Logs or connection logs are records of user activities, anomalies and events linked to the security of an IT environment (software, operating system, application, website, etc.).
Their retention is mandatory in certain cases and strongly recommended for security reasons. The objective is to guarantee the proper use of the IT system.
The French data protection authority, the CNIL, recommends that these technical logs or traces be kept for a rolling period of six months to one year, unless a legal obligation applies or you can prove that certain risks can only be covered by extending this period.
The following table summarises the recommendations:
| Type of logging | Minimum duration | Maximum duration | Conditions |
|---|---|---|---|
| "Standard" logging | 6 months | 1 year | |
| | 6 months | 1 year | The logs must not include personal data from the main processing operation |
| Logging of processing operations subject to "internal control" measures | 6 months | 3 years in the most common cases | Demonstrate the risk of misappropriation for the data subjects and have documented analysis and investigation procedures |
| Logging of processing operations with specific characteristics | 6 months | To be defined through a case-by-case analysis | Existence of a specific characteristic which may, for example, be a legal obligation to retain data, a specific purpose or a threat situation which justifies an extension |
What must be retained: at the very least, user access, including the user's identifier, the date and time of their connection, and the date and time of their disconnection.
In some cases, it may also be useful to keep details of the operations carried out by the user, the types of data consulted and the reference of the record concerned.