Deleted member querying data removal - GDPR

[Alvin63]

Ok. So a member requested their account was closed. I made a note of their email address before deleting the account and anonymising it as "previous member" so any posts were anonymised. I then emailed them from the forum email confirming their account was closed as requested and their data removed as requested.

They are being awkward and have replied saying - if all my data has been removed, why are all my posts and photos still there.

As far as I'm aware, as long as their content is anonymised, I don't have to remove it do I? I'm in the Uk so subject to GDPR

"Your personal data has been removed from the database and server, your content has been anonymised.

But could do with a bit more than that. Could I say that the terms and conditions are clear that "You are granting us with a non-exclusive, permanent, irrevocable, unlimited license to use, publish, or re-publish your Content in connection with the Service. You retain copyright over the Content."

I guess they could argue - but I'm no longer a member so those terms and conditions don't apply now. What is the best way to handle this because I do not intend to remove all their content and mess up all the threads!

The irony is - if we are emailing then presumably her email address is still on the server! Or does that not count as it's not in the forum database.

 

[Mr Lucky]

As far as I'm aware, as long as their content is anonymised, I don't have to remove it do I?

No you don’t but if any posts contains any personal details I would delete those.

guess they could argue - but I'm no longer a member so those terms and conditions don't apply now

The terms still apply due to the word “permanent”

server! Or does that not count as it's not in the forum database

They replied to your email so you would have their address due them sending you an email (on which they asked for a response that wasn’t “delete this email address from your computer”)

 

[Alvin63]

Thank you. Would a pet's name be classed as personally identifiable info? It's a pet forum!

 

[Black Tiger]

Not that I know of. A pet's name is not personal as it's not related or bound to a person like an e-mail address for example.
Hundreds of people can have a pet named Charly for example.

I'm happy I have an exclusion in my policy which prevents the need of deleting things (except account) which the user needs to agree to before being able to become a member.

 

[Alvin63]

Not that I know of. A pet's name is not personal as it's not related or bound to a person like an e-mail address for example.
Hundreds of people can have a pet named Charly for example.

I'm happy I have an exclusion in my policy which prevents the need of deleting things (except account) which the user needs to agree to before being able to become a member.

Thanks. That sounds a good idea. So you've added it to the standard terms and conditions? Good idea. What does yours say? I did think about that but then read that GDPR overrides any terms and conditions. And it already makes it clear that they gave over use of the content but keep the copyright. I have a feeling they are going to reply saying their pet photos are personal data.

 

[Alvin63]

It's the second time this member has asked to close their account (changed their mind the first time). So I followed through this time after getting no response to messages asking if there was something I could sort out.

Now sounds like they are having second thoughts again after I let them know some moderation had been done on a particular thread if that had been an issue.

So if they now decide they want to join again - and the account is deleted. I assume there is no way of linking the old content to any new account they open?

 

[Mr Lucky]

So if they now decide they want to join again - and the account is deleted. I assume there is no way of linking the old content to any new account they open?

See my post here

XF 2.2 - Is it possible to restore a deleted membership?

Hi By mistake, I deleted someone's user account Can this be done without going back to back up ? Is there a solution other than back-up? Thanks!

xenforo.com

 

[StarArmy]

Once you delete the account and any personal data you could find I'd just tell them that you made your best reasonable effort to remove any personal info and if any was missed in error, they should simply email you with a link to the post containing PII and the PII will be removed from the post as soon as time permits and within 2-3 business days. As long as you're making a bona fide effort to comply I think you are good.

Disclaimer: Not a lawyer, not legal advice

 

[Alvin63]

See my post here

XF 2.2 - Is it possible to restore a deleted membership?

Hi By mistake, I deleted someone's user account Can this be done without going back to back up ? Is there a solution other than back-up? Thanks!

xenforo.com

Thank you. I don't think they will be coming back based on their last email wishing the forum good luck. But in future I think I will send a final warning message saying account closure isn't reversible and if I don't hear anything further to discuss within 24 hours I'll go ahead and close the account.

