Deleted member querying data removal - GDPR

which can include IP addresses,
Careful with that. I purposefully keep IP addresses - even after deletion of accounts - for 30 days, longer if the IP address came up in a ban.

The rationale I give for this is because while the spirit of the GDPR is privacy, this does not extend to a miscreant causing trouble, getting banned, then requesting account deletion which in theory should include the ban because IP addresses.

When I asked the ICO about this, they seemed happy enough that the use was valid provided that I disclosed it in the terms & conditions and privacy policy, and that this was used from a security standpoint, to deal with individuals aiming to prevent the service being used. It's been a while since I had the actual references to hand but there are provisions in there for security considerations.
 
Nothing about the GDPR says you have to respect the request immediately. You can take a little time to process it, you just can't string it out indefinitely citing how difficult it is. So put it in the T&Cs that you'll get to it within 30 days of request (this is considered reasonable from what I remember of discussing this). This gives the slam-the-door types time to simmer down and back out without causing you or them trouble.

The reality is also that it might well take a little longer to filter out through backups etc. if there was a burning need to resurrect the account, but it's usually quite hard to substantiate that the account might want to be resurrected for content purposes.

Now, if the account had made a purchase, particularly if the purchase were a downloadable good or similar, that's an easier sell for people - you can tell them that you're less inclined to delete the account because loss of access to purchase but if they want to delete their account, that's fine, as long as they also understand no takebacks. They lose that access to their purchase, and would need to re-purchase otherwise.

You can't really keep data 'just in case' you might need it. But you can demonstrate that there is value in keeping what you have a little longer, depending on what it's connected to.
 
You mean not worth the risk of making that argument?!
I'd say it's not worth risking the wrath of the ICO, if you get a GDPR request I'd honor it.

I make it very clear on receiving a request from a member that it is non-reversible and if you've done the job as requested by the ICO then there should be no way back i.e. how do you satisfy yourself that the person asking for the reversal is one and the same?
 
how do you satisfy yourself that the person asking for the reversal is one and the same?
This could be quite a concern if there is a chance the account was hacked. If their email is the same as the account (and that it hasn't been altered according to the change log) then I would have thought that is reasonable proof. If it was altered then there could be some suspicion that the account may have been hacked.
 
This could be quite a concern if there is a chance the account was hacked. If their email is the same as the account (and that it hasn't been altered according to the change log) then I would have thought that is reasonable proof. If it was altered then there could be some suspicion that the account may have been hacked.
I would have no way of checking that because there would be nothing left to check against. I realise there are some exceptions but in general email addresses are considered to be PII by the UK's ICO so that information would be deleted and unavailable to check against.
 
This is also why you don't just do it immediately, gives you time to inquire and learn more (and verify it's not exactly the sort of thing you're talking about)
 
What does yours say? I did think about that but then read that GDPR overrides any terms and conditions.
Well mostly yes.
I read this when the question came up years ago, already in 2013, on the Dutch site of an IT lawyer.
You can read it here and if necessary pull the page through Google translate.

In short, it also depends on what the forum is about. One has to weigh the privacy rights against the journalistic rights and freedom of speech rights. Also, with photos and text, there is the copyright thing, but if the license is stated as forever, and even sometimes without that, just for forums it can be hard or impossible to retract that copyright permission.

However, for photo copyrights, it can become an issue, but it's not just "take it away": the user has to prove that his copyright on the photo is more important than the freedom of speech rights the forum owner's right is based on.

Now we have a newer part from 2018 for this, as the AVG people had already foreseen this.

Also, we have some extra law in the Netherlands, which partly overrules the AVG. It's called the implementing law AVG and it has some exceptions to the AVG rules.

Freely translated by Google Translate:
In addition to the GDPR, the so-called AVG Implementation Act will be introduced in the Netherlands, containing a number of important exceptions for “journalistic purposes or academic, artistic or literary forms of expression”. All rights you normally have, such as inspection, correction and deletion, do not apply to these forms of expression. As a forum you can therefore also parry other requests, at least insofar as it concerns personal data that can be interpreted as journalistic or literary. As far as I'm concerned, that is limited to the postings or comments themselves. Things like someone's profile or interests are not included.

I wrote it a bit nicer, but....
In my rules I've stated that the user gives all copyright to the forum owner forever if he becomes a member, and also that my forum appeals to the exceptions mentioned in the quote.
Of course, one's profile has to be deleted if requested. But this prevents postings from being removed. And again... this law is in the Netherlands, I don't know if other countries also created an implementation act.
 
So somebody else has jumped on the bandwagon! A slightly disgruntled member, who hasn't been on for a long time, has seen "Previous Member" listed (i.e. the account I deleted the other day) and has now messaged saying they can't see the option to delete their account so can I delete it.

I'm not making the same mistake again - they can wait a bit. But I did reply - you can close down your account in your privacy and preferences settings and remove your Avatar.

They replied again that they could see another member had been "deleted properly" and was now called Previous User.

How do they know it was "deleted properly" and I didn't just change the username to Previous User?

I will probably have to delete this account as well. It's not someone who is likely to want to come back. But I'm not rushing into it.

So I'm back to semantics again. The last one (deleted the other day) was very specific and asked for the account to be closed and all data deleted. No arguing with the meaning of that.

This one has just asked for "account to be deleted" and no mention of data. So could I just kind of close it down without deleting it? Or maybe it won't make much difference if the username changes to "Previous user" anyway.

So - I'm not keen on this member - which is why they haven't been on for ages and probably just causing trouble now - having seen another deleted member. So what are the options now?

Could I just say - well I can ban you if you like? Does banning actually delete an account?
 
Sorted it out and talked them out of it. But if anyone gets chance, please could you explain the difference between banning and deleting the account? I assume banning blocks the IP and stops them logging in - but doesn't actually remove the email address does it?
 
Does banning actually delete an account?
No it doesn't.

I've read you sorted it out and talked about it. But this way you have the answer to this question for the future.
Maybe it's a good idea to make a deleted user something else than "previous user", maybe the default or "former (or removed) member xxx" where xxx is a random number so you are saved from questions about this of others in the future.

Banning the account -> the user is not able to do anything anymore. It does not necessarily block the IP (but it can) but removes all permissions from the account. But since a banned user can (in principle) also be unbanned, nothing is deleted, so all data, e-mail address, PMs etc. are all kept in the database. So no data is removed!

Deleting an account -> the user's profile gets deleted and the name gets anonymized (if set up that way), and since the profile is removed, so is the user's other data like the e-mail address. That is removed.
It might be that some IP address used is left in the database, as it's possible to restore a user, but in that case you would need to know the XX number of the "deleted user xx" when a user gets "deleted". I'm sure about that restoring, not sure if the IP address is left too.

Personally I find it a pity that deleting users is not done like it was done in the past with forum software (before Xen), where users who got deleted really got deleted. Not their threads/postings, but their name, profile and PM box.
Nowadays the username is changed into something random. But maybe that also has something to do with being able to conform to GDPR options, I don't know. I would just like it if I could delete users as could be done in the past. :)
 
Thank you. That's what I thought really.
 
So basically there's no legal way round avoiding complete account deletion in the UK. On this occasion I had suggested they just change their privacy settings and remove the avatar if they wanted to leave. With an option to change username if they wanted. When that didn't wash I said well I could do a voluntary ban. They backed down and then said maybe they'd not close the account after all in case they wanted to come back.

But if they had insisted I would have had to delete. So I was incorrect in offering a voluntary ban (although it did the trick). I don't want my newish forum littered with deleted members jumping on the bandwagon because they're not posting any more!
 