Sorry for the delay, I got the notification of your answer only now.
It really depends. Have a look at the requirements of GDPR. It relies on principles, not “simple” rules. It’s impossible to say “you can do this” or “you can’t do that”.
The basic principle is that:
- When you log personal data, you have to tell the users, and explain why you do it. “Personal” is quite a wide idea. IP is personal data. Id and address also.
- If this personal data is not required for your site to work, you need the acknowledgment of the users before logging it. Except if you consider that there is a legitimate reason to do so. Legitimate is not simple to decide. Logging the address of someone who ordered something from you in an online store is legitimate: you need it. Logging the id of someone modifying some information in a backend is legitimate: you need a trace of who did what. It’s up to you to decide what is legitimate or not.