GDPR discussion thread

Davyc

Well-known member
You could read up a bit more about the GDPR - not sure what country you reside in but in the UK the ICO has an area dedicated to the GDPR and this part may be of interest:

  • The GDPR introduces a right for individuals to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’.
  • Individuals can make a request for erasure verbally or in writing.
  • You have one month to respond to a request.
  • The right is not absolute and only applies in certain circumstances.
  • This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
As another poster mentioned you could request confirmation from this person that s/he is who they say they are.

It can get a bit messy when dealing with such people, but as they use the GDPR to exercise their (perceived) rights, you can also use the GDPR and other methods to reply.

:)
 

webbouk

Well-known member
Would it be out of the question to send a pdf document requesting that he answers various questions to identify himself including a photo copy of his passport or driving licence with his signature and current postal address, and two copies of recent utility bills to confirm he is who he says he is before you disclose any information?

You are not being unreasonable in doing so.
Also I wouldn't delay it get it done asap to knock him off his perch
 

RobParker

Well-known member
He can't even access his email address for the account any more so not sure there's anything we can do even if we wanted to.

He's a GDPR "expert" though :rolleyes:
 

jmurrayhead

Well-known member
He can't even access his email address for the account any more so not sure there's anything we can do even if we wanted to.

He's a GDPR "expert" though :rolleyes:
I certainly wouldn't risk sending that data to an account that isn't on file with the registration. I'm assuming releasing that information like that is exactly what GDPR was put in place for.
 

RobParker

Well-known member
He's still going on and threatening us with the ICO now. I've been reasonable and explained things but also told him to contact the ICO and we'd be happy to discuss it with them.
 

Kirby

Well-known member
@RobParker
I'd demand an affirmation in lieu of oath from the user that this is his account, if he does you should be fine giving him the data.
Because lying on that would be a crime.
And as always: This is just my personal opinion and not a legal advice.
 

Chris D

XenForo developer
Staff member
Sorry, but if any customer asked us to delete their accounts or provide private information and the only basis for proof that the request is valid was essentially "I promise the account is mine", we'd tell you where to go (politely, of course).

Your responsibility as a data controller is to protect a user's data. Deleting or publishing it to a third party on a whim without proving the request is authenticated would frankly fail in that responsibility. Also not a lawyer, but don't do that ^.
 

zappaDPJ

Well-known member
Would it be out of the question to send a pdf document requesting that he answers various questions to identify himself including a photo copy of his passport or driving licence with his signature and current postal address, and two copies of recent utility bills to confirm he is who he says he is before you disclose any information?
The problem with that is none of the information identifies that person as the forum member. The only information that does in any realistic way is a matched email address and perhaps a static IP.

Sorry, but if any customer asked us to delete their accounts or provide private information and the only basis for proof that the request is valid was essentially "I promise the account is mine", we'd tell you where to go (politely, of course).

Your responsibility as a data controller is to protect a user's data. Deleting or publishing it to a third party on a whim without proving the request is authenticated would frankly fail in that responsibility.
I think this is good advice. I would put the protection of my member's data above and beyond a disclosure/erasure request. Only time will tell whether the regulator or court will agree but until that time I would err on the side of caution.
 

webbouk

Well-known member
Who's not to say that if you gave him (the expert) the information he's requested that he would not run to the ICO on the basis that you've just shared personal data with him ?
 

Mr Lucky

Well-known member
Sorry, but if any customer asked us to delete their accounts or provide private information and the only basis for proof that the request is valid was essentially "I promise the account is mine", we'd tell you where to go (politely, of course).
Is the email address that the request comes from, not proof enough?
 

webbouk

Well-known member
Mr Lucky - In this case if I've read it correctly the address the request has come from is different to the email address saved in the person's profile
 

Sim

Well-known member
He can't even access his email address for the account any more so not sure there's anything we can do even if we wanted to.

He's a GDPR "expert" though :rolleyes:
If he can no longer access the email address, it's no longer his personal information - problem solved :p

Seriously though - can he log into the account? Why can't he contact you via the forum to validate his identity? If he doesn't know the password and can't access the email address, that's two strikes against him for account validation?

You could also email the address on the account to confirm identity (give them 14 days notice) and if it bounces back or receives no response, then depersonalise or delete the account.

I certainly wouldn't ignore the request - but if you can be seen to have gone to some trouble to validate his identity, then I think you'll have a reasonable basis for refusing the request if you've been unable to do so.
 
Last edited:

RobParker

Well-known member
Haha he’s really angry. He’s reporting us to the ICO in a month and will “get our site shut down”.

Any suggestions on what I actually do if/when we hear from the ICO?
 

zappaDPJ

Well-known member
Haha he’s really angry. He’s reporting us to the ICO in a month and will “get our site shut down”.

Any suggestions on what I actually do if/when we hear from the ICO?
I would preempt that. Assuming you are operating within the UK, I would make sure your site is compliant with the regulations. I would then contact the ICO explain the situation and ask for guidance. Explain your concerns about proof of identity and the need to protect your user's data.
 

