now makes server log files GDPR-compliant hosting

Things have been really hectic here for a few weeks now. All the customers whose websites I look after are only now coming up with the idea that I could make their websites data-protection compliant because of the GDPR. Not only do you need a cookie notice and a corresponding data protection declaration, you also have to pay attention to things such as the storage of IP addresses in the server logs or in databases, because by default, web servers write an entry to a log file each time a page or a file is accessed, and in that entry the visitor's IP address is not anonymized. And exactly this is no longer allowed according to the GDPR and can lead to legal problems.

Server log options rarely available

In most hosting packages and even with managed servers, the customer has no control over how the logs are saved. For this reason, the matter is usually solved by adding a passage like this on the data protection page:

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

The type and version of browser used
The used operating system
Referrer URL
The hostname of the accessing computer
The time of the server inquiry
The IP address

This data is not merged with other data sources.

The basis for data processing is Art. 6 (1) (f) GDPR, which allows the processing of data to fulfill a contract or for measures preliminary to a contract.

From my layman's point of view (it should be noted, I am not a lawyer and cannot offer legal advice and I definitely do not want to do this) this is only a compromise, because even if you refer to it in the data protection declaration, the IP addresses are still saved at the hoster. I think it's kind of a legal gray area you're in with that. Since most hosting providers do not offer the customer the option of changing the server log files so that the IPs are not saved or only saved anonymously, it is perhaps the best compromise.

Anonymize server logs
In the hosting administration area you can now also activate the anonymization of the IP addresses.

I just got the message from my favorite provider (Why? Read here!) that I can now also influence the storage of the IP addresses via the settings in my admin area. The shop has once again proven that my long-term recommendation “Hosting wanted -> All-Inclusive!” is not wrong. In the corresponding settings field you can now choose from several options:

  • do not generate any logs (thus also no storage of the IP addresses)
  • IP addresses are set to ( becomes
  • the last two digits are set to 0 ( becomes
  • Generate complete logs (without anonymization)

The first three options are sufficient to be GDPR compliant. I would not recommend storing the complete logs, even if this is the best way to analyze the data.
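
For readers who run their own web server and have no such setting, the same kind of anonymization can be applied to the log lines themselves. The following is an added example, not code from the original post or from the hoster. It assumes combined-format access-log lines with the client address as the first field; the prefix lengths kept (24 bits for IPv4, 48 for IPv6) and the sample lines are constructed assumptions, since the post's own before/after examples are missing.

```python
import ipaddress

def anonymize_ip(text, v4_bits=24, v6_bits=48):
    """Return text with its host bits zeroed, or None if text is not an IP.

    v4_bits/v6_bits (prefix bits kept) are this example's assumptions.
    """
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is really an IPv4 client.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    bits = v4_bits if ip.version == 4 else v6_bits
    net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    return str(net.network_address)

def anonymize_line(line, v4_bits=24, v6_bits=48):
    """Rewrite the client field (first token) of one access-log line."""
    if not line.strip():
        return line
    host, sep, rest = line.partition(" ")
    masked = anonymize_ip(host, v4_bits, v6_bits)
    # A reverse-resolved hostname can identify a visitor too, so anything
    # that is not an IP address is replaced by "-".
    return (masked if masked is not None else "-") + sep + rest

# Constructed sample lines (documentation address ranges, not real visitors).
SAMPLE = [
    '203.0.113.77 - - [18/May/2018:10:00:01 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2001:db8:abcd:12:3456::1 - - [18/May/2018:10:00:02 +0200] "GET /a.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '::ffff:198.51.100.23 - - [18/May/2018:10:00:03 +0200] "GET /b.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    'dsl-77.provider.example - - [18/May/2018:10:00:04 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(anonymize_line(entry))
```

Only the client field is rewritten; addresses that appear elsewhere in a line, for example inside a query string or referrer, are not touched.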

What I still have to clarify with the provider is whether these functions are available in all hosting packages or only in the managed servers. Once I have received an answer to this, I will add it here.

Update 18.05.2018: As announced by the provider, this option is available for all hosting packages - from mini to managed server. / End of update

If you are still looking for hosting with a very good price-performance ratio and extremely good support, then I can really highly recommend the hoster. The support even responds extremely quickly to emails at night, and they don't brush you off when you have WordPress problems but actually give you helpful tips on which plugins could possibly trigger the current problem or where else the cause could lie.


18 Responses to “ now makes server log files GDPR-compliant”

  1. I can only confirm your opinion on ALL-INCL. Virtually nothing is left to be desired, the support is unbeatable and the price on top of that. 5 out of 5 stars :-)

  2. Yes, I can only confirm, all-inclusive is really great, I am annoyed afterwards because I was at STR * T * for a long time and had to deal with forced upgrades and permanent price increases! Just because I thought that a domain move was totally complicated and risky!
    Brief inquiry about the statistics or the new possibilities with AllInkl. Can I leave the access logs activated, or should I switch them off because of GDPR compliance ...?

    1. The access logs are also “affected” by the settings. So if you anonymize them, you are already on the safe side.

  3. For everyone's information: (1) Yes, all-inkl is definitely one of the best providers (I've been there myself for more than 6 years). (2) IMPORTANT / FYI: Regardless of what the customers set in their KAS with regard to IP storage, All-Inkl definitely saves the full IP address for 7 days (information from Business Support 5/2018). VG

    1. Hello Torben! Thanks for the interjection! I did not know that. But it makes perfect sense, if illegal things happen on a server, you can only take legal action against the person with the IP. VG!

      1. That's right, Dave! But there are several items "11" in the list. To make it simple: Point 11, which describes log file retention, is waaaay down below. So just scroll all the way down the page and you'll find it.

  4. Thanks for the article. Unfortunately, there is no indication of where to find the setting (under “Settings” -> “Logs & Statistics”).

    Unfortunately, I (and some colleagues) do not share the prevailing opinion here about all-inclusive. The servers are fast, no question. However, some of the standard functionalities are only moderately implemented (e.g. the horrible "PHP bridge" for cron jobs) and the support has not been remembered positively so far.

    1. You can actually see that in the screenshot, but ok. So it is again explicitly said where it can be found in the menu. I'll leave your criticisms as they are. I don't know what you mean with the PHP bridge... I get along well with the cron job settings and the support has been fast and competent with all my inquiries (and they are now certainly in the 20s to 30s range). I have experienced completely different times and answers with other hosters. If you have “WordPress” in the query with other hosters, you will usually be dismissed with the fact that the support is not responsible for WordPress. But ok, maybe you've had bad experiences. That can happen too.

  5. only has these options for your log files. Internally, the employees still have after my inquiry. The complete Ips are also deleted internally after 7 days. So it should be in the privacy policy, I think.

    1. That would make no sense for German data protection. No matter who logs the IPs, you have to specify it. But if you've talked to them, it will be like that. Only then could they give themselves the option with the anonymized logs ...

  6. Hello,
    if you choose not to create log files, you could delete the following in your data protection declaration, right?:
    Each time our website is accessed, the user's browser transmits various data.
    Browser type and version used
    Operating system
    Pages and Files Fetched
    Amount of data transferred
    Date and time of retrieval
    Provider of the user
    IP address in anonymous form
    Referrer URL

    And also the text for Openstreetmap:
    "By activating by clicking on "Show map" your IP address will be saved by the OpenStreetMap Foundation and data will be transmitted to Great Britain".
    would then probably also be unnecessary, or am I seeing this wrong?

    Regards, Anne

    1. Hello Anne! Yes, if you don't create any log files, you can probably delete the section. But what does this have to do with OpenStreetmap? I think if you embed an iFrame from this service, they can create the logs themselves.

  7. Hi Jens,
    It's about an entry service for gastronomy businesses (Wordpress plugin) on which operators can enter their businesses, which then displays the addresses via Openstreetmap, ergo not just a single ...

    Thanks and regards Anne

    1. Hello Anne! How many companies are displayed is actually irrelevant. As far as I know, it's more about the fact that OpenStreetmap could theoretically "fish" the user's IP and other data if he calls an iFrame where a map from OpenStreetmap is displayed. So it's not about the data of the catering establishments, but about the data of the visitor who calls up your site.

  8. Hi Jens,
    was my assumption, eg anonymize IP - no data transmission of this or only, ?.
    Theoretically, it should also work for other applications that forward IP addresses (e.g. ReCaptcha), right?
    Regards, Anne

    1. So if you hide it behind a "click" like "view map" then you can let the user know beforehand that when they click they agree to your privacy policy. But you can't set the IP address to, because the script in Recaptcha and OpenStreetmap has a direct connection to the user. You can no longer intervene.
