
GDPR Compliance FAQ

Learn how to be GDPR compliant when using the Limit Login Attempts Reloaded plugin.

May 5, 2021 | 3 Min Read

The free and paid versions of Limit Login Attempts Reloaded adhere to GDPR standards. Compliance is ensured through the display of a security message on the login screen (seen below).

[Screenshot: GDPR compliance message on the login screen of the Limit Login Attempts Reloaded plugin.]

This message can be toggled on or off on the plugin's Settings page. You may also edit the message and use shortcodes to link directly to your privacy policy page.

[Screenshot: GDPR settings and message fields inside the Limit Login Attempts Reloaded plugin.]

Frequently Asked Questions

1. Doesn't GDPR require explicit consent of the subject for collection or storage of personal data (including IP addresses, which GDPR considers personal data)?

No, it doesn't. GDPR does not make consent a mandatory requirement for all processing of personal data. Consent (Article 6 (1)a) is indeed one of the conditions that can be used to comply with the GDPR requirement that processing must be lawful, but it is not the only condition available to the controller to ensure lawful processing. There are alternatives: the text introducing the list of conditions says that "at least one of the following" must be satisfied.

All the conditions for lawfulness of processing are spelled out in Article 6 of the GDPR. One of the alternatives is Article 6 (1)f. It says it is legal to process personal data if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Logging IP addresses for the purpose of security is an extremely widespread practice. It is a legitimate interest to comply with standard security practices. It is the default, and most (all?) websites do this.

That is, it is legal to do this without consent.

2. Do you save any IPs of people who try to access my customers' sites or install any cookies? Do you transfer it to some server?

Yes, we save IPs locally in the free version and send them to our cloud in the paid version. We don't install any cookies, except for three in the dashboard: "llar_enable_notify_notice_shown", "llar_review_notice_shown" and "llar_menu_alert_icon_shown". These cookies fix AJAX-related issues for some customers with misconfigured sites. They don't track anything.

3. Can you provide me with a privacy or terms page to link in my privacy policy to be GDPR compliant?

You just need to turn on the GDPR message. This should be enough. If not, you can copy the explanation above and paste it into your policy directly. Here's the link to our GDPR policy.

4. If I use the free plugin, will the IP data reside only in the site's database?

Yes, the free plugin's IP data will reside only in the site's database.

5. LLAR used to have IP obfuscation, why did you remove it?

IP obfuscation was removed because a message is enough to be GDPR compliant. The obfuscation feature involves a lot of maintenance and is incompatible with our cloud service.

About the Author

Greg Fisher is the CMO and co-founder of Limit Login Attempts Reloaded, spearheading the company’s content and user acquisition.