Deleted member querying data removal - GDPR

@Mr Lucky
Sure, but IMHO that's their problem, they asked for deletion and got exactly what they asked for.

If they want to further exercise this right after account deletion they have to show that they are the data subject in question.

What would happen if they wanted to go to court to enforce removal?
They would have to demonstrate that they have the right to demand removal, they can't just state "Meeh, but this for sure was my account - I swear!"

Really, we shouldn't waste too much time thinking about how to please deleted members - just doing what's legally required should be well sufficient.
 
I agree, I wasn’t suggesting anything else.

Just wickedly enjoying the irony of the deleted member getting their knickers in a twist over trying to reverse their decision. I’d certainly waste no time on them beyond a short note telling them they got their request to be deleted (forgotten) and anything further they want must supply proof of ID.
 
I think if I do delete a member again, at their request, and after explaining the other options, I'd like to prevent them rejoining with a new account 2 or 3 days later. But I guess you can't.
 
Personally... you want your data deleted? After a short cooling off period it's gone unless you request otherwise before that time expires.
If you have regrets afterwards... too bad, so sad. You had a period you could think about it and didn't revoke your request so you are history.
You come back as a new user and then want your "old" data re-associated with your new username? Welcome to the world of being banned. I personally would NOT want such a user back on my site. Of course, I'm not really THAT concerned with GDPR since the ONLY place that is in the EU that I would even be tempted to visit would be Scotland and Ireland... and honestly, there's MORE than enough of the US that I haven't visited to last me the rest of my life. So GOOD LUCK to the EU on enforcing their "crap" on me. Yes, my site is hosted by a German company with a hosting presence based in the US. I can make a pretty good argument that US law trumps (sorry for the pun) and even if not, it's VERY easy to find a U.S. owned/based VPS provider. Hell, if nothing else I can grab a dedicated server and do a local CoLo.
 
Good point - you could just ban them if they rejoin. It's kind of a quirky argument that they wanted GDPR level deletion - but then rejoined - therefore they didn't want GDPR level deletion as they then replaced their PII back on the site. So if they asked for it again, in a way they wouldn't have a leg to stand on because it had already been done and then they opted to put it all back again. Although I wouldn't like to argue that point in a court of law.

So if they rejoin then ban them - which means they can't contact you to ask for data deletion! If it's a difficult member. Mine was marginally difficult but had reasons for wanting to bolt, so gave them the benefit of the doubt. For now. But yes it is a lot of hassle reinstating a new name on a deleted account. I only did it so my forum didn't look messy but wouldn't want to do it too often.
 
Yes but if you want to be compliant with privacy laws etc, which this thread is about, you would be questioning using an addon that appears that it may not be compliant with privacy.
I agree it's questionable. I don't know how this particular add-on works but you are entitled to retain certain information for operational purposes.
 
I guess banning an IP address then if you don't want them to rejoin
In this case you cannot ban their IP because you no longer have it - it was deleted along with their other personal info, remember?
Perhaps limit the contact form to registered users...
Then how do unregistered users contact you? Or legit enquiries from users with login or registration issues. Or potential advertisers wanting to throw money at you?
 
In this case you cannot ban their IP because you no longer have it - it was deleted along with their other personal info, remember?

Then how do unregistered users contact you? Or legit enquiries from users with login or registration issues. Or potential advertisers wanting to throw money at you?
You have a good point, however depending upon the purpose of the forum, perhaps an admin doesn't want unregistered users to contact them.
 
In this case you cannot ban their IP because you no longer have it - it was deleted along with their other personal info, remember?

Then how do unregistered users contact you? Or legit enquiries from users with login or registration issues. Or potential advertisers wanting to throw money at you?
So ban them first then delete them?! Assuming banning also bans the IP address? Actually it's not really possible to stop someone rejoining is it - they could just use a different IP address or VPN.

What I meant earlier though was, if a deleted member then rejoined. Make a note of the IP address on their new account, ban that and then delete the new account.
 
So ban them first then delete them?! Assuming banning also bans the IP address?
I don’t assume that. Two separate actions.

I don’t delete banned users, it only makes it easier for some of them to rejoin. Obviously not foolproof but banning means they cannot join up with same name and email. It also leaves a record of why they were banned and makes it possible to find their content, warnings and other stuff that may be useful.
 
Ban and delete the user. If they're forever emailing you, block their email address in your control panel (cp) email blocking system.
Range ban their IP address in the same cp under blocking IP addresses.
 
So ban them first then delete them?!
Doesn't make any sense - when you delete an account the ban also gets deleted.

Assuming banning also bans the IP address?
It doesn't.

Actually it's not really possible to stop someone rejoining is it - they could just use a different IP address or VPN.
Yeah, banning IPs doesn't make much sense.

What I meant earlier though was, if a deleted member then rejoined. Make a note of the IP address on their new account, ban that and then delete the new account.
If you properly delete an account you won't be able to detect when the user rejoins because everything that could identify the account has been forgotten.
Or in other words: If you are able to detect that a user rejoins after deleting an account your deletion process doesn't fulfill GDPR requirements.

You have a good point, however depending upon the purpose of the forum, perhaps an admin doesn't want unregistered users to contact them.
IMHO it doesn't matter much what the admin doesn't want - what matters is compliance.

GDPR Art. 13 linked above makes it pretty clear that the data controller has to provide contact details for guests.
 
If you are able to detect that a user rejoins after deleting an account your deletion process doesn't fulfill GDPR requirements.

Actually I believe if you, for example, hash the IP or email using a one-way algorithm, you can sidestep this rule.

Was talking to a German-based client about this a few weeks back and their lawyers seemed to agree that as long as you can't "realistically" reverse the hash to recover the data, then it's not PII even when combined with other information.
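
The one-way hashing idea from the post above, sketched as an added example (not code from the thread or from any forum software): only keyed digests of the email and IP are kept after deletion and compared at registration. The key, the function names and the addresses (documentation ranges) are constructed for illustration; the last function shows why an unkeyed hash of an IPv4 address is easy to guess back, which is why a secret key is used here.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress

# Constructed demo key (assumption): in practice a random secret kept
# outside the forum database, so a database leak alone exposes no key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(kind: str, value: str) -> str:
    """Normalise so trivially different spellings give the same digest."""
    value = value.strip()
    if kind == "ip":
        return ipaddress.ip_address(value).compressed
    return value.casefold()  # assumption: emails compared case-insensitively


def keyed_digest(kind: str, value: str, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 over 'kind:value'; one-way and useless without the key."""
    msg = f"{kind}:{canonical(kind, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def forget(email: str, ip: str) -> set[str]:
    """What is kept after deletion: digests only, no email or IP."""
    return {keyed_digest("email", email), keyed_digest("ip", ip)}


def is_returning(email: str, ip: str, kept: set[str]) -> bool:
    """True if a new registration matches a digest kept at deletion."""
    return bool(forget(email, ip) & kept)


def plain_digest(ip: str) -> str:
    """Unkeyed SHA-256 of an IP, shown only for comparison."""
    return hashlib.sha256(canonical("ip", ip).encode()).hexdigest()


def guess_from_plain(digest: str, network: str) -> str | None:
    """Try every address in a range against an unkeyed digest."""
    for host in ipaddress.ip_network(network):
        if plain_digest(str(host)) == digest:
            return str(host)
    return None
```

Matching on the IP digest inherits the limits already raised in the thread: a different address or a VPN produces a different digest.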
 