 

[Alvin63]

Once you delete the account and any personal data you could find I'd just tell them that you made your best reasonable effort to remove any personal info and if any was missed in error, they should simply email you with a link to the post containing PII and the PII will be removed from the post as soon as time permits and within 2-3 business days. As long as you're making a bona fide effort to comply I think you are good.

Disclaimer: Not a lawyer, not legal advice

Thank you I have done something like that

 

[Mr Lucky]

But in future I think I will send a final warning message saying account closure isn't reversible and if I don't hear anything further to discuss within 24 hours I'll go ahead and close the account.

I no longer delete accounts, I just “close them” by changing the username, deleting all data, profile, avatar. Add to a usergroup called account closed which has no permissions to do or see anything.

It’s as good as deleted but it is reversible

 

[Alvin63]

I no longer delete accounts, I just “close them” by changing the username, deleting all data, profile, avatar. Add to a usergroup called account closed which has no permissions to do or see anything.

It’s as good as deleted but it is reversible

Thanks - good idea. Does that actually remove their email address from the registered account and database though? This one specifically asked for all data to be removed.

 

[Mr Lucky]

Thanks - good idea. Does that actually remove their email address from the registered account and database though? This one specifically asked for all data to be removed.

I just remove everything manually and change the password. Username is changed so all posts have no connection to the original username (except quotes, but you get those anyway with user deletion. (And if the name is unique you can change the quote name in the database anyway)

I learned the hard way to do this instead of deletion when a good member wanted deleting, then asked to come back. I was able to relink the posts as above, but not conversations or reactions.

 

[Slavik]

good as deleted

But if any, and I mean any personal data remains, which can include IP addresses, you are breaking the law.

why are all my posts and photos still there.

GDPR isnt a "purge me from a site" button, information they have willingly posted in public is largely exempt. The caveat being if the post contains specific personally identifiable information such as a name and address for example.

 

[Mr Lucky]

But if any, and I mean any personal data remains, which can include IP addresses, you are breaking the law.

But if all other data is deleted and username anonymised should it matter?

Probably yes because the person's lawyer might claim they could be identified by their posts. So thanks for pointing that out.

So a query could delete the IP information I think???

DELETE
FROM xf_ip
WHERE user_id = 23

 

[Alvin63]

It probably comes down to what the member specifically requests. If they just request their account is closed then Mr Lucky's method should be fine perhaps. But if they specifically request, as mine did, that the their account is closed and all their data removed. Then email address and IP addresses need to be gone. I need to think about this and get my head round it!

 

[Alvin63]

Also wondering if it has changed slightly since the Uk left the EU. According to this, it's the Uk Data Protection act that needs to be complied with

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Data protection

The Data Protection Act (DPA) controls how personal information can be used and your rights to ask for information about yourself

www.gov.uk

 

[Mr Lucky]

Then email address and IP addresses need to be gone.

True. email address is easy as you just remove it. IP can be done if you are OK with database query as above.

presumably this should not be a common occurrence so doing all this manually seems better than a quick "burnt bridges" user deletion.

 

[Mr Lucky]

Also wondering if it has changed slightly since the Uk left the EU. According to this, it's the Uk Data Protection act that needs to be complied with

Data protection

The Data Protection Act (DPA) controls how personal information can be used and your rights to ask for information about yourself

www.gov.uk

That is true probably for UK users, but I doubt they have got around to changing the actual specifics since Brexit. @Slavik may know more.

 

[Alvin63]

The Data Protection Act may actually allow for your solution Mr Lucky

It says "...must make sure the information is

..kept for no longer than is necessary"

So in which case it could be argued that it's kept stored away the purposes of reactivating an account - therefore it's necessary.

On the other hand, further down under "Your rights" it says the right to

"...have data erased"

So that's why I was thinking if may depend on what the member specifically asks for. Whether they are just asking for their account to be closed. Or whether they are specifically asking for their data to be deleted as well.