the right to be forgotten, you'll need to go back and delete the meetings. all new stuff I'm quite sure the majority forgot to consider.
> Yes I did. I informed myself
good for you, doesn't mean there are a lot of businesses that didn't, and considering the false myths spread around here, this board needs to hear as much as possible about these things.
The problem is that it's a stupid question. No-one has just IP addresses, they have a mix of data. If you can combine the IP address with anything else to identify a natural person it becomes personal data.
IPs are personal data https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Without conditions. Even hashing them doesn't make them 'irreversibly anonymized' because the IP space is too small for hashing to be irreversible. A rainbow table can be built with all IPs and used to deanonymize the IP.
> The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
That raises an amusing question. Suppose you have a one person business with a small number of customers (a few dozen or so) that you deal with in person. With proper mnemonic techniques it would be possible to do all the storage and processing of their personal data in your head.
Does GDPR apply?
The only thing I see in the quoted paragraph that might suggest it does not is "provided the data is organised in accordance with pre-defined criteria (for example alphabetical order)". Do brains use pre-defined criteria to organize data?
This too raises an interesting question:
> Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
If data is used to train a neural net and then discarded, but you keep the trained neural net, in some sense the data is still there in the weights of the connections in the neural net. Has it been sufficiently rendered anonymous to no longer be considered personal data?
It’d be really nice for the “fucking idiots” that you referred to earlier if those of you who clearly know what the law says and what it means could get your stories straight.
They are wrong. IPs are not personal data. End of story.
In the EU IP addresses are legally defined as personal data and have been for a long while now. End of story.
On the other hand, as parent noticed, hashing IPs is not effective as it's possible to reverse it (the IP space is small).
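The two posts above that say hashing IPs is not effective because the IP space is small can be checked directly. The following is an added example, not code from anyone in the thread: it hashes a constructed IPv4 address from the RFC 5737 documentation range the way a naive log pipeline would, rebuilds the lookup table for one /16 to recover it, and then shows the keyed HMAC alternative, where enumeration without the key finds nothing. It assumes IPv4 throughout; the function and variable names are mine.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# All addresses below are constructed samples from the RFC 5737 documentation
# ranges; nothing here touches the network.


def naive_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the dotted-quad text: the 'anonymization' the thread
    says is reversible."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. The input space is just as small, but
    recomputing the table needs the key. This is pseudonymisation, and
    pseudonymised data is still personal data under the GDPR; the key must be
    access-controlled and deletable so the mapping can be made unrecoverable."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def truncate_ipv4(ip: str) -> str:
    """Data-minimisation alternative: zero the host octet so the stored value
    names a /24, not a host. Reduces identifiability; does not eliminate it."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)


def recover_by_enumeration(target_hex: str, network: str,
                           key: Optional[bytes] = None) -> Optional[str]:
    """Rebuild the table for one prefix and look the target up. Whoever holds
    the hashes can do the same for all of IPv4: only 2**32 candidates."""
    for host in ipaddress.ip_network(network):
        ip = str(host)
        digest = naive_hash(ip) if key is None else keyed_pseudonym(ip, key)
        if hmac.compare_digest(digest, target_hex):
            return ip
    return None


def demo():
    ip = "203.0.113.42"          # constructed sample (TEST-NET-3)
    prefix = "203.0.0.0/16"      # 65,536 candidates; runs in well under a second
    # 1. Unkeyed hash: recovered by enumerating the prefix.
    recovered = recover_by_enumeration(naive_hash(ip), prefix)
    # 2. Keyed pseudonym: enumerating without the key finds nothing.
    key = secrets.token_bytes(32)
    not_recovered = recover_by_enumeration(keyed_pseudonym(ip, key), prefix)
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())                        # ('203.0.113.42', None)
    print(truncate_ipv4("203.0.113.42"))  # 203.0.113.0
```

The enumeration is scaled down to one /16 so it finishes quickly, but the cost grows only linearly with the prefix size, which is why an unkeyed hash of an IPv4 address should be treated as the address itself. The keyed form only moves the problem to key management, and neither it nor octet truncation turns the value into anonymous data in the sense of the quoted GDPR text.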
What if you are using IPv6?