I looked into this at back when the GDPR came into effect [0]. I am not a lawyer but in summary:
Web sites are allowed to log data (including visitor requests and IPs) required for the smooth running of the site. It could be argued that keeping logs allows for trouble-shooting so web server logging is probably OK in most circumstances.
However, there is no reason to keep months/years of logs around. Having this data is actually a liability under the GDPR and you should be aggressively deleting logs after a few days.
Web sites are allowed to log data (including visitor requests and IPs) required for the smooth running of the site. It could be argued that keeping logs allows for trouble-shooting so web server logging is probably OK in most circumstances.
However, there is no reason to keep months/years of logs around. Having this data is actually a liability under the GDPR and you should be aggressively deleting logs after a few days.
[0] https://sheep.horse/2018/6/the_eu_general_data_protection_re...