For GDPR compliance, I'm trying to disable or delete the raw log files for my Web Hosting service. I looked at the OVH API (https://eu.api.ovh.com/console-old/), but the DELETE /hosting/web/{serviceName}/ownLogs/{id}/userLogs/{login} command seems to only delete the users that can view logs, not the archived logs themselves.
Is it possible to somehow delete the log files, or set a shorter retention time? And/or disable the generation of logs completely? If not, it seems that hosting a German GDPR compliant website is not possible on OVH Web Hosting, which would be a shame cause I need to find another provider.
Cheers, M
Typically, web server logs contain little personal information. Only the IP address could be considered personal data. It is stored on purpose.
A web server log must be kept securely and tamper-proof, and accessible only to authorized personnel.
It seems to me that OVH's offering meets this requirement. If IP address anonymization were possible, this log would be useless.
Hi,
This log is for technical & security reasons, so it's GDPR compliant as long as it's not stored indefinitely.
Best regards,
Dear both,
thank you for your replies!
Yes, the IP addresses in the log files can be considered personal data. It's clear to me that the logs need to be collected and retained for security reasons. "Technical and security reasons" therefore represent the "legitimate interest" to collect and retain the log files (GDPR §5).
However, collection of personal data also needs to be proportionate to the benefit/purpose received from collecting that data ("principle of proportionality", introduced in (4) of the preamble to the GDPR). In the given case, the gained advantage in security needs to justify retaining the non-anonymised IP addresses for a longer timeframe. The question which timeframe is appropriate (proportionate) in this context is apparently interpreted very differently between France where OVH is located - I have read timeframes between 3 months and 1 year (e.g. https://www.inkivari.com/blog/le-quizz-hebdomadaire-d-inkivari-7/rgpd-conservation-logs-connexion-cpce-cnil-1-an-34) - and Germany where I am located - here, the common opinion (based on court verdicts) is that storing non-anonymised IP addresses in log files for security reasons is permissible for just 7 days (!!).
This means that OVH as my data processor is storing non-anonymised IP addresses about 50x as long as I am permitted. It's impossible for me to justify this massively increased retention period just with an increase in security, i.e. what the concrete gains in security and technical understanding are by keeping full IP addresses for 1 year instead of anonymising them after e.g. 7 days (proportionality).
Currently, my options would be to
- lie in my GDPR statement, claiming that IPs in log files are retained for only 7 days or that no IP addresses are collected
- tell the truth in my GDPR statement, which is that visitor IPs are stored for 1 year (illegal in Germany). Unfortunately, I'm in a competitive environment where competitors are happy to send cease-and-desist letters for not complying with GDPR.
Thus, both options are not viable for me.
For me, the option to
- shorten the retention period to e.g. 7 or 30 days or
- anonymise the IP addresses in the log files after e.g. 7 or 30 days
would solve this problem. I understand that implementing this may not be easy, so I'd also be fine if there was an API call or other automated mechanism that I could trigger every 7 days to just delete my webserver log files.
Yes, I know that Germany is a pain with regard to data protection - unfortunately I have no means to change this. 🤦
Best regards, M.
Hi,
Technically, YOU are not choosing the retention time because, technically, you are not the administrator of the IT infrastructure (it's OVH). Since you are leasing a service (over which you have no control on the technical side), I think you just have to write in your GDPR statement that the retention is done by OVHCloud under the French laws (which require at least 6 months as far as I know; personally, I keep 12 months like before GDPR).
And a bonus for you: https://germanpolicy.com/2025/12/21/germany-plans-three-month-ip-data-retention-to-boost-cybercrime-investigations/
And for your information, if a police officer asks for logs (for a specific time within the timeframe of the law) and you cannot give them, the administrator of the service can be punished for that (in France).
Best regards,
I suggest that you host with Hetzner: https://docs.hetzner.com/general/company-and-policy/data-protection-at-hetzner/
Yeah, that's what I figured, I will probably need to host on a German provider. It really is a pity that OVH Web Cloud is not compatible with German GDPR (DSGVO) regulations, because other than that I'm satisfied with the product. And I'd like to support OVH in the OVH vs Canada data sovereignty issue.
I'm a bit surprised that GDPR and the German market are so unimportant to OVH that they never bothered to implement IP anonymisation or customer-defined retention periods for logs. After all, I found in the forum that the same issue with GDPR vs. log files was identified already eight years ago: https://community.ovhcloud.com/community/en/disabling-server-logs?id=community_question&sys_id=0f667184e5d286d02d4c0165b3e76639&view_source=searchResult
In any case, thanks for your input!
Hi,
It's pretty simple: OVH cannot anonymize IP addresses without violating French law for servers that are hosted in France.
Best regards,
Dear @janus57,
Your reply seems to have disappeared, but you pointed out that OVH is legally obliged by French law to keep non-anonymised IP addresses because it is a hosting service (hébergeur). This complicates things a bit, but it's important to point out that this aforementioned IP retention happens on OVH's behalf, so there is no reason why I as a customer of OVH should have access to OVH's own logs. Unfortunately, I therefore can't use this legal basis to justify why my website retains IP addresses for more than 7 (30) days.
So OVH needs to collect logs on its own behalf (non-anonymised, keep for 12 months) and may collect logs on behalf of its customers (retention period depends on legislation of customer). From a technical viewpoint, this probably means that logs would need to be stored in two locations, where the retention period of the OVH-internal logs is 12 months and the retention time of the customer logs is set by the customer based on their legislation, somewhere between 7 days and 1 year. I'd also be fine with not having access to the logs at all, so only OVH can read them.
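
The customer-side log copy discussed in this thread (mask IP addresses after a few days, delete entries after a customer-set retention period), sketched as an added example that is not part of any post and not OVH's code or API. It assumes Apache Combined Log Format, /24 and /48 truncation widths, and hypothetical function names; the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed format: Apache Combined Log Format (client address first, time in [...]).
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<mid>\S+ \S+) \[(?P<ts>[^\]]+)\](?P<rest>.*)$')

def anonymise_ip(ip_text):
    """Zero the host part: keep /24 for IPv4 and /48 for IPv6 (assumed widths)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "0.0.0.0"  # not a literal address (e.g. a hostname): drop it entirely
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def apply_policy(lines, now, anonymise_after_days=7, delete_after_days=365):
    """Return the customer-visible copy: expired lines dropped, old IPs masked."""
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: fail closed rather than retain unknown data
        age = now - datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if age > timedelta(days=delete_after_days):
            continue  # past the retention period: delete
        ip = m["ip"]
        if age > timedelta(days=anonymise_after_days):
            ip = anonymise_ip(ip)  # past the raw-IP window: mask in place
        kept.append(f'{ip} {m["mid"]} [{m["ts"]}]{m["rest"]}')
    return kept

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.77 - - [01/Mar/2025:10:00:00 +0100] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:12:34:56:78:9a - - [20/Mar/2025:09:30:00 +0100] "GET /a HTTP/1.1" 200 100',
    '198.51.100.9 - - [27/Mar/2025:08:00:00 +0100] "GET /b HTTP/1.1" 404 0',
    '192.0.2.5 - - [01/Jan/2024:00:00:00 +0100] "GET /old HTTP/1.1" 200 1',
]
NOW = datetime(2025, 3, 30, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for out in apply_policy(SAMPLE, NOW):
        print(out)
```

Only the client address field is masked here; query strings, referrers and user agents in the rest of the line can also carry personal data and would need their own handling.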