May I log visitor IP addresses?
An IP address is personal data (CJEU Breyer, 2016). Logging for security is allowed under legitimate interest. For analytics: only with consent + anonymisation.
An IP address has counted as personal data since the CJEU Breyer ruling (C-582/14, 2016); this applies to both static and dynamic IPs. Processing falls under the full GDPR.

Allowed logging:
(1) Security (Art. 6(1)(f) legitimate interest): anti-DDoS, anti-fraud, intrusion detection. Retention of 30-90 days is typical.
(2) Legal obligation (Art. 6(1)(c)): e.g. email servers must keep IP logs for anti-abuse.
(3) Debugging: briefly, during debugging.

NOT without consent: analytics, marketing, profiling.

Anonymisation: a /24 or /16 mask (last 8 or 16 bits = 0) makes the IP less identifying, which is usually sufficient for analytics (Google Analytics IP-masking, Matomo's "anonymize IP" setting). But it is NOT fully anonymous in the CJEU sense: combination with other data can re-identify.

For your rights: under Art. 15, ask whether your IP is logged and how long it is retained. Many sites can't answer this = GDPR non-compliance.

Tip for website owners: log only what you need for security. Cloudflare and similar CDNs log a lot without your knowledge; check their privacy policy and DPA.
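
An added example (not from the original page) of the /24 and /16 masking described above, applied to access-log lines, together with a retention filter for the full-IP security log. The log format, function names and sample lines are constructed; the IPv6 /48 prefix and the handling of IPv4-mapped addresses go beyond what the page states and are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in common log format (documentation address ranges).
SAMPLE = [
    '203.0.113.77 - - [01/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '::ffff:198.51.100.9 - - [15/Jan/2024:08:30:00 +0000] "GET /a HTTP/1.1" 200 90',
    '2001:db8:abcd:12:1::5 - - [28/Feb/2024:23:59:59 +0000] "POST /login HTTP/1.1" 401 0',
]
# group 1 = client field, group 2 = rest of line, group 3 = timestamp
LINE_RE = re.compile(r'^(\S+) (.*?\[([^\]]+)\].*)$')


def mask_ip(addr, v4_prefix=24, v6_prefix=48):
    """Zero the host bits: /24 or /16 for IPv4 as on the page; /48 for IPv6 is an assumption."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d would otherwise keep the full IPv4 address
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def analytics_view(lines, v4_prefix=24):
    """Copy of the log for analytics: client field replaced by the masked address."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # fail closed: an unparsable line never reaches analytics
        try:
            out.append(f"{mask_ip(m.group(1), v4_prefix)} {m.group(2)}")
        except ValueError:
            continue  # client field is not an IP address (e.g. a hostname): drop the line
    return out


def security_view(lines, now, retention_days=90):
    """Full-IP log for security use: keep only lines inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z") >= cutoff:
            kept.append(line)
    return kept
```

Masked lines are still personal data when they can be combined with other fields such as user agent or session ID, which is the re-identification caveat stated above.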