Joe is a completely novice Web developer who sets up an Apache server on its defaults, which include collection of log files which basically say "this specific file was requested by this specific IP address using this specific client string at this specific time, and the request succeeded/failed." Joe might not even be aware of this logging and might not ever use it.

Joe's Web site is Web 1.0: information published in a form others can read. It has no capabilities for typical users to create an account, log in, or enter data beyond the HTTP GET requests their browser automatically sends when the user navigates to/from/on the site. It doesn't even need cookies.

Joe's server and operations are outside the EU and his primary target audience may be too (e.g. Joe is a local activist in a non-EU country, and the Web site is that of the activist group, or a small nonprofit, or even a local restaurant which might serve ethnic food from a specific European tradition). However, it may be that some people in the EU are interested in what Joe is saying/doing, and visit Joe's web site to read what's posted there.

This page and others I've seen indicate that IP addresses are considered personal information under GDPR. It seems that Joe's server is collecting that data without notice and consent from each user.

It doesn't seem that this site would qualify as "purely personal" in the same way as a personal blog might.

Is Joe in violation of GDPR, just for having posted a simple Web site with an Apache server on defaults?
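To make concrete what the question says Apache records by default, here is an added example (not part of the original post, and not Apache's own code): a parser for the default "combined" log line, which exposes the client IP, timestamp, request line, status, referer and User-Agent fields, and a truncation step (assumed here as a common pseudonymisation choice, not something the question describes) that zeroes the host part of the address before the line is retained. Sample log lines are constructed with documentation addresses.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Apache's default "combined" LogFormat (what a stock httpd.conf writes):
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LINES: List[str] = [
    '192.0.2.44 - - [27/Jun/2019:15:05:02 +0000] "GET /menu.html HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/67.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [27/Jun/2019:15:06:10 +0000] '
    '"GET /about.html HTTP/1.1" 404 - "https://example.org/" "curl/7.64.0"',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its named fields, or None if it
    does not match (e.g. a truncated or differently formatted line)."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def anonymize_ip(host: str) -> str:
    """Keep only the network part of the client address: /24 for IPv4,
    /64 for IPv6 (an assumed pseudonymisation policy, not an Apache feature).
    A non-IP value (a hostname when HostnameLookups is On) is dropped
    entirely, since it can identify the visitor just as well."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "-"
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_line(line: str) -> Optional[str]:
    """Re-emit a combined log line with the client address truncated;
    all other fields are kept unchanged."""
    rec = parse_combined(line)
    if rec is None:
        return None
    rec["host"] = anonymize_ip(rec["host"])
    return ('{host} {ident} {user} [{time}] "{request}" {status} {size} '
            '"{referer}" "{agent}"').format(**rec)


def process_log(lines: List[str]) -> List[str]:
    """Pseudonymise every parseable line; unparseable lines are skipped."""
    out = []
    for line in lines:
        rewritten = pseudonymize_line(line)
        if rewritten is not None:
            out.append(rewritten)
    return out


if __name__ == "__main__":
    for original in SAMPLE_LINES:
        print("raw:   ", parse_combined(original))
        print("stored:", pseudonymize_line(original))
```

Running the block on the constructed lines shows every field the default log retains, and that the only change after truncation is the leading address (192.0.2.44 becomes 192.0.2.0, the IPv6 address keeps only its /64). Apache itself can apply the same kind of reduction at write time through a custom LogFormat, but that configuration is outside what this example covers.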


3 Answers


First of all, although the GDPR is stated to apply to any site which processes the data of any person who is in the EU, it is not clear how a site not located in the EU, that does no business in the EU, and does not primarily target EU residents as its audience can be required to comply with the GDPR. To the best of my knowledge, no such case has yet been brought, much less decided.

There has also been some debate on whether an IP address constitutes Personal Data under the GDPR, and if it always does so, or only under particular conditions. The European Court of Justice (ECJ) held (under the predecessor Directive 95/46/EC) that a dynamic IP address was personal data. But in that case the web site was run by the German Federal Government, which surely has wider scope for getting info from a German ISP than a small private US web activist does. There is not yet any case law that I know of on the applicability of the GDPR to IP addresses in any case at all similar to the one in the question.

Joe would in my view be wise to at least learn that logs are being kept, and post a disclosure of this on the site. Whether Joe needs to do more than that is less than clear at this time.



Assuming that it is personal data, there are 6 lawful reasons under the GDPR for collecting personal data: you are focusing on no 1, consent; this falls under no 6, legitimate business interest. Notwithstanding, Joe would not be in compliance because he has not identified the legal basis, is not notifying his users and presumably has no procedures in place for dealing with user access requests etc.

However, it isn’t personal data for Joe because, unlike the ISP in the judgement, he lacks the supplementary data (which account the IP address was issued to) that would allow the IP address to be linked to a specific individual.

  • How would he lock up that supplementary data if he doesn't take steps to gain access to it in the first place?
    – WBT
    Commented Jun 27, 2019 at 15:05
  • @WBT added into answer
    – Dale M
    Commented Jun 27, 2019 at 20:42
  • The addition says what supplementary data you are referring to, not how he "locks" it up or gains it in the first place.
    – WBT
    Commented Jun 28, 2019 at 13:29
  • @WBT ah, I see. The confusion is the word should be lacks, not locks
    – Dale M
    Commented Jun 28, 2019 at 20:55
  • That makes more sense now.
    – WBT
    Commented Jun 29, 2019 at 1:17

There are multiple aspects to this. Let's start from the beginning.

Is GDPR applicable? Let's see. My interpretation of the GDPR is that IP addresses are typically regarded as "personal data". Note that it's enough that information can be indirectly connected to a natural person together with additional data. Joe is therefore processing personal data according to the GDPR.

Next, someone from EU visits the website, but Joe is not in the EU. In this case, the GDPR only applies according to Article 3 when the processing relates to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the Union.

Joe is clearly not offering goods in EU. He is potentially offering a service (i.e. the website itself). More clear is that Joe monitors the EU visitors' behaviour through his web server logs.

In other words, for visitors from the EU, the GDPR appears to apply to the Apache logs. This is nothing controversial and many privacy policies of e.g. American websites mention access logs in their privacy policies.

Are there any exceptions to GDPR applicability? The exception for "purely personal or household activities" comes to mind, but it's unlikely to cover any monitoring of people outside of Joe's household. I have written a blog post with many more details about this: GDPR for personal websites. If Joe only provided the web server for himself and his friends and a stranger stumbled upon it by mistake, it might go under "purely personal", however.

There's still one last exception to consider, as far as I can tell, and that is whether EU law covers Joe at all. This is a general limitation, which is also hinted at in Article 2 of GDPR. In the end, European Union regulations have limited effect across the world and won't be enforced everywhere. There's no way to answer that in the hypothetical scenario, but it's possible that Joe operates his web server in a context that falls entirely outside the reach of EU law.

Given that Joe has actively made the website available for the general public and assuming that his activities don't fall outside the scope of EU law entirely, he's to some extent covered by the GDPR. This still doesn't answer the main question. Does Joe violate the GDPR? Maybe. That depends on whether he complies with the regulation. He should provide visitors with information about his data processing (i.e. a privacy policy). Since he doesn't seem to, then he appears to be in violation of the GDPR. This is a minor violation that he could easily fix.

Finally, note that there's a theoretical difference between not violating the GDPR and EU not being able to enforce any penalty for a violation. For Joe, it may be enough that the GDPR can't be enforced towards him. If Joe has no intention of ever visiting or dealing with EU in the future, he might be content regardless of any GDPR violations. See this article for more on this.

  • 1
    Great answer, and a very thorough blog post! I think the discussion about Art 2 is irrelevant though. This is not about the territorial but material scope, e.g. stuff like national security is out of scope for the EU (compare Recital 16 GDPR and the EU's subsidiarity principle). Regarding Art 3, the question isn't so much if the website is a service (well duh) but if the controller is offering it to people in the EU – EDPB guidelines 3/2018 are highly relevant here.
    – amon
    Commented Jan 3, 2021 at 23:28