AzzidReign

Well-known member
@RobParker
Under GDPR I am entitled to ask for you to do this, and cite the following reasons:

* the personal data I gave you is no longer necessary for the purpose which you originally collected or processed it for; as I was banned as a member of your site and you therefore do not need my data
* you are relying on my consent as your lawful basis for holding the data, and I hereby withdraw consent;
* you are relying on legitimate interests as your basis for processing, I objects to the processing of their data, and as I am no longer active on your site and do not wish to be, there is no overriding legitimate interest to continue this processing;
Let's look at a few things as he's provided you with information that is gold :) "Originally collected or processed", if you are like me, you mostly use that information to do a few things:
  1. Make sure he's not a spammer (at sign up if you check against those databases)
  2. To insure a 1 account policy
  3. To keep your members rights and freedoms safe from: scammers, fraud prevention, and any malicious activity, including the breaking the rules in your TOS/board rules.
With that information, those are the exceptions to continuing to hold his data based on the following (linked to the specifics, quoted the lines I think are relevant, and bolded the more relevant stuff):

https://gdpr-info.eu/art-21-gdpr/
Right to object
(6) Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

https://gdpr-info.eu/art-17-gdpr/

(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defence of legal claims

https://gdpr-info.eu/recitals/no-47/
1The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. 2Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. 3At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. 4The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. 5Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. 6The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. 7The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

A lot of what this law allows us to do is in regards to protecting our users (see the underlined "fraud" above). And more on protecting our users:

https://gdpr-info.eu/recitals/no-49/
1The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. 2This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

browser type and version
operating system
referral source
length of visit, page views, website navigation and any other related browsing activity
There are exceptions and I would have to look them up again but keeping data and statistics for historical purposes I believe is an exception to what he's requesting. Plus, I'm not sure, if you are using gA, if you can tie any of this data to his actual account. I haven't looked into the depths of gA for things like that as I'm more so looking for trends than seeing what a single user is actually using when coming to the site. I'm not sure that you can even go into gA and say "erase any info from xx ip address".

Lastly, here comes the irony. I would ask to see his government issued ID, a picture of him holding it with a date (so he can't just pull one off the internet), as well as a recent bill to prove he still lives within the EU. You have to know if he's actually in the EU or not to know how to take action and that seems to be the only way. Here's the info on the Right to Erasure (to be forgotten):
https://gdpr-info.eu/issues/right-to-be-forgotten/

Now view paragraph 5, 2nd sentence: "However, the identity of the impacted person must be proven in a suitable way, as otherwise additional information could be requested from the responsible party, or the erasure could be refused."

This also means that either you have to let him log back into his account to prove such or he should have to email you from his "old" email address. And if he doesn't have the old email address, I believe IP addresses would have to be "used" in combination with other "personal data" to actually be considered "personal data". Otherwise, if you just have an IP address, who's to say it isn't someone else in his household? It talks about identifying a "natural person", thus, if there are more than 1 person in his household, you couldn't tie that to a single person with just the IP address.

What I'm going to be doing here on my site shortly would be opening up the ticket system to banned members and only giving them the option to discuss the Right to Erasure. This can prove their access to their account. In the same token, we will be allowing them to go in and remove any of their profile fields they filled out and the plan is to figure out a way to make it so they can ONLY view THEIR content that they've posted on the site and allow them to search through that for any personal data that they may have submitted to the public and allow them to request deletion of that. Everything else (all the other info like email, IP), especially for banned users, is to prevent them from using the site again. For users with warnings, it's to make sure that we preserve the rights and freedoms of our other members so they don't fall victim to fraud or scams or malicious programs posted publicly or privately to other members.

We will obviously pull those types of emails out of our "email subscriptions".
 

webbouk

Well-known member
Personally I'd make sure your site is compliant and then wait for the ICO to contact you and when they do post their letter on here.
He's gone from wanting to sue the arse off you to going to report your site, all in a day or so, hot air and no trousers springs to mind.
 

picom

Member
Got my first GDPR request today, from someone who I don't believe is even a member of my site. I asked them to send an email from the email on their account.

THis GDPR is going to be a headache I think, especially if every week we get idiots testing the system out.


This is the email I got,

To Whom It May Concern

In accordance with the rights afforded me by the Data Protection Acts 1988 – 2003 and GDPR 2015, please furnish me with a copy of all data that you hold and process in relation to, but not limited to:

Name 1
Name 2
Name 3


Please furnish these documents to my Solicitors (Address Supplied) within 40 days of date hereof. These documents should be sent to my Solicitor in chronological order, properly indexed, tabulated and paginated.

In the event that you fail to send this information to me within the said period, I will make a formal complaint to the Data Protection Commissioner.

I wish to put you on immediate notice that your website is operating in breach of it's own Terms & Conditions in relation to anonymous posts.

Thank you for your co-operation in this matter.
 

Mr Lucky

Well-known member
Got my first GDPR request today, from someone who I don't believe is even a member of my site. I asked them to send an email from the email on their account.

THis GDPR is going to be a headache I think, especially if every week we get idiots testing the system out.


This is the email I got,

To Whom It May Concern

In accordance with the rights afforded me by the Data Protection Acts 1988 – 2003 and GDPR 2015, please furnish me with a copy of all data that you hold and process in relation to, but not limited to:

Name 1
Name 2
Name 3


Please furnish these documents to my Solicitors (Address Supplied) within 40 days of date hereof. These documents should be sent to my Solicitor in chronological order, properly indexed, tabulated and paginated.

In the event that you fail to send this information to me within the said period, I will make a formal complaint to the Data Protection Commissioner.

I wish to put you on immediate notice that your website is operating in breach of it's own Terms & Conditions in relation to anonymous posts.

Thank you for your co-operation in this matter.
So this is someone claing to have three user accounts on your forum?
 

webbouk

Well-known member
I've got a feeling the Mr Unbugunu from Nigeria is going to have a field day with spurious claims and demands aimed at the owners of websites, many of whom will not have a clue.

Also, never mind the SEO demands, you know the ones, they tell you that your offer of Domain Services is about to expire ...
Wait until the GDPR demands start flooding in, 'Your Domain is in breach of GDPR and you are liable for a fine of $enter_amount, click here to let us help you "
 
Top