I run a simple static site on top of nginx. I don't set any cookies. The two things I collect are 1. I use Google Analytics and 2. server logs.
Do I really need to create a "privacy policy" and "terms of use" page and show every user a GDPR message? It feels overkill to me given that I collect nothing as far as I can tell. I don't even look at GA and could remove it if I need to.
If you do not need GA why use it? It is a separate connection your visitors browser needs to open and it is a connection to a third party. If you want analytics, there are some privacy options, for example Umami. See also here: https://github.com/0xnr/awesome-analytics
You could also disable the Nginx logs from logging IP addresses and then you should be fine.
Maybe adding a simple site saying that you do not retain any IPs or other information, you can prevent these emails in the future.
Edit: Nice looking website.
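As an added illustration of the "stop logging IP addresses" suggestion above (this configuration is mine, not the commenter's, and assumes it sits inside the `http { }` block of a standard nginx.conf with the default PCRE-enabled build), the following defines an access log that either truncates the client address or leaves it out entirely:

```nginx
# Added example, not from the thread: anonymised or address-free nginx access log.
# Assumed placement: inside http { } in nginx.conf.

# Map the client address to a truncated form. IPv4 keeps the first three
# octets (last octet zeroed); IPv6 keeps the first two hextets; anything
# else collapses to 0.0.0.0. The map is evaluated lazily, only when a
# log line is written.
map $remote_addr $remote_addr_anon {
    ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
    ~(?P<ip>[^:]+:[^:]+):       $ip::;
    default                     0.0.0.0;
}

# Format 1: same fields as the stock "combined" format, but with the
# truncated address in place of $remote_addr.
log_format anonymised '$remote_addr_anon - - [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

# Format 2: no client address at all, which is what "disable logging IPs"
# literally means. Enough for counting hits and spotting broken links.
log_format noaddr '[$time_local] "$request" $status $body_bytes_sent';

server {
    listen 80;
    server_name example.invalid;   # placeholder hostname
    root /var/www/html;            # assumed document root

    # Pick one of the two formats defined above.
    access_log /var/log/nginx/access.log anonymised;
}
```

Two caveats worth keeping in mind: the `error_log` directive is unaffected by `log_format` and still records the client address in many messages, so lower its level or accept that it holds IPs; and `$http_referer` and `$http_user_agent` can themselves be identifying, so drop them too if the goal is a log that holds nothing about a person.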
If you are outside of the EU (e.g. US), I'd say the simplest is to ignore.
Frankly, even if you are in the EU I would probably ignore that email if it's from some random person.
My name is #REDACTED#, and I am a resident of Roanoke, Virginia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:
Would you process a GDPR data access request from me even though I am not a resident of the European Union?
Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
What personal information do I have to submit for you to verify and process a GDPR data access request?
What information do you provide in response to a GDPR data access request?
To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding 2uo.de, I kindly ask that you forward my request to them.
I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.
You need to have a privacy policy, legally (nobody will really care if you're just having a private blog). Take a look at mine: https://www.2uo.de/privacy/ (but this is without GA). If you have server logs and Google Analytics, you'd write that you need the logs for problem debugging and Google Analytics to improve your web site. Both are legitimate interests, and you don't need any kind of pop-up or so.
Removing GA is a good idea anyway, if you don't really use it (like most small private blogs who implement it, just because it's easy – I used to do that, too).
If you have readers in the EU and/or you are living in the EU, you are required to have a privacy policy.
This (https://www.iubenda.com/en/help/8385-gdpr-for-bloggers) article and this (https://adventurebagging.co.uk/2018/05/gdpr-guide-for-blogge...) look like a good read.
You could also be required to have data processing contracts.
Some local privacy protection offices have good information about GDPR for small blogs and sometimes you can even ask them directly.
no legal advice
Trying to avoid google analytics personally, but as you added them to your site you need a policy. You are the custodian and are sharing information to google through you. As you are the Data Controller: https://www.gdprsummary.com/gdpr-definitions/data-controller....
https://piwik.pro/blog/is-google-analytics-gdpr-compliant/#2...
Depending on the information logged by your nginx server, you may also need a policy. IP for instance is one thing you might need to cover.
I think you also have to provide a postal address on the website (I think that also applies without gdpr)
https://www.termsfeed.com/blog/privacy-policy-contact-inform...