GDPR discussion thread

Didn't the GDPR also have a clause that you may refuse to delete certain pieces of PII that are relevant to the security of your website and any other legal requirements such as tax?

If someone could request deletion of IP addresses, that would make ban evasion way easier as a banned member could just say "delete my info" then re-register.

I have to imagine that IF IP addresses are considered PII, then they are exempt when they are used to corroborate tax declarations and/or used for account security.


Fillip
 
@DragonByte Tech yes you're correct. If there is a justifiable 'need' to retain certain pieces of PII then you can do so; the key word is 'justifiable', so you would be justified in retaining whatever PII is required in order to facilitate your services (aka your website lol). Provided you retain this information securely, as you would any other information, then you are entitled to do so. As for tax and other legal reasons, then yes, you are not just justified in keeping that information, you may be required to do so by law.

;)
 
Ok, maybe it is not as worrying as I think, but there are little details which I don't know how to set up.

For example, the contact form. Does anybody know how to add a required checkbox to the standard contact form? The email address is collected in that form, and because of that we have to add a checkbox to collect the consent of the user and accept the privacy policy, like in the register form.

I agree that a newsletter is not a standard feature of XenForo, but the contact form is.

Thank You for your attention.
 
Ok, maybe it is not as worrying as I think, but there are little details which I don't know how to set up.

For example, the contact form. Does anybody know how to add a required checkbox to the standard contact form?

I'm not sure you need a required checkbox re: the Privacy Policy as it's only the email address that is being collected. But it could well be worth adding some text to the contact_form template

"Why do we need your email address?"

"So that we can reply to your query"

However I can see that requiring them to have agreed to the Privacy Policy may be a good idea anyway, can't do any harm.
 
Well this time, I'm pretty sure that a contact form needs a checkbox to observe the GDPR. The contact form collects personal data: the email address (and maybe the real name of the sender). And because of that, the user has to consent to it explicitly.

I will try to edit the contact_form template. Thank you for the hint.
 
The contact us form does not collect their email address. Asking for the information so it can be used as the sender email is not the same as collecting, since the address isn't stored anywhere.


Fillip
 
Hi!

I don't want to argue, but I (and the lawyer whom I paid for the audit) think that this is collecting, because you receive an email with the email address of the sender, and it will be stored in your Outlook, Gmail, or whatever until you delete it (if you delete it).

Take a look at what WordPress takes into account as personal data. And definitely all WP users are changing the contact forms to adapt them.

It is not processing, because it will not be stored in a table in a database and used, for example, for a newsletter, but it is collecting in any case.

As said, I don't want to argue about what is collecting and what is not (is "argue" the right word? my English is so poor :S ), and I have bought "peace of mind" by adding the checkbox to the contact form. It was not difficult in the end.

Thanks!
 
I don't want to argue, but I (and the lawyer whom I paid for the audit) think that this is collecting, because you receive an email with the email address of the sender, and it will be stored in your Outlook, Gmail, or whatever until you delete it (if you delete it).
No offense, but that makes no sense at all.
If I call you from my phone, and most phones today show the receiving phone number, are you now collecting my phone number?
If I write a letter to you, and on the envelope for the letter I write my address and your address so they can deliver it to you, when you receive my mail, are you now collecting my address because my address is on the envelope?

As you see, if you want to contact someone, the contacted person will have some information from you; otherwise you can't contact anyone.

By consciously deciding to use the contact form, willfully putting your e-mail address there, that is an agreement that you are okay to share your e-mail with the receiver. Otherwise just don't use the contact form. He is not collecting it; it is technically required, otherwise there is no contact at all. But you decide if you want to make contact or not (not like cookies or other stuff which gets information about you without your consent). This is with your consent.
 
Hi!

That's a good question. I asked a similar question of my lawyer.

If the purpose of the call/letter/email is private (a friend of yours calls you to go for a beer), the GDPR does not affect you.

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

But if you are some kind of professional with a web site, and the call/email/letter has something to do with your professional activities, then you are under the scope of the GDPR, and the call/letter/email is considered personal data (well, the number, name, address or emails contained in it).

My lawyer explained it to me with a sample: imagine a web site without a contact form, but with the email address to contact in text format (the classical contact me at name@mywebsite.com). Obviously the personal information is not processed anywhere, and you don't need a checkbox because the user has to voluntarily click the email address or copy your email address into the recipient field of an email message to contact with you.

BUT, as soon as the email lands in your inbox, this personal information is in your hands. It makes no difference if the personal information is stored in a mysql database, or in an outlook pst file. You have personal information from a client, and you are liable for it.

With the law in hand, in such a case, you are allowed to retain this information as long as you need it to answer the question of this person, and after that, you have to delete it.

Yes, it sounds crazy, but that's life.

Again, I do not agree with that interpretation of the law, but look at all the things that the WP community is doing to adapt itself to the GDPR. A blog is not so different from a forum.

Regards!
 
Thank you for explaining it fully, appreciated.

I see that they make a difference between private and commercial. So far so good. And also I understand that there is no difference in storing it as sql or mail format. Also so far so good.

But a checkbox on the contact form for the consent of the user does not make much sense. As one consciously decides to write an e-mail, typing your own e-mail address already means that you give your consent. I understand that it is just a checkbox and it is probably better to be safe than sorry, but again, the consent is already implied when you write the e-mail. An extra checkbox shouldn't be needed. As you decide what to do with your information by writing the e-mail, you give your consent. But anyway, it is better to be safe.
 
Yes, you are right. The consent is already implied when you write the email. But consent for what? That's the difference between before the GDPR and now. Prior to the GDPR you could use this email not only to answer the question of the sender, but also for other purposes, for example, adding the email to a newsletter list. Yes, I know, this would not be elegant and maybe not very intelligent, but it could be done.

With the GDPR, the user provides a consent, and theoretically the user has to know for what exactly this consent is for. Because of that some say that it is not enough to provide the checkbox with a phrase "I accept the privacy policy".

Some say that there has to be a little text below the checkbox explaining with accuracy the purpose of the data collection. For example, in a contact form, the info will be used only to answer the user's question and for nothing more. In a subscription form, the info will be used only to add the email to a newsletter list. In a registration form the purpose is to give you an account to access the forum... and so on.

Again, to buy me peace of mind, I modified my forms in this way.

In my research, I saw two tendencies on this topic: the "English" tendency and the European non-English tendency. All the samples and articles talking about the GDPR that I found in the English language say that with a checkbox to accept the privacy policy you are done.

On the other hand, the articles that I found in Spanish, German or French (the other languages I know) all take it a step further, and they do it the hard way: below each form, there has to be a summary explaining at least:

- who is asking for the info (the legal liable person or company behind the form)
- for what this info is collected for
- why you have to provide this information and what happens if you don't do it (for example, if you don't provide an email address, we can not contact you, because of that you have to provide the email address).
- if you are planning to transfer this info to third parties
- the rights of the person about the information he provides...

Take a look at this sample of a contact form of a spanish law firm: https://www.lexblogger.com/contacto/

Sorry that the example is in Spanish; maybe you can use Google Translate to understand what the summary below the form says. In the WP world, everybody is adopting this type of summary for their forms...

Regards.

PS: again, apologies for my English. I'm really at my limit trying to explain how we are doing things here :)
 
Thanks again for explaining it. Your English is good, better than mine for sure, and your explanations are clear and on point.

I see now that they want you to express specifically everything, so in the case above the consent of using the receiving e-mail address only for responding back to it and for no other purposes.

Actually this is a good thing, because many websites in the past, also many shady ones, were selling those mail address they collected over the time. Now it seems that with the new regulations, they want the gray area to disappear. To stop shady things.

I have one more question. For me any website (or forum) which earns money by ads or google AdSense or whatever is operating commercially. So I think all of them, even the tiniest one, which has 1 banner ad, should be seen as commercial.

But what about those sites which are not operating commercially, which are fully non-commercial? No income, no ads, nothing (other than donations). Are they also seen as "professionals"? We established a difference between private and commercial use. But is there a difference between commercial and non-commercial but not private?
I assume the same applies to non-commercial ones, but on the other hand, not operating commercially (as a profession), there should be a difference in treatment. Any information about that?

Thank you.
 
@sbj: I'm sorry but I can not answer your last question. I don't know where the border between a commercial and a pure private website is.

But in the end, in your case I would stay safe and adapt your website to the GDPR. It is not very difficult. You need a new privacy policy, checkboxes in your forms and maybe the text below the forms with the details of who, for what, and so on.

More complicated is the case if you have a newsletter. I gave up mine (9000 active subscribers) because I do not see a clean way to ask for consent from my 9000 subscribers and store it in an organized/integrated way in XF. I will start again from scratch with Sendy or Threadloom, I'm not sure.

Fortunately I'm not an E-Commerce, and the newsletter is not providing me much value...
 
One idea is to send out a mail shot now with an opt in or subscribe button to your entire current mailing list.

If the users want to stay on the mailing list, it's a single click. If not they'll get cleaned from the list when GDPR comes into effect.

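The re-consent mail shot described above (one link per subscriber, a single click to stay, everyone else dropped when the deadline passes) is easy to get wrong if the link can be forged or re-pointed at someone else's address. The following is an added example in Python, not code from the original post, XenForo, or any mailing tool mentioned in the thread: it signs each opt-in link with an HMAC over the address and an expiry, verifies clicks in constant time, records consent with a timestamp, and prunes unconfirmed addresses after the deadline. The secret key, the endpoint URL, the subscriber addresses and the timestamps are all constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values: load the key from a secrets store in real use,
# and point BASE_URL at your own opt-in endpoint.
SECRET_KEY = b"replace-with-a-random-32-byte-key"
BASE_URL = "https://forum.example/optin"

# Constructed sample list: pre-existing subscribers with no recorded consent.
SUBSCRIBERS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def make_token(email: str, expires: int) -> str:
    """HMAC-SHA256 over the normalised address and the expiry.

    Binding the address into the MAC means a link for one subscriber
    cannot be edited to confirm a different address.
    """
    msg = f"{email.strip().lower()}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def opt_in_link(email: str, expires: int) -> str:
    """Build the one-click link that goes into the mail shot."""
    query = urlencode({"email": email, "exp": expires, "sig": make_token(email, expires)})
    return f"{BASE_URL}?{query}"


def verify_click(url: str, now: int) -> Optional[str]:
    """Return the confirmed address if the link is genuine and unexpired, else None."""
    params = parse_qs(urlparse(url).query)
    try:
        email = params["email"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if now > expires:
        return None  # link outlived the re-consent window
    expected = make_token(email, expires)
    # Constant-time comparison; both sides encoded so a non-ASCII sig cannot raise.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return email.strip().lower()


class ConsentLedger:
    """Records when each address clicked, so the consent itself is auditable."""

    def __init__(self) -> None:
        self.confirmed: Dict[str, int] = {}

    def record(self, url: str, now: int) -> bool:
        email = verify_click(url, now)
        if email is None:
            return False
        self.confirmed.setdefault(email, now)  # keep the first click's timestamp
        return True

    def prune(self, subscribers: List[str], deadline: int, now: int) -> List[str]:
        """Before the deadline keep everyone; after it keep only confirmed addresses."""
        if now < deadline:
            return list(subscribers)
        return [e for e in subscribers if e.strip().lower() in self.confirmed]


if __name__ == "__main__":
    deadline = int(time.time()) + 30 * 24 * 3600  # hypothetical 30-day window
    for addr in SUBSCRIBERS:
        print(addr, "->", opt_in_link(addr, deadline))
```

The MAC covers the expiry as well as the address, so an old link cannot be replayed after the window closes, and the ledger keeps the click timestamp rather than a bare flag, which is what you would want to show if a subscriber later disputes having opted in.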
 
@sbj: I'm sorry but I can not answer your last question. I don't know where the border between a commercial and a pure private website is.

But in the end, in your case I would stay safe and adapt your website to the GDPR. It is not very difficult. You need a new privacy policy, checkboxes in your forms and maybe the text below the forms with the details of who, for what, and so on.

More complicated is the case if you have a newsletter. I gave up mine (9000 active subscribers) because I do not see a clean way to ask for consent from my 9000 subscribers and store it in an organized/integrated way in XF. I will start again from scratch with Sendy or Threadloom, I'm not sure.

Fortunately I'm not an E-Commerce, and the newsletter is not providing me much value...
Say a social network that collects information on people with no ads, membership or other means of income and is fully funded by its owner, they are still data controllers. I definitely agree that an email address collected on a contact us form is personal data. An email sent to you also contains personal data (the avatar, email, name for one, and probably things in the body also). Being non-commercial, however, does not exempt you from data protection requirements.

The scope of the GDPR is outlined in Article 2:


Hence, non-commercial activity falls under the scope of the GDPR. Part C prevents this affecting individuals storing contacts on their phone, for example. But it does seem to be given wide scope.

Interesting, but for example SparkPost adds some text for consent in their contact form: https://www.sparkpost.com/sales/
The collection of emails, names and avatars (as sent in an email) are definitely under the scope of the GDPR. Consent is required to process personal data, and since people using the contact form there are probably not already signed up and hence haven't already given consent, it would be required to process personal information even purely for the purpose of contact inquiries. Perhaps you can further go and say that a business or other entity that receives emails directly from customers is also subject to the regulation. Yet, do you think they really expect every little project to register as data controllers?

That said, I think people on this forum have far bigger things to worry about. It isn't just GDPR compliance, you also need to register as a data controller if in the EU, or if outside then appoint a representative to act as a data controller, and this representative needs to be from the EU I think. The registration needs to be maintained. Most forum owners probably don't plan to register, and I bet most in this thread that are still scared of the GDPR after pages of going around nothing specific are not registering either, so there's your basic compliance issue already.
 
and I bet most in this thread that are still scared of the GDPR after pages of going around nothing specific are not registering either,

I am only slightly scared but very confused. As with the recent changes in EU VAT laws for digital downloads, it's the small businesses who cannot afford a lawyer to do their compliance checks, and instead rely on attempting to interpret the lengthy and complex regulations, or wading through all the blogs that attempt to interpret for you or give you easy guidelines.

I'm hoping that what I heard on the radio recently, a spokesperson for the ICO saying their policy will be educative rather than punitive - the heavy fines will be for those companies that continue to flout the rules in spite of a few warnings.

I don't think they will be trawling the internet looking for forum owners and investigating them, however our main worry would be users making vindictive reports.

I have sent out newsletters in the past via Mailchimp in which I make it very clear that if the recipient thinks they are on the list wrongly, then please do use the big unsubscribe link, yet still I got a few abuse reports - some from people who actually opted in and obviously forgot, or else they were just feeling like complaining.
 
I don't think they will be trawling the internet looking for forum owners and investigating them, however our main worry would be users making vindictive reports.

Quite, the reality is most forum owners will never even bump into the GDPR apart from the occasional member who might use it as a way of having a moan.

The likelihood of a forum owner being fined is even slimmer. The only forums which may actually end up being punished punitively are those owned by big parent companies (say, a forum of a game produced by sony or ubisoft etc).
 