Does GDPR apply to server logs?


This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.

Short answer

Yes! But you don’t need to delete them if someone requests you to delete their data.

Long answer

From a legal perspective, server logs fall under the category of “things we must be able to do so that we could actually provide our service for you.

In the Privacy Policy template that comes with The WordPress GDPR Framework, there is the following clause:

We use your personal data to:

  • provide our service to you.

So this covers that.

However, GDPR still applies to logs. You are still responsible for any personal data in the logs and all the bad things that could happen to it. Store as little data as possible in the logs, make sure it is hidden from anyone who doesn’t need to see it and get rid of all sensitive data there.