GDPR discussion thread

Hi

Sorry if this has already been answered, but how can I dump all user information (personal, posts, PMs, gallery photos) to give to the user?
Do XF1 and XF2 give us a way of doing this?

Thanks
 
Of the changes we were considering, we have started implementing some and that’s for both XF 1.5.20 and XF 2.0.6.
Thanks for the info Chris - and the team.

Don't worry, there will still be plenty of people who have consulted a legal advisor and been informed they will serve 17 consecutive life sentences if they run an XF forum after those versions are released 😂


Fillip
yeah yeah. :D :D The sky is falling in on us!
Crazy stuff....
 
Hi

Sorry if this has already been answered, but how can I dump all user information (personal, posts, PMs, gallery photos) to give to the user?
Do XF1 and XF2 give us a way of doing this?

Thanks
No, and it likely won't do. We're working on some basic data portability for personal data for the upcoming releases but a system for downloading all of a user's content is totally unreasonable under data portability rules and that is not required by the GDPR.
 
No, and it likely won't do. We're working on some basic data portability for personal data for the upcoming releases but a system for downloading all of a user's content is totally unreasonable under data portability rules and that is not required by the GDPR.

How far will you go into this part? Because this is also one of the subjects that's up for interpretation by each reader.
 
Actual personal data that may or may not be hidden on your profile, rather than content you most likely posted publicly. Including custom fields. Also likely IP addresses but frankly I think they are wrong to classify that as personal data.

That data will also be importable to other XF forums.
 
Actual personal data that may or may not be hidden on your profile, rather than content you most likely posted publicly. Including custom fields. Also likely IP addresses but frankly I think they are wrong to classify that as personal data.

That data will also be importable to other XF forums.

Thanks! Sounds good.

I know there are add-ons today that let users delete their own account, but will you add that to core functionality now? Or is it not being looked at?
 
@Chris D
Will it be logged when a user agreed to the privacy policy, terms and which version? i.e. if we change the privacy policy and terms, will the user have to agree again?
 
There will not be a versioning system.

The GDPR text (Article 7) does not actually imply that you need to record specifically what was consented to, just that they have consented.
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
As with anything, it's open to interpretation, so of course you may prefer to maintain a manual log of a) the date the policy changed and b) what the policy was changed to, but it's far from being a requirement, in our opinion.
 
I've seen it. However I'm not sure how they've interpreted that from the official text.

So we don't feel that recording what they were told is necessary. Even so, the software doesn't have to do everything. If you feel that you need to record what was told at any given time, then you can keep your own document somewhere (or indeed a thread on the forum) that contains the date the policy was changed and what it was changed to.

The only bit that's missing, which we will help with, is recording the date a user agreed to whatever the terms/policy was at the time.
 
I see. How would you record consent of updated privacy policy?
Facebook & Google stuff their new privacy policy in my face until I take action on it.
 
As with anything, it's open to interpretation, so of course you may prefer to maintain a manual log of a) the date the policy changed and b) what the policy was changed to, but it's far from being a requirement, in our opinion.

It may not be a GDPR requirement, however isn't it more like common sense that it would be useful to automatically log that somebody had consented to a change in privacy or T&C? How about rather than just do stuff "because it's a GDPR requirement" we take this opportunity to improve the way we interact with members.
 
I'm simply saying that we're not going to be recording the specific version (i.e. the specific text) of what was consented to. I didn't really comment on anything else.
 
More so in XF2.

The import/export code in XF1 is very similar to the current code we have there for things like exporting BB codes etc.

The code in XF2 is in a couple of services, and the specific fields which are imported/exported are in various methods so should be extendable as you might expect.
 
GDPR said:
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
I've seen it. However I'm not sure how they've interpreted that from the official text.
The GDPR has various articles, including 32, which stipulate that consent needs to be specific for it to be valid. It makes sense to me that this implies that we are required to record specific consent, i.e. who, when, what. They should have clarified or mentioned that in the directive.

After digging some more, I found that the EU WP29 guidelines on consent do explicitly clarify this:
EU said:
5.1. Demonstrate consent
In Article 7(1), the GDPR clearly outlines the explicit obligation of the controller to demonstrate a data subject's consent. The burden of proof will be on the controller, according to Article 7(1).
Recital 42 states: “Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

Controllers are free to develop methods to comply with this provision in a way that is fitting in their daily operations. At the same time, the duty to demonstrate that valid consent has been obtained by a controller, should not in itself lead to excessive amounts of additional data processing. This means that controllers should have enough data to show a link to the processing (to show consent was obtained) but they shouldn’t be collecting any more information than necessary.

It is up to the controller to prove that valid consent was obtained from the data subject. The GDPR does not prescribe exactly how this must be done. However, the controller must be able to prove that a data subject in a given case has consented. As long as a data processing activity in question lasts, the obligation to demonstrate consent exists. After the processing activity ends, proof of consent should be kept no longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims, in accordance with Article 17(3)(b) and (e).

For instance, the controller may keep a record of consent statements received, so he can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time shall be demonstrable. The controller shall also be able to show that the data subject was informed and the controller's workflow met all relevant criteria for a valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable with regard to obtaining valid consent from data subjects and the consent mechanisms they have put in place. For example, in an online context, a controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time. It would not be sufficient to merely refer to a correct configuration of the respective website.

I hope the guidelines from the EU WP29 guidelines on transparency may be of use to you: http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48850
EU said:
when changing the contents/ conditions of existing privacy statements/ notices. The controller should adhere to the same principles when communicating both the initial privacy statement/ notice and any subsequent changes to this statement. Since most existing customers or users will only glance over communications of changes to privacy statements/ notices, the controller should take all measures necessary to ensure that these changes are communicated in such a way that ensures that most recipients will actually notice them. This means for example that a notification of changes should always be communicated by way of an appropriate modality (e.g. email/ hard copy letter etc.) specifically devoted to those changes (e.g. not together with direct marketing content), with such a communication meeting the Article 12 requirements of being concise, intelligible, easily accessible and using clear and plain language. References in the privacy statement/ notice to the effect that the data subject should regularly check the privacy statement/notice for changes or updates are considered not only insufficient but also unfair in the context of Article 5.1(a). Further guidance in relation to the timing for notification of changes to data subjects is considered below at paragraph 26.
I'm posting this in the hope that the above is of use to you.
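The WP29 guidance quoted above asks the controller to be able to show who consented, when, and what text was presented at the time, and to keep that evidence no longer than needed. The following is an added example written for this thread; it is not XenForo code and not part of any post here. It sketches in Python how a forum could keep that evidence: a fingerprint of the exact policy text is stored with the user id, timestamp and session, the text itself is retained once per version so it can be reproduced later, users who accepted an older version are flagged for re-consent, and a user's records can be erased when the processing ends. The class and field names (ConsentLedger, session ids, the sample policy texts) are assumptions constructed for the example.

```python
"""Consent ledger: record who consented, when, and to exactly which policy text.

Added example, not XenForo's implementation. Names, fields and sample
policy texts below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def policy_fingerprint(policy_text: str) -> str:
    """SHA-256 of the policy text after normalising line endings and
    surrounding whitespace, so a CRLF/LF difference is not a 'new version'."""
    normalised = policy_text.replace("\r\n", "\n").strip()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    user_id: int
    policy_name: str   # e.g. "privacy_policy" or "terms" (assumed names)
    policy_hash: str   # fingerprint of the exact text the user was shown
    consented_at: str  # ISO-8601 UTC timestamp
    session_id: str    # identifier of the session in which consent was given


class ConsentLedger:
    """Append-only list of consent events plus the policy texts they refer to."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []
        # hash -> text: keep each distinct version once so it can be reproduced
        self._policy_texts: Dict[str, str] = {}

    def record(self, user_id: int, policy_name: str, policy_text: str,
               session_id: str, when: Optional[datetime] = None) -> ConsentRecord:
        digest = policy_fingerprint(policy_text)
        self._policy_texts.setdefault(digest, policy_text)
        timestamp = (when or datetime.now(timezone.utc)).isoformat()
        rec = ConsentRecord(user_id, policy_name, digest, timestamp, session_id)
        self._records.append(rec)
        return rec

    def latest_consent(self, user_id: int, policy_name: str) -> Optional[ConsentRecord]:
        for rec in reversed(self._records):
            if rec.user_id == user_id and rec.policy_name == policy_name:
                return rec
        return None

    def needs_reconsent(self, user_id: int, policy_name: str,
                        current_policy_text: str) -> bool:
        """True if the user never consented, or consented to a different text."""
        rec = self.latest_consent(user_id, policy_name)
        return rec is None or rec.policy_hash != policy_fingerprint(current_policy_text)

    def evidence(self, user_id: int, policy_name: str) -> Optional[dict]:
        """Who, when, and the exact text shown: what Article 7(1) asks for."""
        rec = self.latest_consent(user_id, policy_name)
        if rec is None:
            return None
        return {
            "user_id": rec.user_id,
            "consented_at": rec.consented_at,
            "session_id": rec.session_id,
            "policy_hash": rec.policy_hash,
            "policy_text": self._policy_texts[rec.policy_hash],
        }

    def erase_user(self, user_id: int) -> int:
        """Drop a user's consent records once proof is no longer needed.
        Returns the number of records removed."""
        before = len(self._records)
        self._records = [r for r in self._records if r.user_id != user_id]
        return before - len(self._records)


if __name__ == "__main__":
    # Constructed sample data, not from any real forum.
    ledger = ConsentLedger()
    v1 = "We store your email address and IP address to run the forum."
    v2 = v1 + " We also share it with our email provider."
    ledger.record(42, "privacy_policy", v1, session_id="sess-abc123")
    print("re-consent needed after v1?", ledger.needs_reconsent(42, "privacy_policy", v1))
    print("re-consent needed after v2?", ledger.needs_reconsent(42, "privacy_policy", v2))
    print(ledger.evidence(42, "privacy_policy"))
```

The design choice worth noting: storing a hash of the text rather than a version number means a silent edit to the policy is detected as a new version, while storing each text once keeps the ledger from duplicating the full policy per user, which is the "no more data than necessary" point in the guidance.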
 