GDPR discussion thread

Could you not go back and just give them an arbitrarily high number, say, 10 years? To the point that everyone will have long forgotten.

You could also try to argue, say, 5 years from the last point of contact, as banned accounts after that time are likely to never be wanted nor missed, and that you have a legitimate interest in retaining the data for that period. If a banned user frequently contacts you, it suggests they are attempting to undermine the ban from your site and thus you need the data to keep them off your system.

That doesn't really work though does it? Say they email you, the account in XF has no record of that. Short of manually adding some sort of note to an account and somehow keeping track of them all it doesn't work.

We're happy with removing all email addresses and dobs from accounts that have been banned for 5 years. It's still not easy to do this though, even manually.
 
If your retention period is 5 years, why do you need to manually edit the users, one by one? Why not just use the batch update tool to delete them? If there is a need to not retain the data for that long, what is the benefit of keeping those accounts at all?

What happens to posts from users whose accounts are deleted? What username is shown on those posts?

I wouldn't consider it a good idea to "free up" a username again from a notorious banned user and allow someone else to register as it. That on its own has the likelihood to cause lots of issues.
 
We have 29,339 banned accounts with a last visit of 5+ years ago. The reason to keep banned accounts is so that there is a flag in the registration moderation queue to say the user shares an IP with a banned member. Questionable how useful this is with very old accounts when IP addresses are changing generally more than every 5 years !!
But we can also cross reference user names and email addresses with old accounts to check up on current members if there is something suspicious going on.
 
Forgive me if I'm misunderstanding the issue here - but isn't that exactly the point?

Someone emails you asking about the data you hold on them under a GDPR request. You check but their email address doesn't exist in the system (because their account has been deleted). Thus, the data you hold on them (now) is exactly "none" - which is exactly the desired outcome (for them), right?
 
Nope.

Say our policy is to delete data 5 years after their last contact as Slavik suggested rather than their ban date (which is what I was working from).

They get banned in 2018.
They contact us by email in 2019 to pester about getting unbanned.

Their account shows their last activity as 2018, meaning we'd remove their data in 2023. But they contacted us in 2019 which would push it back to 2024, there's no easy way to associate that information to their account. That's why using their last contact date doesn't really work and something automated from ban date would be better.
 
The point of my suggestion is to basically kick the can down the road infinitely, and if you can get the ICO to agree to that, would be a glorious win for forum owners.
 
Yep but there's no way to track it within XF. How do you record that and then action based on it? Should Stu keep a spreadsheet with the date that those 20,000 users last contacted him? And then check that spreadsheet every day to see if the 5 years are up?
 
Well, more one of those, if they agree that's reasonable, then making a change to accommodate it wouldn't be too difficult imho.
 

Excellent; yet a period of time nearer the heat-death of the universe might be reasonable, on the grounds you never want them back and you need to have some point of reference.



Anonymized some chap yesterday --- and dear God, why can't people just fade away, as it was in the old days --- and since all names are changed to 'ex-user' etc. etc., the only record of his username and of his death-wish to be liquidated is on the notification email of that request.

I won't want him back, and I certainly won't remember his name after the usual rites of forgetfulness.
 
This was their reply:

The ICO is not able to provide a considerable time guideline for an organisation to retain data. The GDPR does not dictate how long you should keep personal data; it is up to you, as the organisation, to justify this, based on your purposes for processing and why you need to keep personal data in a form that permits identification of individuals. You are in the best position to judge how long you need it.

You should consider any legal or regulatory requirements, and relevant industry standards or guidelines. For example credit reference agencies are permitted to keep consumer credit for six years.

The approach you take should be proportionate, balancing your needs with the impact of retention on individuals' privacy. The retention period should be fair and lawful.

Finally, the countdown for a retention period would be, using your example of banned accounts, from the date the account was banned and you would explain to the individual requesting their information to be deleted that it is kept for XXX amount of time and justify why.

The retention period for the banned accounts can be different from the retention period for closed accounts. It is important to note that once the retention periods are set, they are to be clear within your privacy policy.

Bottom line seems to be it's up to us what we do but we need to do something and it'd be great if XF could help in that somehow.
 
Very cute.

I've just been reading up on Jury Nullification --- for which I have no opinion either way --- and the consensus in the American Legal System seems to be that it is wholly lawful; but it is punishable to actually do so. Schrödinger's Jury in the box.


And all I ask is a tall ship and a star to steer her by
 
In fact I believe the requirements are worded along the lines of "unsubscribing must not be more difficult than subscribing".

I wish Hostgator had to follow this rule. It's a damned lot of trouble canceling a hosting account with them. Never again.
 
It'd be great if we could get a response to this as it seems to be one of the areas lacking from the XF core in terms of GDPR.

I'd even be happy with an SQL statement that removed email addresses and dates of birth for any account that is banned and whose last activity is more than 5 years before today's date.
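As an added example, not code from this thread or from XenForo itself: a MySQL script along the lines of the request above, with the retention countdown started from the ban date as the ICO reply earlier in the thread describes, and with the username left in place so it cannot be re-registered. It assumes the standard XenForo tables xf_user (is_banned, last_activity, email), xf_user_profile (dob_day, dob_month, dob_year) and xf_user_ban (ban_date, end_date, with 0 meaning no expiry) and Unix-timestamp date columns; the 5-year window and the placeholder address are choices, not XenForo conventions. Check the names against your own schema and take a backup before running the UPDATE.

```sql
-- Added example (not from the thread or XenForo). Table and column names are
-- assumed from a standard XenForo install; verify against your schema first.
-- Retention window: 5 years, counted from the ban date per the ICO reply.
SET @cutoff := UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 5 YEAR));

-- 1. Dry run: list what would be touched before changing anything.
SELECT u.user_id, u.username,
       FROM_UNIXTIME(b.ban_date)      AS banned_on,
       FROM_UNIXTIME(u.last_activity) AS last_seen
FROM xf_user u
JOIN xf_user_ban b ON b.user_id = u.user_id
WHERE u.is_banned = 1
  AND b.end_date = 0                 -- permanent bans only (assumed: 0 = no expiry)
  AND b.ban_date < @cutoff           -- banned more than 5 years ago
  AND u.last_activity < @cutoff      -- and not seen since, either
  AND u.email NOT LIKE 'removed-%@retention.invalid';  -- skip rows already done

-- 2. Minimise: replace the email with a unique, non-deliverable placeholder
--    (the .invalid TLD is reserved and never resolves, and per-user_id values
--    avoid any uniqueness constraint on the column) and zero the date of birth.
--    Username, ban record and posts stay, so the name cannot be re-registered.
UPDATE xf_user u
JOIN xf_user_ban b     ON b.user_id = u.user_id
JOIN xf_user_profile p ON p.user_id = u.user_id
SET u.email     = CONCAT('removed-', u.user_id, '@retention.invalid'),
    p.dob_day   = 0,
    p.dob_month = 0,
    p.dob_year  = 0
WHERE u.is_banned = 1
  AND b.end_date = 0
  AND b.ban_date < @cutoff
  AND u.last_activity < @cutoff
  AND u.email NOT LIKE 'removed-%@retention.invalid';

-- 3. Verify: the same filter should now match nothing.
SELECT COUNT(*) AS still_pending
FROM xf_user u
JOIN xf_user_ban b ON b.user_id = u.user_id
WHERE u.is_banned = 1
  AND b.end_date = 0
  AND b.ban_date < @cutoff
  AND u.last_activity < @cutoff
  AND u.email NOT LIKE 'removed-%@retention.invalid';
```

Run step 1 on its own first and read the list; once you are happy with it, steps 2 and 3 can be scheduled (a nightly cron job, for instance) so the retention period is applied automatically rather than by hand. Because this writes to the tables directly rather than through XenForo's own user handling, rebuild any user caches afterwards as you would after any direct database edit, and keep the retention period you chose stated in your privacy policy, as the ICO reply asks.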
 
I am looking for German GDPR documents that I can include into my website and pages. I found this one and wonder if it is recommended to use such a template? Or do I have to create my own?
 
Well, if what the other German members have been posting isn't hyperbole, you need to go hire a lawyer to draft them for you.
 
Hi, I received this unusual request from a member, who has no forum content, not one post.

I hereby withdraw my consent for you to collect, process or store any
personal data related to, and belonging to redactedemail at bowling dot net.
Pursuant to my rights under Article 17 GDPR I request that you delete
any and all related data.

Please note that I am not looking for instructions on how to delete my
account, I want you to delete all my data due to this request.

What in the world is he asking? All we have for info on his account is:
  • a made-up username
  • an email address,
  • he identifies as male,
  • the DAW software he uses,
  • he's in the UTC+1:00 time zone.

All other info would have been caught by a cookie, I suppose, in his browser, but that info doesn't come to us. Or does it?

Thanks for any help on this!

Andre
 
Delete his account and when he makes a future request, tell him that you do not have any user registered under his name.
 