(no title)
pierrefar | 7 years ago
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...
pitaj|7 years ago
It seems like this only addresses when IP addresses are combined with other data.
kasey_junk|7 years ago
The guidance my firm received was to treat them, by themselves, as an ID. YMMV.
zaarn|7 years ago
I think the easy way to check is to ask yourself if the data can directly link to someone's IRL identity.
If no, ask yourself if the police could identify them if they demanded and got the data.
If still no, ask yourself if the data is of a protected category (gender, religion, sexuality, etc.).
If you need any of this data, minimize your need first (ie this means storing IPs only for a limited timespan, german authorities have IIRC recommended 7 days as normal).
If you can't reduce your need, find another way to do what you do that has less need.
If all else fails, cover under legitimate interest and hope you're not Adtech.
pierrefar|7 years ago
It’s easy to see why quote I gave says what it says with this context.
Also, if you’re worries, talk to your lawyer.
dronescanfly|7 years ago
aswell as 'indirectly' identifying information like IP adresses where the technical possibilities exist to link them back to the person.
EVEN if you do not actively link them to the person DSGVO treats them the same way as the directly identifying information