
> registering for a push does make an HTTP call which logs a user’s IP and this requires GDPR compliance. APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person.

Article 6, Paragraph 1, seems to cover those two parts of data collection. Logging a user's IP for security is acceptable, as is logging for a legitimate interest of the user (or operator) as long as it does not conflict with the interest of the data subject in regard to their need for data protection. APNS push tokens seem to fit that description quite well.




Agreed, I don't see how this possibly cannot be a legitimate interest - the user knows they need to be contacted for a push request to work, even if they don't understand or care about the underlying vagaries of IP addresses.


It covers it ... except when it doesn't. Which is open to 'interpretation'

Where is the scale balanced on this ... will it be the same in each of the different countries implementing it?

> as long as it does not conflict with the interest of the data subject in regard to their need for data protection

Article 6.1.f

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

So ... I can retain IP records in my logs, as long as they aren't a child?


In regard to children, I view it as part of two different interpretations. One is that data in regard to children needs to be considered with extra care, and in those cases where the process is written down or is more formal, then that consideration needs to be addressed.

The other way to see it is a bridge to the US regulation COPPA, where operators in the US and EU now have to follow the same rules in regard to children. In this case Monal would have to move out of both EU and US in order to avoid the regulations in regard to children.



