Thank you, that was an aspect I hadn't considered. That said, I'm not sure how much I agree with the conclusion of this particular answer. My understanding is that IP addresses are only considered personal data if they either uniquely identify a person (e.g. a static IP address), or can be joined with additional available data to uniquely identify (e.g. a dynamic IP address logged by somebody who also has logs on the dynamic IP assignment).
In addition, that there is an exception allowing the collection of personal data for legitimate interests without prior consent. While that has been erroneously argued to enable a business model (e.g. Facebook's ongoing collection), server security by applying IP address bans would be be a more solid case [1].
In addition, that there is an exception allowing the collection of personal data for legitimate interests without prior consent. While that has been erroneously argued to enable a business model (e.g. Facebook's ongoing collection), server security by applying IP address bans would be be a more solid case [1].
[0] https://www.whitecase.com/publications/alert/court-confirms-...
[1] https://law.stackexchange.com/questions/28603/how-to-satisfy...