
GDPR and Your Nginx Logs — What PII Are You Accidentally Logging?
Most developers know GDPR applies to their databases and forms. Few realise their nginx access logs may already be GDPR non-compliant — logging personal data without consent, no retention policy, no protection.

Here is what your default nginx log line looks like:

    185.22.30.11 - - [26/Mar/2026:08:20:00 +0000] "GET /reset-password?token=abc123&email=john.doe@example.com HTTP/1.1" 200 512

You just logged an email address. That is personal data under GDPR Article 4. And it is sitting in a plaintext file on your server.

What PII Ends Up in Nginx Logs?

1. Email addresses in query parameters

Password resets, magic links, email verification — all commonly pass email as a URL parameter:

    GET /verify?email=user@example.com&token=xyz
    GET /unsubscribe?email=user@example.com
    GET /invite?ref=user@example.com

2. Names and usernames in URLs

    GET /profile/john.doe
    GET /u/jane_smith/settings
    GET /invoices/acme-corp-march-2024

3. Session tok
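To find out how much of this is already in your existing access logs, the following added example (not part of the original article) parses nginx combined-format lines, flags query parameters that carry email addresses or secrets such as reset tokens, and emits a redacted copy of each line. The parameter names treated as secrets and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Prefix of the nginx "combined" log format; referer and user agent may follow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')
# Assumed parameter names that carry secrets; redacted regardless of value.
SECRET_PARAMS = {'token', 'code', 'key', 'session', 'sid', 'access_token'}

def scan_line(line):
    """Return (findings, redacted_line). findings is a list of (param, kind)
    pairs where kind is 'email' or 'secret'. The client IP is personal data
    too but is left untouched here; mask it separately for retained logs."""
    m = LOG_RE.match(line)
    if not m:
        return [], line          # not a combined-format line; pass through
    target = m.group('target')
    path, sep, query = target.partition('?')
    findings, kept = [], []
    for chunk in (query.split('&') if query else []):
        name, _, value = chunk.partition('=')
        if name.lower() in SECRET_PARAMS:
            findings.append((name, 'secret'))
            kept.append(name + '=[REDACTED]')
        elif EMAIL_RE.match(unquote_plus(value)):   # catches user%40example.com too
            findings.append((name, 'email'))
            kept.append(name + '=[REDACTED]')
        else:
            kept.append(chunk)                      # untouched, still percent-encoded
    new_target = path + (sep + '&'.join(kept) if sep else '')
    return findings, line.replace(target, new_target, 1)

def audit(lines):
    """Count lines that leaked PII or secrets and return the redacted log."""
    hits, redacted = 0, []
    for line in lines:
        findings, clean = scan_line(line)
        hits += bool(findings)
        redacted.append(clean)
    return hits, redacted

# Constructed sample lines, including the one from the article.
SAMPLE_LOG = [
    '185.22.30.11 - - [26/Mar/2026:08:20:00 +0000] "GET /reset-password?token=abc123&email=john.doe@example.com HTTP/1.1" 200 512',
    '10.0.0.7 - - [26/Mar/2026:08:21:13 +0000] "GET /verify?email=user%40example.com&token=xyz HTTP/1.1" 302 0',
    '10.0.0.8 - - [26/Mar/2026:08:21:40 +0000] "GET /healthz HTTP/1.1" 200 2',
]

if __name__ == '__main__':
    hits, redacted = audit(SAMPLE_LOG)
    print(f'{hits} of {len(SAMPLE_LOG)} lines contained PII or secrets')
    print('\n'.join(redacted))
```

Run it over a real access.log with `audit(open('access.log'))`; the hit count tells you whether the problem exists before you change any nginx configuration.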
Continue reading on Dev.to DevOps




