I'm running a small, static, non-commercial website (http://t3x.org) and I'm currently investigating options for dealing with the new General Data Protection Regulation, which looks like a minefield to me that opens the door for all kinds of dubious C&D letters.<p>So far I have thought about:<p>- contacting a lawyer to work out a proper data privacy statement, but I don't think I can afford this<p>- deactivating the server logfiles so that the site <i>really</i> does not store any user-related data (is this really safe?)<p>- shutting down the site (currently most probable)<p>How do you deal with the situation?
Do I understand correctly that your concern is about the logs? You can set up an Amazon S3 static website, and no logs will be collected, unless you enable it. The first year is free, and after that it's pennies a month. I use this, plus Route 53 DNS, and my total bill each month is ~ $0.54 (US), with $0.51 for Route 53.<p>If you need other options to cut cost, freedns.afraid.org offers free subdomains under ~68000 second level domains.
A few alternatives:<p>* Move your site to Github, it is free and you get a domain like your_username.github.io. Works great for static websites.<p>* With less than $100 per year you can buy a .com domain name from a US registrar and a cheap VPS on DigitalOcean or Linode, chose a VPS from US or some other now European jurisdiction.<p>* Another free approach, host it on Azure see <a href="https://buildazure.com/2016/08/25/free-website-hosting-in-microsoft-azure/" rel="nofollow">https://buildazure.com/2016/08/25/free-website-hosting-in-mi...</a> for an example.
This is just my own methodology that I have always followed for my own person hobby sites, but I don't imagine many people do this, nor would they, nor should they.<p>I log access to a ram disk and truncate the logs daily. If I start having issues that require keeping logs, I rsync to a secure location or rotate until x percentage of ramdisk is full.<p>My machines boot up and bootstrap their static content, cgi scripts, etc, from a git repo over a VPN link. They dynamically format a data volume using a long random key that I have no knowledge of. The end goal being ephemeral and cattle. If I need to back up anything in a data volume, I do so over a VPN link.<p>Again, this is just my lunatic method and has never been tested in a legal case. I could argue a thousand reasons to not use my methods and only a few hundred to use them.
I see your hoster has plans for a dataprocessing agreement, I'd look into that: <a href="https://www.manitu.de/unternehmen/eu-datenschutz-grundverordnung-dsgvo/" rel="nofollow">https://www.manitu.de/unternehmen/eu-datenschutz-grundverord...</a> (should be easy enough, and answers on what basis they store your logs)<p>If your hoster allows you to change whats in the log files you could look into that too (e.g. don't log full IPs, or delete them after 2 weeks and only keep unpersonalized access logs longer: right now it's not entirely clear from the purposes you list why you need to keep IPs at all).<p>Not sure if you're supposed to have a German version too, despite your site being in English. (unrelated to GDPR)