GDPR Compliance

alfaNova

Well-known member
Hi XenForo Team,

I would like to draw your attention to GDPR compliance. Below are the issues that I consider non-compliance. However, if other members have any observations, please do not hesitate to add them.

I am opening this topic because I think there is a problem with GDPR compliance. According to the GDPR law, XenForo forums are considered to have the status of Data Controller. Therefore, they have the following responsibilities. In addition, if the Forum Administrator has not legally appointed a Data Protection Officer, this responsibility will also be on the Administrator.

  • Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
  • Those measures shall be reviewed and updated where necessary.
  • Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
  • Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
The data protection officer shall have at least the following tasks:
  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
  • The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.


GDPR Requirement: Art. 17 GDPR - Right to erasure (‘right to be forgotten’)
Concern: According to the GDPR rules, Data Subjects, that is members, have the right to be forgotten, in short, to have their personal information deleted. Many people will say that this can be done by contacting the Administrators, but we should have a more automated process. All Admins are very busy so the current process is not effective.

Data Retention period should be determined for the forum in general and if the member has not logged in to the forum within this period, an option should be offered to delete his account or an email should be sent to obtain his consent to store the information for another data retention period. And member responses should be stored in their profile for evidence.

GDPR Requirement: Art. 28 GDPR - Processor
Concern: Which information is shared with which Processors for which members? How can we, as Data Controller and Data Protection Officer, access this information?

The term ‘personal data’ is the entryway to the application of the General Data Protection Regulation (GDPR). Only if a processing of data concerns personal data does the General Data Protection Regulation apply. The term is defined in Art. 4 (1). Personal data is any information which is related to an identified or identifiable natural person.

The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.

Many of us have seen that member profiles or postbits in messages are indexed by search engines.

Postbits, member cards, member profiles, custom user fields should be seen as potential personal information fields and treated accordingly. Therefore, they should not be indexed in search engines and should not be clearly visible to guests, or should be blurred.

As an admin, I would like to point out that I have received direct complaints from members on this issue many times.

GDPR Requirement: Chapter 5 (Art. 44 – 50) - Transfers of personal data to third countries or international organisations
Concern: Many of our forums have members from all over the world, so I think that this cooperation should be considered as international data transfer.

GDPR Requirement: Right of Access
Concern: According to this article, members have the right to access their personal data or what data is processed. So how is this done in the current situation? This task can be delegated to the administrator, but there is no direct and easy process for this. Therefore, it may be useful to provide an option to download this data. Of course, in order to use this process, a process such as verification by email is required to ensure that the data is downloaded by the right person.

I know that XenForo is software used worldwide, so if arrangements are to be made, it is useful to make it optional. Perhaps a section for GDPR in the admin panel would be appropriate. The following article is included in the XenForo Licence Agreement.

3. Restrictions
You are solely responsible for ensuring that Your Content and Your use of the Software complies with all applicable legislation and regulations, including but not limited to all applicable Data Protection and Privacy legislation.
This clause protects XenForo as a company and I can hear the admins saying if this contract doesn't suit you, don't use it. But, I think it is fairer to apply this article after the necessary software infrastructure is provided.

In this state, I personally think that XenForo does not fully comply with GDPR requirements. If there are other members or lawyers among us, I would very much like to hear their views and the problems they have identified.
 
According to the GDPR rules, Data Subjects, that is members, have the right to be forgotten, in short, to have their personal information deleted. Many people will say that this can be done by contacting the Administrators, but we should have a more automated process. All Admins are very busy so the current process is not effective.
The point is it can be done by administrators therefore the software is compliant with this point. It doesn't need to be automated, there is no stipulation by any means that this is required. If GDPR is important - which it is - then administrators should make time for this.

Which information is shared with which Processors for which members? How can we, as Data Controller and Data Protection Officer, access this information?
XenForo ships with a standard privacy policy and this can be modified according to the needs of your members and the specifics of your site and what functionality you might use.

Postbits, member cards, member profiles, custom user fields should be seen as potential personal information fields and treated accordingly. Therefore, they should not be indexed in search engines and should not be clearly visible to guests, or should be blurred.
It is down to the administrators to decide what is reasonable and down to users to decide what they choose to display. By default in XenForo this would usually be limited to the user name, but the sign up process makes it clear this is displayed publicly. Everything else is optional and realistically administrators should not be encouraging the display of PII. We have privacy settings for things like displaying age. The user's right to be forgotten if they decide they no longer wish to display such information still applies.

Many of our forums have members from all over the world, so I think that this cooperation should be considered as international data transfer.
Again, the standard privacy policy should be sufficient but in cases where it isn't sufficient for you, you can modify it accordingly.

