Support

This is incorrect. GDPR only governs the collection and processing or personally identifiable information. The IP information collected by Admin Tools is not linked to a user session, therefore it is already anonymized. This is true for all kinds of log files.

Moreover, the IP address cannot be considered a piece of personally identifiable information anyway since its provision to the server is absolutely necessary for the server to respond. Therefore it can be argued that the action of the user visiting the site is voluntary provisioning of non-identifiable information.

Remember, GDPR does not prevent you from collecting anything at all from your users. It only governs PERSONALLY IDENTIFIABLE information which are either publicly available or used for taking business decisions (e.g. changing the price beyond what VAT and other relevant tax laws define) and only if removing the information does not run afoul a different law e.g. you can't delete someone's invoicing information for a decade or more depending on where your business is based. In this sense, even this ticket would not fall into the GDPR provisions if we were to make it private as it's no longer public information and it is not the subject of information processing.

Yeah. GDPR. Welcome to hell.

This is not exactly the case. The crux of the issue lies in this VERY IMPORTANT paragraph:

The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:



a. there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and

b. the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.

YOU DO NOT HAVE the "legal means" in section b and the IP address stored by Admin Tools is NOT linked to the actual user session.

And I quote:

If a business collects and processes IP addresses, but has no legal means of linking those IP addresses to the identities of the relevant users, then those IP addresses are unlikely to be personal data. However, businesses should note that if they have sufficient information to link an IP address to a particular individual (e.g., through login details, cookies, or any other information or technology) then that IP address is personal data, and is subject to the full protections of EU data protection law.

Therefore, in this case, the IP collected by Admin Tools is NOT personal information. It would become personal information if you collected the IP address when the user performed a transaction on your site. However, collection of such information is either required by law (to verify the tax residency per the EU VAT directive) or is expressly stipulated in your site's GDPR compliance page (like this) which you have to make people accept when creating an identifiable account on your site. Furthermore, if the user voluntarily discloses personally identifiable information in a session, e.g. to file a contact form when they have no reasonable expectation of anonymity owning to the fact that they demand they be contacted based on the submitted information, you have their de facto acceptance of the use of their personal information in the context of the transaction they originated, i.e. you are not in violation of the GDPR. Finally, since the Joomla user sessions are transient and DO NOT store the IP address of the user the whole point is moot for regular user logins since you can not positively link the IP address of a user to them since no such information is stored on your system.

I am not a lawyer but I do understand that context makes all the difference. If IP addresses were personal information period the Internet would be illegal for the simple reason that perusing the IP address is a requirement to fulfilling the HTTP request of the user even if your response was just "are you sure you want me to store your IP address". So please do ask your lawyer to be far more precise in what he tells you.

And I will close off with the final paragraph of the linked article:

In addition, businesses should note that Recital 26 to the recently adopted EU General Data Protection Regulation ("GDPR") states that the test for whether a person is "identifiable" (considered in detail above) depends upon "all the means reasonably likely to be used" to identify that person. The CJEU in Breyer did not directly consider the issue of likelihood of identification. If the BRD was not reasonably likely attempt to identify Mr Breyer from his IP address, this could potentially give rise to a different analysis under the GDPR.

In other words, since you are not likely to identify your users from their IP address -and you indeed have no reason or intent to do so- collection of their IP addresses does not fall under the GDPR's provisions for the collection of personal information.

Please do exercise common sense. I thought that we have already gone through the full round of paranoia and misconceptions with the cookie law which was NOT the end of the Internet and no, it did NOT make logging in illegal by any means. The GDPR is enacted to allow people to have access to and control their personal information stored by companies. If I ask you to give me all the information you have on me you CAN NOT go from "this is my username" to "this is the list of your IP addresses we have stored". This is the first test for whether the data falls under the GDPR. If you can't do that in a reasonable manner the information stored is NOT personally identifiable.