Ask HN: Is there a GDPR compliance privacy statement template for small blogs?
6 points by eminent101 on Oct 6, 2022 | 14 comments
Open source licenses have done wonders for individual software developers who want to publish free/libre/open source software on the internet. We don't have to hire lawyers to carefully draft a license to give away our software for free while protecting ourselves with disclaimers.

Is there something similar for privacy statements that can be used by small blog owners to remain compliant with GDPR?

Assume the blog is hosted on a Digital Ocean virtual machine hosted in the EU, runs on self-hosted WordPress or another self-hosted free CMS with a built-in comment form. Assume it only writes Apache/Nginx access logs, does not have any analytics in the pages, no cookies, no tracker. Only user comments and access logs. Anything handy for such blogs?



> Digital Ocean virtual machine hosted in EU

The Schrems II ruling says it's not enough to have the data hosted in the EU since DO is a US corp.

One trick I've seen people use is to move the discussion to a different forum, like posting the article to HN and having a link in the article saying "Discussion on Hacker News".


Why do you think you need any privacy statements at all?


Because the name field in a comment form is personal data in GDPR. IP address is also considered personal data in GDPR. And GDPR requires that we publish a privacy statement about how personal data is going to be stored/used/shared. I am not going to share this data with any party. But due to access logs and showing comments, this data is going to be saved on disk. A good template for a privacy statement can help a lot.

This is a solved problem for open source licenses. It would be great if there were something like that for privacy statements too.


IP addresses in themselves are not personal data but it is indeed a good idea to handle them carefully.

If you do collect personal data and are a stickler for the letter of the law, you can just state which personal data you collect and for what purpose. No-one will bother you if you are indeed only a small blog.


IP address seems to be personal data here: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

Many other articles I read also agree with the above.


We're diverging from your question here, but I'll stick to my previous comment: an IP address is not in itself personal data.

A more nuanced and realistic explanation may be found at [1] (UK GDPR is the same as EU GDPR, but Brexit...).

That does not really help with your question, though. Again, if you clearly state what is collected and why, you should be more than fine.

[1] https://ico.org.uk/for-organisations/guide-to-data-protectio...


> We're diverging from your question here, but I'll stick to my previous comment: an IP address is not in itself personal data.

IP addresses are within scope of GDPR, period.

Source: I hold CIPP/E certification


Thanks! May I ask how you would handle this scenario: a blog has a commenting feature where users can type in their name (possibly full name) and a comment. There is no user registration or email address collection/verification. Any user on the internet can type in a name (an anonymous name or a real name like Bob Yan) and their comment and submit it. Web server access logs are kept on the server for 30 days.

Does it fall within the scope of GDPR? If yes, then how is the right to have personal data erased implemented? How would you process a request from someone with the name Bob Yan asking you to delete all comments posted by 'Bob Yan' on your website? Without a user registration or an email, how would you verify that the Bob Yan contacting you is the one who posted all those comments? This part seems to be very confusing. I'd appreciate any knowledge or tips you can share about this.


If the blog is purely for personal/household use, it would be entirely exempt from the GDPR per Article 2(2)(c) GDPR.

Otherwise, it falls within the scope of the GDPR even re the access logs if IP addresses are logged.


Thanks for the answer! The blog has visitors from other geographic locations (both in the EU and outside the EU). Those visitors also post comments with their names included in the comments. Those comments are then made available on the internet. So I am doubtful whether it falls into the purely personal use category.

https://gdprhub.eu/Article_2_GDPR says:

> According to Lindqvist in particular, the publication of personal data on a blogging site made available to an unlimited number of people would 'obviously' not be subject to the household exemption.

For now, let us assume that the commenter name and IP addresses fall within the scope of GDPR. Do you have any comments about how the right to erasure would be implemented in the scenario I described in my comment above?


The right to erasure is not absolute; there is no basis to request erasure of web server access logs, for example.


Yes, a blog cannot claim to be "purely for personal or household use" because it is an online publication and so the GDPR applies.

I think you are falling down the "GDPR rabbit hole" here, though. As said, for a personal blog the most probable scenario is that no-one will care about your following the law strictly to the letter.

Now, you can reasonably argue that you have a legitimate interest in logging IPs and keeping them for a sensible duration for security audit purposes. So in any case, you can just inform visitors that you will log IPs for security/spam prevention purposes and move on.

Commenters do not necessarily have a right of erasure and, as you have said, you probably won't be able to check that requests are genuine anyway. So I think a sensible approach is not to worry about that until and unless you receive such a request, and then decide what to do to make your life the easiest possible. For instance, if one day someone claims to be the author of a comment and wants it deleted, you might decide to just delete it and move on, whatever the strict legal position and procedure might be.
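One concrete way to enforce the fixed retention window the thread talks about (the 30-day access-log retention in the question above, and the "sensible duration" in this reply) is shown below as an added example; it is not code from any commenter. It parses the timestamp of Apache/Nginx combined-format access log lines and keeps only entries younger than the window, dropping anything whose age cannot be established. The sample log lines, the reference time and the 30-day window are constructed for the example; on a real server logrotate usually does this job on the raw files, and this script only illustrates the policy.

```python
"""Enforce a fixed retention window on web server access log lines.

Added example for a small self-hosted blog: keep access log entries for a
declared period (30 days here) and discard everything older, so the stated
retention in the privacy statement is actually what the disk holds.
"""
import re
from datetime import datetime, timedelta, timezone

# Timestamp field of the Apache/Nginx "combined" log format,
# e.g. [06/Oct/2022:10:15:32 +0000]
_TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed sample lines (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2022:10:15:32 +0000] "GET /post/gdpr HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Sep/2022:08:02:11 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [30/Sep/2022:23:59:59 +0000] "GET /feed HTTP/1.1" 200 812 "-" "curl/7.81"',
    'garbage line without a timestamp',
]

# Fixed "now" so the example is reproducible (assumption for the demo).
REFERENCE_NOW = datetime(2022, 10, 6, 12, 0, tzinfo=timezone.utc)
RETENTION_DAYS = 30


def entry_time(line):
    """Return the entry's timezone-aware timestamp, or None if it cannot be parsed."""
    match = _TS_RE.search(line)
    if not match:
        return None
    return datetime.strptime(match.group(1), "%d/%b/%Y:%H:%M:%S %z")


def apply_retention(lines, now, days=RETENTION_DAYS):
    """Split lines into (kept, dropped) according to a retention window.

    A line is kept only if its timestamp is within `days` of `now`.
    Lines with no parsable timestamp are dropped: their age is unknown,
    so keeping them could silently exceed the declared retention period.
    """
    cutoff = now - timedelta(days=days)
    kept, dropped = [], []
    for line in lines:
        stamp = entry_time(line)
        if stamp is None or stamp < cutoff:
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


def prune_sample():
    """Run the policy over the constructed sample with the fixed reference time."""
    return apply_retention(SAMPLE_LOG, REFERENCE_NOW)


def prune_file(path, now=None, days=RETENTION_DAYS):
    """Rewrite a log file in place, keeping only entries inside the window.

    Returns the number of dropped lines. Intended to run from cron after
    logrotate has rotated the file, or instead of logrotate's age handling.
    """
    now = now or datetime.now(timezone.utc)
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [l.rstrip("\n") for l in fh]
    kept, dropped = apply_retention(lines, now, days)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("".join(l + "\n" for l in kept))
    return len(dropped)


if __name__ == "__main__":
    kept, dropped = prune_sample()
    print(f"kept {len(kept)} entries, dropped {len(dropped)} older than {RETENTION_DAYS} days")
    for line in dropped:
        print("  dropped:", line)
```

The cutoff is computed from a timezone-aware `now`, so log lines written with a non-UTC offset are compared correctly rather than by wall-clock string. Whatever number of days you put in the privacy statement should be the same constant used here.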


> IP addresses are within scope of GDPR, period.

This sentence does not mean anything.

The actual position regarding IP addresses as personal data is that "an IP address may be personal data if you are able to access additional information which enable you to identify the user behind the IP address", hence my previous statement. Unfortunately, this is often oversimplified (as tends to happen to any non-trivial issue) to "an IP address is personal data". It does mean, though, that one must be careful when handling IP addresses and may treat them as personal data by default as a belt-and-braces approach (as I already mentioned in my first comment), but that's not the same thing.


> may treat them as personal data by default as a belt and braces approach

I'm glad we agree.
