BG Beter Geregeld ICT
AVG & privacy · 2 min leestijd · 20 December 2025

Logging IP addresses under GDPR: pseudonymous, personal data, and what's allowed?

An IP address is personal data under GDPR. Security logs often need to retain them for weeks or months. How do you reconcile that with data minimisation principles?

Under GDPR, an IP address is considered personal data. Security logs that capture IP addresses fall within the scope of data processing.

\n\n

Permitted legal bases

\n
    \n
  • Legitimate interest: security, fraud prevention, troubleshooting. Most commonly used.
    • \n
  • Legal obligation: where specific legislation applies (e.g. financial supervision).
    • \n
  • Consent: rarely required for security logs.
    • \n
\n\n

Retention periods

\n
    \n
  • Web access logs: 30 days as standard, up to 90 for forensic purposes.
    • \n
  • Auth logs (login attempts): 90 days – 1 year.
    • \n
  • Firewall logs: 30–90 days.
    • \n
  • Audit logs for compliance: 3 years (ISO-required).
    • \n
\n

Longer retention = stronger justification needed in your processing register, plus a risk analysis explaining why it is necessary.

\n\n

Pseudonymisation

\n

Can you anonymise the last octet (192.168.1.x → 192.168.1.0/24)? Sufficient for analytics. Usually not for security — you need to be able to correlate a specific IP address.

\n\n

Data subject rights

\n

Someone asks "what logs do you hold on me?" — you must be able to search by their IP address as well as their account ID. Document how you do this in your system.

\n\n

See also: GDPR pillar, retention periods.

Onderwerpen

#security #avg #ip-adres #logs

Volledige gids: Cumplimiento GDPR para pymes: el mínimo práctico

Dit artikel is onderdeel van onze uitgebreide AVG & privacy-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

AVG & privacy

GDPR Compliance for SMBs: The Practical Minimum

GDPR doesn't require a €10,000 project or a DPO for most small businesses. Here's what every SMB actually needs — based on what the Dutch DPA really checks for.

2 min
AVG & privacy

Data Retention Periods by Category for SMBs

How long should you keep customer data, job applicants, invoices, or CCTV footage? Here are the key categories in a clear overview table, with the source for each retention period.

2 min
AVG & privacy

Marketing consent: email, WhatsApp, retargeting — what are you still allowed to do?

Your newsletter, promotional emails, retargeting pixels — they all need a valid consent basis. Here are the concrete rules per channel.

2 min
AVG & privacy

Data subject rights: access, rectification, erasure — a workable procedure

A customer wants to see their data — or have it deleted. You have 30 days. Here's the procedure that gets it done without each request eating up half a week.

2 min
AVG & privacy

Sub-processors outside the EU: what Schrems II still requires

Using AWS, Google, or Microsoft? Then some of your data flows through the US. Since Schrems II, that's no longer a given. Here's what actually works today.

2 min
AVG & privacy

DPIA — Data Protection Impact Assessment: when is it required, and when can you skip it?

A DPIA sounds like something only large enterprises need to worry about. For SMBs it's rarely required — but there are a handful of specific situations where it is. Here's the decision tree.

2 min
← Alle artikelen in "AVG & privacy"