GDPR discussion thread

In fact I think I'll register a domain gdpr.... and start mailbombing websites with demands - whoops judging by the number of gdpr related domains registered it looks like others have already cottoned on to the idea
 
So this is someone claiming to have three user accounts on your forum?

I don't even think they have 1 account, more so they are just looking to cause some sort of trouble. I believe they have an issue with a relative that posts on my site and trying to force us to ban that member to settle their family feud.


Incidentally, I just received a response from them after sending an email requesting they validate their id for the requested information.


My reply to their Original request.


Dear XXXXX

In reply to your contact,

As I understand you have requested information relating to 3 people named within your contact to us.

Under the law, I am only able to process requests by the named person who requests information about themselves. We are not allowed to pass on information relating to anyone else who is a third party.

In regards to yourself, as I understand you are not a member of the site, thus we would hold no information relating to you. If you are a member please could you send a data request directly from the email address that is currently associated with your account including the username that you use? We will then forward a copy of all the information we hold on that username and account directly to you by email.

You further claim that our site is in breach of our own terms and conditions relating to anonymous posts, please could you be more specific so that we may further assist you.

Then they replied with this

I am disappointed with your Company's responses to my communications to date.

As a Data Controller/Processor you should be aware that the perceived rights of your members are legally framed within the Data Protection and general GDPR regulation, and your role is to consider the rights and entitlements (and statutory protection) of subjects outside of your membership, specifically in the areas of content and named persons.

Please be aware that I have employed the services of a Solicitor in related matters, and will have no hesitation in initiating legal proceedings if your company does not respond in the spirit of the Law.


Like most my site is run as a hobby, we are not a business other than making some money from Google ads and donations to keep the site running.
 
I've got a feeling the Mr Unbugunu from Nigeria is going to have a field day with spurious claims and demands aimed at the owners of websites, many of whom will not have a clue.

Also, never mind the SEO demands, you know the ones, they tell you that your offer of Domain Services is about to expire ...
Wait until the GDPR demands start flooding in, 'Your Domain is in breach of GDPR and you are liable for a fine of $enter_amount, click here to let us help you'

I get loads of those, mainly asking for £85 per domain. It almost caught me years ago when it first happened as it looked so official, luckily I rang my host who educated me to the fact that they auto renew for £2 a year.

With GDPR, we may get a whole raft of bogus GDPR lawyers asking similar amounts, small enough that you don't go to a real lawyer (at £200 an hour) to check it out. Or else they will offer a quick settlement out of court, ie blackmail.

Hopefully this kind of behaviour will be reported and force clarification or amendment to the law.
 

Personally, I'd just repeat the email you've sent and leave it at that.
I very much doubt you will get a solicitor's letter, even if your mail address is on your site.
A solicitor cannot send a legal document via email as there is no proof that the intended recipient has received it, even acknowledging receipt via your email client is not proof as anyone could have opened the email.

If a letter arrives on your door mat, scan and paste it in here, I won't hold my breath.
 
Try sending them your own request for YOUR PII data from them to be sent to you in a machine readable format. :p

Seriously though that is someone throwing big words around and hoping something sticks. You sent them an email asking for verification of account ownership but it seems they’ve ignored that, you’ve done your part.
 
What homework do they do? I just opened up my website last month, so I only have about 100 registered members with only a handful of posts. I have a trade name with the name of the "company" but no links to the tradename info. I'm not too worried about getting a GDPR notice, but, frankly, I have no clue how to purge IP addresses or do whatever is requested because I am new to this XenForo world. (I need to research more on GDPR.)

So, what address would they send an official notice to? Website email? The registered domain email? Business address?

I wish I was more knowledgeable on... well... everything. (I'm gonna really start reading up.)
 
If it was a member you would expect them to email the admin or use the contact us form.
If a solicitor or a legal challenge they would have to use the postal address either directly or indirectly via your host or the contact address in your 'whois' domain information https://www.whois.com/whois/
 
I know that when you delete a user, you can rename them to a different unknown user. The work is still there to go through their posts and look for other personal info. Is it wrong to have the requester fill out a form specifying which posts contain information to be removed? Would it be against GDPR to have that happen... put the workload on the person requesting removal?
 
Over time we've had several requests to remove information from posts, prior to GDPR implementation and that is the approach we have - put the onus on the person to identify the posts that need deleting or editing.
You'd not be surprised how unimportant their request becomes when they find that they have to do the leg work.
 
I already have some forms for people to fill out on my website. Maybe I'll simply add another one for GDPR requests with a place for them to complete all posts requiring edits. I'll throw a link to it within the privacy policy or FAQ. I wonder if that might appease the GDPR gods.
 
I know that when you delete a user, you can rename them to a different unknown user.

Obviously at this stage almost everything is still open to some degree of interpretation but I'd say that wouldn't satisfy the regulations.

If you delete a user then generally they are gone along with all their details and post history so there would be nothing left to rename. If however you anonymize a user by renaming them thus leaving elements of their account intact, you should probably anonymize their user name properly i.e. I don't believe you can simply substitute one unique user name for another.
 
That's where much of this is up for interpretation. If you anonymize the user, remove the email address, and ip address, the only thing that could possibly be considered personal identification information is something in their posts, but not all their posts would be PII.
 
I noticed that in one of the last updates of XenForo 2.0, when you go to delete a user, it asks if you want to anonymize that user instead. I think that's great in terms of keeping the information that they posted.
 
That's where much of this is up for interpretation.

It really is at this stage and that applies to some extent with the commissioning bodies tasked with administrating the regulation. That is until the regulation is tested in a court of law.
 

This is a bluff. People who hire attorneys.... don't do the talking. Their attorneys do. That's the first thing any attorney will tell a client... "cease direct communications with the other party and have them go through us."
 

I think people should part ways with the EU, oh wait, they already are, some EU companies have already shut down as they felt that they could not comply with GDPR, and some newspapers are shutting down access to EU citizens, and I think FB did the right thing, some tech giant needs to stand up for their rights rather than someone across the pond telling them they have no rights, so here is your multi-billion fine, sooner or later GDPR/EU will start coming around and see this is going to affect business in a negative way, until then, sue me, I have nothing anyways....
 
some EU companies have already shut down as they felt that they could not comply with GDPR,

Which companies are they?

I haven't heard of any companies closing down as a result of not being able to comply unless they're a small non-profit making concern which I could understand. They might choose to use GDPR as an excuse to close a failing business, but from a business perspective if one cannot comply with GDPR yet the business is profitable, then the path to follow would be to continue trading until such time that the business was hit with a big fine and then to liquidate the business on the grounds of not being able to meet its financial obligations - ie GDPR forced the business to close.
 