@RobParker
Under GDPR I am entitled to ask for you to do this, and cite the following reasons:
* the personal data I gave you is no longer necessary for the purpose which you originally collected or processed it for; as I was banned as a member of your site and you therefore do not need my data
* you are relying on my consent as your lawful basis for holding the data, and I hereby withdraw consent;
* you are relying on legitimate interests as your basis for processing; I object to the processing of my data, and as I am no longer active on your site and do not wish to be, there is no overriding legitimate interest to continue this processing.
Let's look at a few things, as he's provided you with information that is gold.
"Originally collected or processed": if you are like me, you mostly use that information to do a few things:
- Make sure he's not a spammer (at sign up if you check against those databases)
- To ensure a one-account policy
- To keep your members' rights and freedoms safe from scammers, fraud, and any malicious activity, including breaking the rules in your TOS/board rules.
With that information, these are the exceptions that allow you to continue holding his data (linked to the specifics, quoted the lines I think are relevant, and bolded the more relevant stuff):
https://gdpr-info.eu/art-21-gdpr/
Right to object
(6) Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
https://gdpr-info.eu/art-17-gdpr/
(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims
https://gdpr-info.eu/recitals/no-47/
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
A lot of what this law allows us to do is in regards to protecting our users (see the underlined "fraud" above). And more on protecting our users:
https://gdpr-info.eu/recitals/no-49/
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.
As for the analytics-type data your privacy policy lists:
- browser type and version
- operating system
- referral source
- length of visit, page views, website navigation and any other related browsing activity
There are exceptions and I would have to look them up again, but keeping data and statistics for historical purposes I believe is an exception to what he's requesting. Plus, I'm not sure, if you are using GA, that you can tie any of this data to his actual account. I haven't looked into the depths of GA for things like that, as I'm more interested in trends than in what a single user is actually doing when coming to the site. I'm not sure that you can even go into GA and say "erase any info from xx IP address".
Lastly, here comes the irony. I would ask to see his government issued ID, a picture of him holding it with a date (so he can't just pull one off the internet), as well as a recent bill to prove he still lives within the EU. You have to know if he's actually in the EU or not to know how to take action and that seems to be the only way. Here's the info on the Right to Erasure (to be forgotten):
https://gdpr-info.eu/issues/right-to-be-forgotten/
Now view paragraph 5, 2nd sentence: "However, the identity of the impacted person must be proven in a suitable way, as otherwise additional information could be requested from the responsible party, or the erasure could be refused."
This also means that either you have to let him log back into his account to prove it, or he has to email you from his "old" email address. And if he doesn't have the old email address, I believe IP addresses would have to be used in combination with other "personal data" to actually be considered "personal data". Otherwise, if you just have an IP address, who's to say it isn't someone else in his household? It talks about identifying a "natural person"; thus, if there is more than one person in his household, you couldn't tie that to a single person with just the IP address.
What I'm going to be doing here on my site shortly is opening up the ticket system to banned members and only giving them the option to discuss the Right to Erasure. This can prove their access to their account. By the same token, we will be allowing them to go in and remove any of the profile fields they filled out, and the plan is to figure out a way to make it so they can ONLY view THEIR content that they've posted on the site, allow them to search through that for any personal data they may have submitted to the public, and allow them to request deletion of it. Everything else (all the other info like email, IP), especially for banned users, is kept to prevent them from using the site again. For users with warnings, it's to make sure that we preserve the rights and freedoms of our other members so they don't fall victim to fraud or scams or malicious programs posted publicly or privately to other members.
We will obviously pull those types of emails out of our "email subscriptions".