The GDPR requires logging in many places. Log data is an important component of technical and organizational measures (Art. 32 GDPR). However, it should be noted that log data itself is personal data and must therefore be protected under data protection law.
Purpose of log data
Log data is recorded so that it can be traced who had access, and when, to something to which access must be regulated. This can be access to hazardous materials as well as to an electronic system with sensitive data or simply access to a building with a transponder for employees.
If inconsistencies then arise, it can quickly be clarified who had access last. In data protection, it is particularly important to identify unauthorized access or vulnerabilities.
In the context of Art. 32 I GDPR, log data is a technical and organizational measure for the security of processing. If a data breach of a physical or technical nature occurs, it can be determined who last had access. This is often the key to restoring access to the personal data, e.g. if it was an employee's oversight.
Log data as personal data
However, the fact that log data shows who had access to what and when also means that log data itself is personal data. It is therefore also subject to the protection of the GDPR.
Collection
Section 76 I BDSG contains regulations on how log data is collected. Accordingly, in automated processing systems, the processing operations of collection, modification, retrieval, disclosure including transmission, combination and deletion must be logged. However, the collection of log data containing the data listed in Section 76 I BDSG in turn requires a legal basis, e.g. from the GDPR.
Deletion
This data is to be deleted at the end of the year following its generation (Section 76 IV BDSG). According to the principle of purpose limitation, deletion also takes place earlier if the purpose of processing no longer applies.
Principles for the processing of personal data
All other principles of the GDPR for the processing of personal data (Art. 5 GDPR) naturally also apply to log data. Thus, only data that is actually necessary may be collected (data minimization). In addition, log data must always be protected against loss, destruction, manipulation and unauthorized access (integrity and confidentiality).