15

I am developing my own website with a blog, portfolio and tutorials, which will be accessible to the public.

As I am the only person who is in charge (my personal site), would I have to oblige to GDPR?

What I want to do is make an administrator panel and track user IP address ONLY if they go to that page. I would then block their IP if there is suspicious activity. I would also need to store cookies to ensure that the person using the administrator page is authorised.

As I understand GDPR make IP addresses personal information. Also, there is the EU cookie law too.

Is the GDPR and Cookie Law applicable to me or not? Also, would I have to make Terms and Conditions?

unor
  • 1,146
  • 8
  • 22
iProgram
  • 271
  • 2
  • 5
  • 1
Even if your website does fall under GDPR regulation, which probably depends on its purpose, you might be able to track IP addresses without user consent solely for the purpose of protecting your site against malicious users, since processing personal data is allowed when "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." – phoog Apr 28 '18 at 19:20
  • @phoog So you mean if I’m processing data only for security, it’s ok in that I don’t need their consent? I’m going to read through it before my site is live anyway. Just want people’s confirmation. – iProgram Apr 28 '18 at 19:52
  • 2
    I don't know that for sure. The regulation is young, and any particular case is unlikely to be tested in court for some time. That provision calls for a balancing of competing interests, so there's no way to make absolute statements about some situations. – phoog Apr 28 '18 at 21:18
  • 1
    Are you in the EU? As a practical matter, if you're outside the EU and not a multinational corporation, it's probably not going to affect you. – Ask About Monica May 02 '18 at 00:07
  • 1
    @O.R.Mapper - I've opened: https://law.stackexchange.com/q/28582/957 – Free Radical May 17 '18 at 09:16
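The design described in the question (record a visitor's IP only when they hit the administrator page, lock the address out after repeated failed logins, and keep the record no longer than the security purpose needs) as an added Python sketch. This is not the asker's code; the `/admin` path prefix, the failure threshold, the lockout window and the retention period are assumptions.

```python
import time
from collections import defaultdict

ADMIN_PREFIX = "/admin"        # only requests under this path have their IP recorded
MAX_FAILURES = 5               # assumed lockout threshold for failed admin logins
BLOCK_SECONDS = 15 * 60        # assumed window in which failures count, and lockout length
RETENTION_SECONDS = 24 * 3600  # assumed maximum age of admin access-log entries


class AdminAccessGuard:
    """Hypothetical helper: admin-scoped IP logging with lockout and expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable so behaviour is testable offline
        self._failures = defaultdict(list)  # ip -> timestamps of failed admin logins
        self.access_log = []                # (timestamp, ip, path), admin requests only

    def _recent_failures(self, ip):
        cutoff = self._clock() - BLOCK_SECONDS
        self._failures[ip] = [t for t in self._failures[ip] if t > cutoff]
        return self._failures[ip]

    def is_blocked(self, ip):
        """True while the IP has MAX_FAILURES or more failures inside the window."""
        return len(self._recent_failures(ip)) >= MAX_FAILURES

    def handle(self, ip, path, login_ok=None):
        """Return the HTTP status for the request; login_ok is None for ordinary
        requests, True/False for a login attempt. Public paths never touch the log."""
        if not path.startswith(ADMIN_PREFIX):
            return 200
        now = self._clock()
        self.access_log.append((now, ip, path))  # recorded only for admin paths
        if self.is_blocked(ip):
            return 403
        if login_ok is False:
            self._failures[ip].append(now)
            return 401
        return 200

    def purge_expired(self):
        """Drop access-log entries older than RETENTION_SECONDS; returns how many."""
        cutoff = self._clock() - RETENTION_SECONDS
        before = len(self.access_log)
        self.access_log = [e for e in self.access_log if e[0] > cutoff]
        return before - len(self.access_log)
```

Visits to public pages leave no trace at all, which is the data-minimisation argument behind relying on legitimate interest for the admin log; `purge_expired` would run from a scheduled job.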

2 Answers

4

The conditions for lawfulness of processing are spelled out in Article 6 of the GDPR.

As for it being legal for website operators to log the IP addresses of visitors, this is covered by the following paragraph (also pointed out by phoog in a comment). The paragraph says it is legal to process personal data if

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (my emphasis)

Yours is not the only web site that logs IP addresses for the purpose of security. Every web site I've ever worked on - from those controlled by large corporations to tiny NGOs - does this. This security practice will not be impacted by the GDPR (if it were, I am sure we would have heard about it by now).

there is the EU cookie law too

If your website is going to be accessible to European citizens and not only to your friends and family, you have to comply with the EU cookie directive of 2002 (an exemption for "personal websites" does not exist).

Free Radical
  • 3,212
  • 15
  • 28
2

Art. 2 lets your personal blog feel free not to worry about GDPR:

This Regulation does not apply to the processing of personal data:

c) by a natural person in the course of a purely personal or household activity;

So long as you do not sell goods or services to people in the EU and do not monitor their activity/behavior (read "configure your website analytics, if any, to ignore EU countries") you are fine.

Greendrake
  • 27,460
  • 4
  • 63
  • 126
  • 5
    Doesn't that depend entirely on what "purely personal" means in a legal sense? – O. R. Mapper May 03 '18 at 15:47
  • 3
    @O.R.Mapper GDPR does not give a definition of "purely personal activity", so judges would apply the Plain Meaning Rule. – Greendrake May 03 '18 at 23:35
  • 3
    The German version of the respective GDPR article translates "purely personal or household" as "ausschließlich persönlich(...) oder familiär(...)". These are the same words that have been in use in §55 RStV since 2007. The common interpretation in resources on this topic (just two out of many; only available in German: 1, 2) seems to be that a website ... – O. R. Mapper May 04 '18 at 20:44
  • 4
    ... can only possibly qualify as "ausschließlich persönlich oder familiär" if it is exclusively directed at personal friends and family of the author. Following that logic, as soon as a blog might be of the slightest interest to strangers, it is not "personal" any more. Nonetheless, I'd be interested in finding more information on actual court rulings on this topic. – O. R. Mapper May 04 '18 at 20:51
  • 3
This answer is wrong. The definition of "purely personal or household activity" does not apply to a publicly accessible website. The precedent is ECJ C-101/01. (@O.R.Mapper - this ruling may interest you.) – Free Radical May 16 '18 at 12:55
  • 1
@FreeRadical: Thank you for that link. However, note that the crucial paragraph (number 31) refers to the special case of publishing personal data, rather than just processing it. I have read the last sentence in that paragraph about six times now, and I am somewhat confused by it because it appears to say the opposite of the sentence before. To me, it only makes sense if the mention of "personal data" in the last sentence refers to something like "data personally provided by the natural person" (which is covered by the exception), in contrast to the "personal data" in the first ... – O. R. Mapper May 16 '18 at 13:11
  • 1
    ... sentence, where it refers to "data related to persons who have visited or used the website" (which cannot be published while being covered by the exception for "purely personal and household activities"). Therefore, I am not convinced your conclusion "The definition of 'purely personal or household activity' does not apply to a publicly accessible website." is accurate with respect to the text you linked to. – O. R. Mapper May 16 '18 at 13:12
@O.R.Mapper ECJ C-101/01 is about the scope of Directive 95/46/EC - it is not specifically about publishing. Publishing was just the type of processing Ms. L. had engaged in. According to both 95/46/EC and the GDPR, publishing (dissemination) is just a special case of processing (see Article 4, definition 2). Their ruling about whether the exception for "purely personal or household activity" applies is relevant for all forms of processing, not only to the form of processing known as dissemination or publishing. – Free Radical May 16 '18 at 13:47
  • @FreeRadical: "is relevant for all forms of processing" - where is that stated? Publishing is a particularly far-reaching use of personal data, so how can one deduce from this special case that the exception also does not apply in the case of other, less far-reaching uses such as merely internal processing? ... – O. R. Mapper May 16 '18 at 14:06
  • ... Furthermore, the linked text states: "However, that Government does not rule out that the exception provided for in the first indent of that paragraph might cover cases in which a natural person publishes personal data on an internet page solely in the exercise of his freedom of expression and without any connection with a professional or commercial activity." My understanding of this statement is that when a natural person publishes a website solely to exert their freedom of expression, that may well be covered by the exception. – O. R. Mapper May 16 '18 at 14:09
""is relevant for all forms of processing" - where is that stated?" It follows directly from the law. The law does not make an exception for publishing (or any other specific form of processing). – Free Radical May 16 '18 at 14:25
  • "My understanding of this statement is that when a natural person publishes a website solely to exert their freedom of expression, that may well be covered by the exception." The exception here is the one following from "Titles V and VI of the Treaty on European Union" and some other laws. This is indeed freedom of expression, which indeed applies to publishing, but not other types of processing. – Free Radical May 16 '18 at 14:35
  • 2
@FreeRadical your claim that the cited ruling applies to all forms of processing and not just publishing has no ground so far. GDPR indeed does not make an exception for publishing, but the case (which you've brought as precedent in an attempt to prove that this answer is wrong) does. It is in fact a very special case about publishing personal data and not processing in general. – Greendrake May 17 '18 at 00:08
  • 2
    @FreeRadical: Sorry, you lost me there. The law does define an exception, doesn't it (the one listed in paragraph 4.2. in the link)? This exception may apply to some forms of processing, but not others. (If the exception didn't apply to any forms of processing, it would obviously be pointless.) ECJ C-101/01 rules that it does not apply to the special case of processing (of other people's personal data) that is publishing (of that data). I fail to see how, based upon that, anyone can draw any conclusions about other special cases of processing. ... – O. R. Mapper May 17 '18 at 06:36
  • 1
    ... Also, unfortunately, I do not understand what you are trying to say here: "This is indeed freedom of expression, which indeed applies to publishing, but not other types of processing." - which one of the two possible meanings of "publishing" do you mean here? Publishing of other people's personal data (i.e. a special form of processing such data), or publishing one's own content online (not a form of processing other people's data and unrelated to publishing such data)? But maybe this topic is just too complicated to be explained in comments, so we should stop before this leads OT. – O. R. Mapper May 17 '18 at 06:42
First, C-101/01 is a textbook case in law school. It is thought to demonstrate the overreaching scope of EU privacy laws. Second, yes, 4.2 lists a number of exceptions, one of them being freedom of expression, which may permit the publishing of other people's personal data on a website (in this case the court concluded that this particular exception did not apply to Ms. L.). The "freedom of expression" exception obviously applies to online newspapers, who publish names and other personal data all the time. And yes, it is too complicated for comments. – Free Radical May 17 '18 at 08:50
  • 1
    @FreeRadical: "publishing of other people personal data on a website (...) publish names and other personal data" - as the OP does not appear to have any intention of doing that, according to the question, that case seems thus to be irrelevant here. – O. R. Mapper May 17 '18 at 10:28
@O.R.Mapper. The fact that courts have a duty to consider whether the freedom of speech exception applies in a case where the processing happens to be publishing does not mean that the ruling of the court is irrelevant in a case where the processing is not publishing. – Free Radical May 17 '18 at 10:56
  • @O.R.Mapper - Perhaps you may want to answer this: https://law.stackexchange.com/q/28582/957 – Free Radical May 17 '18 at 11:18
  • @FreeRadical: I'm afraid I don't have any references to back up my unfortunate suspicion that the answer is "No, it is not." I will answer if I come across anything suitable, though. – O. R. Mapper May 17 '18 at 19:38
  • Has anyone read ECJ C-101/01 till paragraphs 47-48? "That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people." - so if the personal data were not published, the exception would have applied. So the OP is free to collect IP addresses as long as they are not made public. – Vlad Nikiforov Dec 12 '21 at 23:06