> No, it's not, unless you have logs or database records that links the IP address to a person (such as a login from that IP). And I bet you do, that's why it bothers you.
Nope, the scenario is which this came up for me was about keeping IP addresses in a blacklist in a firewall. No logs or linking or anything.
> Users can leave data that identifies them in various places. Sometimes they do it intentionally, sometimes not. It's your job to warn them and obtain consent.
If it's my job to obtain individuals' consent to process their personal data in contexts where they have no business putting personal data, the law is poorly-designed.
Thanks for the info and links, that's genuinely useful. For the record I know my example isn't a watertight logical gotcha; it's an example of how GDPR's language is (IMHO) imprecise and unhelpful.
Nope, the scenario is which this came up for me was about keeping IP addresses in a blacklist in a firewall. No logs or linking or anything.
> Users can leave data that identifies them in various places. Sometimes they do it intentionally, sometimes not. It's your job to warn them and obtain consent.
If it's my job to obtain individuals' consent to process their personal data in contexts where they have no business putting personal data, the law is poorly-designed.
> In this case, removing data is a legal obligation you have. Processing data (by deleting it) to obey law is one of the exceptions in GDPR (art.6/1./c, and also art.17/3./b). https://gdpr-info.eu/art-6-gdpr/ https://gdpr-info.eu/art-17-gdpr/
Thanks for the info and links, that's genuinely useful. For the record I know my example isn't a watertight logical gotcha; it's an example of how GDPR's language is (IMHO) imprecise and unhelpful.