16

I am developing my own website with a blog, portfolio and tutorials, which will be accessible to the public.

As I am the only person who is in charge (my personal site), would I be obliged to comply with GDPR?

What I want to do is make an administrator panel and track user IP address ONLY if they go to that page. I would then block their IP if there is suspicious activity. I would also need to store cookies to ensure that the person using the administrator page is authorised.

As I understand it, GDPR makes IP addresses personal information. Also, there is the EU cookie law too.

Are the GDPR and Cookie Law applicable to me or not? Also, would I have to make Terms and Conditions?

unor
iProgram

2 Answers

4

The conditions for lawfulness of processing are spelled out in Article 6 of the GDPR.

As for it being legal for website operators to log the IP-addresses of visitors, this is covered by the following paragraph (also pointed out by phoog in a comment). The paragraph says it is legal to process personal data if

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (my emphasis)

You are not the only web site that logs IP addresses for the purpose of security. Every web site I've ever worked on - from those controlled by large corporations to tiny NGOs - does this. This security practice will not be impacted by the GDPR (if it were, I am sure we would have heard about it by now).

there is the EU cookie law too

If your website is going to be accessible to European citizens and not only accessible by your friends and family, you have to comply with the EU cookie directive of 2002 (an exemption for "personal websites" does not exist).

Free Radical
2

Art. 2 makes your personal blog feel free to not worry about GDPR:

This Regulation does not apply to the processing of personal data:

c) by a natural person in the course of a purely personal or household activity;

So long as you do not sell goods or services to people in the EU and do not monitor their activity/behavior (read "configure your website analytics, if any, to ignore EU countries") you are fine.

Greendrake