Application logs capture request URIs, query parameters, and response bodies. In a legal SaaS, these often contain personal data: client names in URL slugs, phone numbers in query strings, case details in response bodies. GDPR requires a lawful basis and a retention policy for every category of personal data — including what ends up in log files.
Key Analysis
GDPR Article 5(1)(b) requires that personal data be collected for specified, explicit, and legitimate purposes. Logging personal data as a side effect of debugging is not a specified purpose.
Application log files are often, and incorrectly, excluded from Subject Access Request responses and data retention schedules. They are personal data records subject to the same rules.
Log files retained indefinitely (the default on many servers) create a compliance risk: the data in them often outlives its lawful purpose.
Risk Signals
Application logs that capture full request URIs including matter IDs, client names, or phone numbers.
No documented retention period for application log files.
Log files accessible to development staff without a documented legitimate purpose.
Action Items
Implement a production allowlist: define exactly which context fields may appear in production logs, and ensure all others are excluded at the logger level.
Set a maximum retention period for application logs (suggested: 30 days). Implement automated deletion.
Document application logging in your GDPR Article 30 records: purpose, data categories, retention period.
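The first two action items, as an added example that is not code from the original page: a logging filter that enforces a production allowlist at the logger level (every context field not on the list is removed from the record before any handler sees it, and the request path is reduced to its path component so query strings never reach the log), and a retention sweep that deletes rotated log files older than the retention period. The field names in PRODUCTION_ALLOWLIST, the assumption that rotated files carry ".log" in their name, the 30-day default and the sample request context are all constructed for the example; "route" is assumed to hold the framework's matched route template (for example "/clients/{slug}") rather than the raw URI, which is why the raw URI is not allowlisted.

```python
import logging
import os
import tempfile
import time
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist: the only request-context fields permitted in production log records.
PRODUCTION_ALLOWLIST = frozenset({"request_id", "route", "path", "status", "duration_ms"})

# Attributes every LogRecord carries regardless of context. Captured dynamically so the
# set matches the running Python version; "message"/"asctime" are added by the Formatter.
_STANDARD_ATTRS = frozenset(vars(logging.makeLogRecord({}))) | {"message", "asctime"}


def strip_query(uri: str) -> str:
    """Keep scheme, host and path only: query strings and fragments are dropped."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


class ContextAllowlistFilter(logging.Filter):
    """Remove non-allowlisted context fields and sanitise the path before handlers run."""

    def __init__(self, allowlist=PRODUCTION_ALLOWLIST, path_field: str = "path"):
        super().__init__()
        self.allowlist = frozenset(allowlist)
        self.path_field = path_field
        self.dropped = []  # field names removed so far, useful when reviewing the allowlist

    def filter(self, record: logging.LogRecord) -> bool:
        for name in list(vars(record)):
            if name in _STANDARD_ATTRS or name in self.allowlist:
                continue
            self.dropped.append(name)
            delattr(record, name)  # the field never reaches a handler or a file
        if hasattr(record, self.path_field):
            setattr(record, self.path_field, strip_query(str(getattr(record, self.path_field))))
        return True  # the record itself is kept, only its context is reduced


def sanitised_context(extra: dict) -> dict:
    """Build a record as logger.info(msg, extra=extra) would, filter it, return surviving context."""
    record = logging.makeLogRecord({"msg": "request handled", **extra})
    ContextAllowlistFilter().filter(record)
    return {k: v for k, v in vars(record).items() if k not in _STANDARD_ATTRS}


def purge_expired_logs(log_dir: str, max_age_days: int = 30, now=None) -> list:
    """Delete rotated log files whose mtime is older than the retention period."""
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    removed = []
    for entry in os.scandir(log_dir):
        if entry.is_file() and ".log" in entry.name and entry.stat().st_mtime < cutoff:
            os.remove(entry.path)
            removed.append(entry.name)
    return sorted(removed)


def demo_retention(max_age_days: int = 30) -> tuple:
    """Constructed fixture: two rotated files, 45 and 5 days old, swept with the given period."""
    log_dir = tempfile.mkdtemp(prefix="app-logs-")
    now = time.time()
    for name, age_days in (("app.log.1", 45), ("app.log.2", 5)):
        path = os.path.join(log_dir, name)
        with open(path, "w") as fh:
            fh.write("constructed log line\n")
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))
    removed = purge_expired_logs(log_dir, max_age_days, now=now)
    return removed, sorted(os.listdir(log_dir))


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter(
        "%(asctime)s %(levelname)s %(message)s id=%(request_id)s route=%(route)s "
        "path=%(path)s status=%(status)s"))
    logger = logging.getLogger("app.requests")
    logger.setLevel(logging.INFO)
    logger.addFilter(ContextAllowlistFilter())  # logger-level: applies to every handler
    logger.addHandler(handler)
    # Constructed request context: client_name and the raw uri are not allowlisted and vanish,
    # and the query string on path is stripped before the line is written.
    logger.info("request handled", extra={
        "request_id": "req-0001", "route": "/clients/{slug}",
        "path": "/clients/jane-doe?phone=07700900123", "status": 200,
        "client_name": "Jane Doe", "uri": "/clients/jane-doe?phone=07700900123",
    })
    print(demo_retention())
```

The filter is attached to the logger rather than a handler so the allowlist holds for every destination (console, file, shipping agent) at once; per-handler filters are easy to forget when a new handler is added. The `dropped` list is there to answer the question "what were we about to log?" during review, not to be written anywhere itself.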