GDPR and Log Data Storage

keyplyr

11:08 am on May 3, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

One of the main talking points of any discussion regarding the upcoming EU GDPR is storing sensitive data from site visitors.

Part of this issue is the IP addresses and other data found in server access logs. While this data is a necessary part of operating a website, the real issue is storage: where and for what length of time.

Generally, as outlined by the GDPR, websites outside the EU but who have EU visitors have 3 options.

• Store server logs on servers inside the EU under their jurisdiction.

• Store server logs on a server at a company that has Privacy Shield certification. [privacyshield.gov]

• Purge (delete) server logs each day either manually or by setting up a cron job.

List of Privacy Shield certified companies [privacyshield.gov]

- - -

LifeinAsia

8:18 pm on May 3, 2018 (gmt 0)

Every day thinking it's just easier to ban all traffic from the EU...

keyplyr

4:19 am on May 4, 2018 (gmt 0)

I wish it were that easy. EU is >20% for me.

rustybrick

10:54 am on May 4, 2018 (gmt 0)

"Every day thinking it's just easier to ban all traffic from the EU..."

It is not about people who are currently in the EU. It is any EU citizen anywhere in the world. So you'd need to figure out your EU users, who are currently in the US and remove them also. :)

Shaddows

12:53 pm on May 4, 2018 (gmt 0)

It is any EU citizen anywhere in the world

I see that a lot, but the law does not seem to say that (I have a paper copy of it in front of me, which I am annotating).

See, for example, Article 3, quoted in full for the avoidance of doubt:
Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Source: [eur-lex.europa.eu...]

So, citizenship is irrelevant. It is the Data Subject's physical location. Americans are covered while on EU soil, while Germans are not while in the USA.

Also, a quick Ctrl-F suggests "citizen" does not appear in the legal text.

Edit - clarity/consistency of emphasis

[edited by: Shaddows at 1:12 pm (utc) on May 4, 2018]

Shaddows

1:06 pm on May 4, 2018 (gmt 0)

Part of this issue is the IP addresses and other data found in server access logs.

Possibly, but you are probably safe if you do not collect any other data (like email addresses) on the site in question. The reason being, it is not reasonable for you, a private site owner, to tie server log data to a particular person, unless you then collect other data which is PII and links back to the server log data via IP. See Recital 26. Again in full, emphasis mine:
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

I appreciate that's one for the lawyers, but I would be comfortable operating on the basis that I cannot resolve an IPv4 address to a private person.

NOTE: Legal persons (i.e. Businesses) are NOT covered, so reverse-DNS lookups are not going to help.

NickMNS

1:24 pm on May 4, 2018 (gmt 0)

So, Citizenship is irrelevant. It is the Data Subject's physical location. Americans are covered while on EU soil, while Germans are not while in the USA.

How exactly is one supposed to know from an IP address alone that a user is "physically" situated in an EU country? It is possible, and even likely (hackers will exploit this vulnerability), that some users will use technological means such as a VPN and/or botnets to access sites using EU IPs to ensure that their activities are not traceable.

Shaddows

1:36 pm on May 4, 2018 (gmt 0)

Well, you could just comply for everyone. Doing so is not that difficult.

The bit that is difficult is the endless documentation. But, assuming you do that for your EU cohort, it applies equally to everyone anyway.

Governance = tricky, onerous
Operations = easy

Hackers do not suddenly have free rein here in the EU. You have a whole load of reasons for keeping data. You just need to declare them.

Shaddows

2:12 pm on May 4, 2018 (gmt 0)

RE: Hackers (I knew it was here somewhere)
Recital 49
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

keyplyr

8:40 pm on May 4, 2018 (gmt 0)

The topic of this thread is Log Data Storage.

keyplyr

10:30 pm on May 4, 2018 (gmt 0)

Part of this issue is the IP addresses and other data found in server access logs.
Possibly, but you are probably safe if you do not collect any other data (like email addresses) on the site in question. The reason being, it is not reasonable for you, a private site owner, to tie server log data to a particular person- unless you then collect other data...
It does apply. I've had discussions with several hosting companies where the sites I manage reside. Log data is being regulated by the upcoming GDPR.

Log Data Storage is subject to the 3 options listed in the 1st post. This applies to Shared Hosting and Leased Servers or VPS and concerns site owners as well as the company that owns the hardware and the jurisdiction they're in.

How rigidly this will be enforced, especially with smaller hosts, is another matter and we'll need to wait and see. 2 of my hosts are Privacy Shield Certified. Still waiting on my 3rd host. I may need to move.

Shaddows

7:39 am on May 8, 2018 (gmt 0)

Generally, as outlined by the GDPR, websites outside the EU but who have EU visitors have 3 options.

No offence, but says who? Why would US companies need additional services beyond what we in the EU have to do?

There is a whole bunch of FUD, especially Stateside, about this. I get the impression that there are some service companies telling people what they need to do, and conveniently it means using their services.

In terms of outsourcing, there are additional things EU companies need to do before we outsource to Rest-of-World. That may very well mean using a Privacy Shield compliant partner. But in terms of US companies complying in-house, it's just exactly the same as EU companies complying in-house.

In short:
Legal Basis (probably "legitimate interests")
Transparency (say what you will do with it)
Delete data when no longer required
Encrypt in transport
Don't make novel use of data, if that use was not covered in your Imprint at time of collection

You will hear people say a court found IP addresses to be PII. Unless you can discuss the case with me at length, I will assume you are just repeating third-hand info. Suffice to say that if you are not an ISP, and do not have in-house means of resolving an IP to a person (like through further data collection), IPs are not PII.

keyplyr

8:01 am on May 8, 2018 (gmt 0)

No offence, but says who?
@Shaddows - this comes from admins at the several US hosting companies I deal with for clients. Please read the link.

Since they don't want to lose their EU clients and their US clients who have EU visitors, they have been working with the EU to be compliant with the upcoming GDPR.

Why would US companies need additional services beyond what we in the EU have to do?
I don't see US companies doing anything more than EU companies. Again, read the link posted in the OP.

Shaddows

8:21 am on May 8, 2018 (gmt 0)

I did read the link.

I agree that EU companies using US hosting will need to use a Privacy Shield hosting company. This is because of outsourcing rules. I could quote the law, but I sense you are not reading my at-length quotes above.

If you collect PII via web forms, and you use a hosting company, Privacy Shield might be appropriate. This is because you can resolve IPs to people.

If you are an info-only company (i.e. a publisher), based outside the EU, and do not collect any data beyond server logs, you will not need Privacy Shield certification.

If you are a US hosting company that is certified, you will say everyone needs Privacy Shield.

keyplyr

8:45 am on May 8, 2018 (gmt 0)

Privacy Shield is what the EU and the US have developed for companies outside the EU that collect log data to be compliant with GDPR. This is for hosting companies & those who own (not lease) servers.

Privacy Shield goes well beyond determining log data storage, but that is the topic of this thread.

Site owners, outside the EU, that save log file data have several options. Hosting or leasing a server from a Privacy Shield certified company is just one option for GDPR compliance.

Personally, I do 2 things for compliancy. My host is Privacy Shield certified and I purge log file data every 24 hours.

How strictly this will be enforced remains to be seen.

keyplyr

7:06 am on May 22, 2018 (gmt 0)

One more option is to encrypt log data.

Shaddows

7:51 am on May 22, 2018 (gmt 0)

I feel about encryption the same way you feel about https; I cannot understand why anyone would do anything else. As such, I take encryption of personal data as a given, GDPR or no. (Like https is vital, ranking benefit or none).

ChanandlerBong

9:44 am on May 22, 2018 (gmt 0)

Someone posted the new BBC privacy policy the other day; this is what they say about "where we store your data":

Some companies that provide services to us run their services from outside the European Economic Area. We only let that happen if we are satisfied with their levels of security. Keep in mind that when you give us personal information it could be being transferred, stored or processed in a location outside the EEA.

That to me seems not very GDPR-compliant; I'd be interested to see if it still says that on Friday.

stever

9:57 am on May 22, 2018 (gmt 0)

Could be to do with the big US social media companies, who have transferred their data-processing out of the EU in a hurry (e.g. Facebook).
[theguardian.com...]
So if the BBC is using stuff from Facebook or LinkedIn, for example, that might be a necessary notification.

Strangely enough, the EU - and Eire in particular - was great when they were getting tax breaks and could shift their earnings from country to country...

keyplyr

9:58 am on May 22, 2018 (gmt 0)

Please keep on topic. The topic of this thread is Log Data Storage.

There are several other discussions about various things related to GDPR.

Thanks.

Cralamarre

4:18 pm on May 22, 2018 (gmt 0)

My web host is listed as certified on the Privacy Shield website, so I guess I'm okay as far as log files are concerned. I'll be sure to include that in my privacy policy.

keyplyr

7:46 pm on May 23, 2018 (gmt 0)

From my Privacy Policy...
Our data center [ragingwire.com] complies with the EU-US Privacy Shield Framework [privacyshield.gov] as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from European Union member countries.

Logs with users' identifiers removed (but including IP addresses and user agent strings) may be securely retained for a period of 96 hours or less. This period of time balances privacy concerns with the need to ensure that log processing systems have time to operate; that operations engineers have time to monitor and fix technical and performance problems; and that security and data aggregation systems have time to operate. These logs will not be used for any other purpose.

- - -

keyplyr

10:18 am on May 27, 2018 (gmt 0)

Through talks with our data center & server hosting & getting some changes made, we now can say:
Logs with users' identifiers removed (but including IP addresses and user agent strings) are encrypted and securely retained for a period of 72 hours or less...
I feel now we are in full compliance with GDPR regulation.
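The daily purge cron job from the first post and the "identifiers removed, retained 72 hours or less" policy in the last two posts, as one added shell example that is not from the thread or any poster. LOG_DIR, the crontab line, and the field positions of the Apache/nginx "combined" log format are assumptions; set RETENTION_HOURS=24 to get the first post's daily purge instead.

```shell
#!/bin/sh
# Added example, not from the thread. Two parts of the stated log policy:
#  1. remove user identifiers from access log lines (IP and user agent kept);
#  2. delete archived logs older than the retention window (72 hours).
# Assumed: "combined" log format, where field 2 is the ident and field 3 the
# authenticated user. LOG_DIR is a placeholder path, not a real host's.
# Suggested crontab entry (assumed schedule):
#   0 3 * * * /usr/local/bin/logpolicy.sh run

LOG_DIR="${LOG_DIR:-/var/log/httpd/archive}"
RETENTION_HOURS="${RETENTION_HOURS:-72}"

# scrub_line LINE: print LINE with the ident and remote-user fields blanked.
scrub_line() {
    printf '%s\n' "$1" | awk '{ $2 = "-"; $3 = "-"; print }'
}

# scrub_file FILE: apply the same scrub to every line of FILE, in place.
scrub_file() {
    tmp="$1.tmp.$$"
    awk '{ $2 = "-"; $3 = "-"; print }' "$1" > "$tmp" && mv -- "$tmp" "$1"
}

# purge_expired DIR HOURS: delete regular files under DIR whose modification
# time is older than HOURS, printing how many were removed (shows up in cron mail).
purge_expired() {
    mins=$(( $2 * 60 ))
    find "$1" -type f -mmin +"$mins" -print -exec rm -f -- {} + | wc -l | tr -d ' '
}

# Run the whole policy only when invoked as "logpolicy.sh run".
if [ "${1:-}" = "run" ]; then
    for f in "$LOG_DIR"/*.log.*; do
        [ -f "$f" ] && scrub_file "$f"
    done
    echo "purged $(purge_expired "$LOG_DIR" "$RETENTION_HOURS") expired log file(s)"
fi
```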