According to this article, members have the right to access their personal data or what data is processed. So how is this done in the current situation? This task can be delegated to the administrator, but there is no direct and easy process for this. Therefore, it may be useful to provide an option to download this data. Of course, in order to use this process, a process such as verification by email is required to ensure that the data is downloaded by the right person.
There is a Data Portability section in the admin control panel. Upon request, an administrator can download this for a specific user and provide it to them.

In this state, I personally think that XenForo does not fully comply with GDPR requirements.
We've been here before and we have verified multiple times: XenForo does fully comply with GDPR requirements.
 
There is a Data Portability section in the admin control panel. Upon request, an administrator can download this for a specific user and provide it to them.
This export does not include IP addresses which may be considered PII.
 
Well, technically, data portability isn't necessarily designed for "right of access" but it gets most of the way there -- you wouldn't want to import/export a user's IP addresses for the purposes of moving the data elsewhere - that doesn't make sense in that context.

But IP addresses are logged and you can provide those separately if the request warrants it.

Most things do not need a software solution. You have the data, you can access the data, you can find a way to provide the data. We will consider ways to make that easier, particularly for the cases that occur most frequently, but it would need to be proportionate.

If we're talking about features being added to the software that the majority won't ever use, spending a significant number of developer hours in the short term and long term in order to implement, support and maintain such functionality, when the solution is to copy and paste some information into a spreadsheet or document, it's just not worth it.
 
The point is it can be done by administrators therefore the software is compliant with this point. It doesn't need to be automated, there is no stipulation by any means that this is required. If GDPR is important - which it is - then administrators should make time for this.
I have also stated that accounts can be deleted manually, but I'm sure you understand the point I'm trying to make. We are all busy, including you, and many admins manage the forum with their professional life. For this reason, it is natural to need tools that will help Administrators and reduce their workload. That's why I gave the example in my first message.
XenForo ships with a standard privacy policy and this can be modified according to the needs of your members and the specifics of your site and what functionality you might use.
In cases where the standard policy is not enough, I do not think that a simple apology will be enough in case of a possible complaint as Admins. The standard policy specifies what data is collected and I have made the necessary arrangements for my own forum. It is also stated that this collected information will be shared with 3rd parties. So what information was shared with which 3rd party? How will we protect ourselves in a possible legal trouble?

I would like to add that some minimum requirements or rules should be set for add-on developers. For example, there are dozens of add-ons that use external services and APIs. Is any information shared with these services? If shared, what information? I have never seen a warning or notification about this in any add-on I have installed so far.
It is down to the administrators to decide what is reasonable and down to users to decide what they choose to display. By default in XenForo this would usually be limited to the user name, but the sign up process makes it clear this is displayed publicly. Everything else is optional and realistically administrators should not be encouraging the display of PII. We have privacy settings for things like displaying age. The user's right to be forgotten if they decide they no longer wish to display such information still applies.
I have been keeping member profiles private to search engines for years. I do this both from member group permissions and with config.php editing. But despite this, I receive complaints from members that their profiles, names, avatars, etc. appear in search engines. I think I'm not the only one facing this situation.

There is a Data Portability section in the admin control panel. Upon request, an administrator can download this for a specific user and provide it to them.
I am sorry for my insufficient knowledge. I searched with different keywords but I couldn't find the Data Portability section. Combining with my 1st message, yes, maybe we can download some information as admin (although I can't find the place), but you can reduce the workload of admins in this regard. Of course, the member can download his own data.

We've been here before and we have verified multiple times: XenForo does fully comply with GDPR requirements.
Please reconsider this issue by considering people who do not know coding or who do not devote all day to forum management.

I certainly don't intend to be controversial or offensive with my messages. Please don't take it that way, but I don't agree with you. Considering the serious fines of the GDPR law, this is an issue that should be given importance.
 
This export does not include IP addresses which may be considered PII.
Many people collect additional user information with Custom User Field. I guess Custom User Fields were developed for this. So, when Data Portability is used, is it included in the newly added Custom User Fields? I am asking because I have not used this feature before and even just learnt about its existence.
 
Many people collect additional user information with Custom User Field. I guess Custom User Fields were developed for this. So, when Data Portability is used, is it included in the newly added Custom User Fields? I am asking because I have not used this feature before and even just learnt about its existence.
Add it into your forum rules.
 
But despite this, I receive complaints from members that their profiles, names, avatars, etc. appear in search engines. I think I'm not the only one facing this situation.
In which case your privacy policy can make it clear the information they choose to add to the site may be in the public realm. Notwithstanding users have control over who sees their profile.

Moaning to you about search engines makes no sense to me.

People who can’t be bothered to read a simple forum privacy policy yet can read a 94 page EU regulations document, well…
 