undefined | Better HN

0 pointsonli4y ago0 comments

It's illegal to keep personal data of users without either legitimate interest or a direct agreement, that's completely clear under the DSGVO. If the operational logs are needed to fulfill the contract with the user then sure, the provider can keep them (for as short as possible), otherwise not. Days? I highly doubt it.

The Vorratsdatenspeicherung counteracted that principle, if it falls away storing this data gets really complicated.

0 comments

5 comments · 2 top-level

Jensson4y ago· 2 in thread

Keeping server logs for a few days is considered necessary for running servers. Therefore you accessing a server means you implicitly give them the right to store your access request for a few days, because it is unreasonable to assume they would run a server without access logs.

Edit: For example, you can't assume people will work on weekends. So if an issue occurs on a weekend and someone needs to look at it, then the log need to at least last throughout the weekend.

adambatkin4y ago

And if it is May 29 and you notice an attacker has been lurking in your network for at least 2 weeks (but you don't yet know exactly when it started or how they got in) you will be very happy that you have netflow and access logs going back 30 or 60 days or a year. And that's considered an operational requirement for anyone who cares about the safety and security of their systems and networks.

hodgesrm4y ago

We store certain audit logs forever--or close to it--for exactly this reason. You don't know when you'll need the data to assess possible breaches and report back to users. (Which not coincidentally is a requirement of GDPR.)

Edit: clarified "forever"

adolph4y ago· 1 in thread

Is DSVGO the same as GDPR? Why wouldnt ISPs bake personal agreement into the TOS like every other cookie clickthru? (Even if they don’t plan to retain it, better to get permission in case unintended retention occurs or business needs change.)

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

onliOP4y ago

> Is DSVGO the same as GDPR?

Yes, just the german name :)

> Why wouldnt ISPs bake personal agreement into the TOS like every other cookie clickthru?

Personal agreement baked into a TOS is illegal. It has to be declinable and the service be offered regardless. Those cookie clickthroughs are getting those publishers sued now, see https://www.huntonprivacyblog.com/2019/10/03/cjeu-reaches-de... for an example.

> better to get permission in case unintended retention occurs or business needs change.

Which exactly is why this is not allowed. You can't just collect data just in case. Or you can of course, until you get caught and fined.

j / k navigate · click thread line to collapse