ODO24 Logo
ODO24 Logo
ODO24 Logo
GDPR questions and answers

GDPR: QUESTIONS AND ANSWERS

Category:
IT Security

Are logs personal data?

ANSWER

The Working Party, in Opinion 4/2007, states that a natural person can be considered identified if, within a group of persons, that individual can be distinguished from all other members of the group. This means that the ability to identify a person does not necessarily require knowing their name – it is sufficient to be able to indicate or single out that person from a defined group.

The definition of personal data as set out in the GDPR does not contain a closed list of personal characteristics. Instead, it specifies three cumulative qualifying criteria for the concept of personal data:

  • any information,
  • relating to a natural person,
  • who is identified or identifiable.

Taking into account the range of information that may be recorded in an event log (including IP addresses, geolocation data, user identifiers, activity timestamps, browser type, operating system, referrers, and site errors), the term ‘personal data’ should be interpreted broadly, including electronic information (location data, online identifiers), given technological progress and the resulting emergence of new tools enabling identification of the data subject.

This is consistent with the hitherto prevailing position, according to which the identifiability criterion should be assessed using objective criteria for recognising information as personal (although a tendency towards a narrower, subjective interpretation of personal data can be observed).

It is worth citing in this context the decision of the President of PUODO (DS.523.3908.2021), which states: “Pursuant to Recital 30 of the GDPR, natural persons may be associated with online identifiers – such as IP addresses, cookie identifiers – generated by their devices, applications, tools and protocols, or other identifiers, generated for example by radio-frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. Information connected with a specific person – even indirectly – conveys a message about that person. Accordingly, information relating to a person includes both information that refers to that person directly and information that refers directly to objects or devices but, through the possibility of linking those objects or devices to a specific person, constitutes information about that person indirectly.”

Show all
PreviousNext

Read also:

07 June 2026

Przygotuj się na atak phishingowy, nim będzie za późno

07 June 2026

TikTok a RODO w sektorze publicznym – czego urzędy mogą dowiedzieć się z niemieckich zaleceń dla instytucji

02 June 2026

Czy do spełnienia wymogów ustawy o krajowym systemie cyberbezpieczeństwa (KSC / NIS2) potrzebne jest Security Operations Center (SOC)?

Kalkulator wagi naruszeń

Sprawdź, które naruszenia wymagają zgłoszenia do PUODO

Receive a free package of 4 tutorials and 4 e-learning trainings
The controller of your data is ODO 24 sp. z o. o.
Are logs personal data? GDPR explained | ODO 24 | ODO 24