There is nothing non-compliant about that. You seem to misunderstand essential vs. data hoarding for advertisement purposes. If you were to keep that data forever, sell it to third parties or profile users based on that logging data, not tell them about it, then yeah, you'd be violating the GDPR.
For normal operation, system logging is pretty much a requirement for essential operation. That includes most properties of a connection like IP, UA, date, time, URI, etc.
Which is the answer I see all of 50% of the time. Then, I see "Well, actually it is non-compliant because yadda yadda". My company isn't going to hire international compliance experts to review the operations of every public website we run, and we don't have any that need European visitors. So, best to just block them.
Meaning what? Our time is finite. Time we spend trying to comply with European regulations, when we have no European presence and seek no European customers, is time taken away from everything else we need to do—including complying with the actual laws we live under.
Without it documented why I am collecting it, how I use it and how I store and delete it, it is non-compliant that I am collecting it at all. I think that you are assuming that they know it is being collected and that they are supposed to use it for something. They don't. It is not essential at all to the operation of the service if you don't actively monitor it. Saying it could potentially be used for some kind of security function seems like a CYA if you aren't actually doing that.
Without a bunch of work that hasn't been done, I seriously doubt that they can give Right to Access, Right to be Forgotten, Data Portability, Privacy of Design and it does clearly state it is Personal Data.