GDPR discussion thread

Whois violates GDPR...

They may well do but probably a lot less so now. ICANN's request for a delay to comply with GDPR was turned down and as a result they have been forced to strip out most of the information on their site. This has not gone down too well with cyber-security firms and law enforcement agencies.
 
Got my first GDPR request today, from someone who I don't believe is even a member of my site. I asked them to send an email from the email on their account.

This GDPR is going to be a headache I think, especially if every week we get idiots testing the system out.


This is the email I got,

To Whom It May Concern

In accordance with the rights afforded me by the Data Protection Acts 1988 – 2003 and GDPR 2015, please furnish me with a copy of all data that you hold and process in relation to, but not limited to:

Name 1
Name 2
Name 3


Please furnish these documents to my Solicitors (Address Supplied) within 40 days of date hereof. These documents should be sent to my Solicitor in chronological order, properly indexed, tabulated and paginated.

In the event that you fail to send this information to me within the said period, I will make a formal complaint to the Data Protection Commissioner.

I wish to put you on immediate notice that your website is operating in breach of its own Terms & Conditions in relation to anonymous posts.

Thank you for your co-operation in this matter.


In situations like this, I just put the ball back in their court with a quick letter. Any arguing back and forth is pointless and is just what they want. Once I've sent this letter I will only respond if the claim is escalated but of course, they rarely are, and I enjoy imagining them reading my letter :) . Here it is, feel free to copy it :)

Dear Mr Prat

Thank you for your letter of .... We have carefully considered your claim against us and now consider the matter closed.

Yours etc...
 
Which companies are they?

I haven't heard of any companies closing down as a result of not being able to comply unless they're a small non-profit making concern, which I could understand. They might choose to use GDPR as an excuse to close a failing business, but from a business perspective, if one cannot comply with GDPR yet the business is profitable, then the path to follow would be to continue trading until such time that the business was hit with a big fine and then to liquidate the business on the grounds of not being able to meet its financial obligations, i.e. GDPR forced the business to close.

You haven't heard?
Was someone supposed to call and inform you?
Go read some GDPR lawsuit articles....
 
In fact I think I'll register a domain gdpr.... and start mailbombing websites with demands. Whoops, judging by the number of GDPR-related domains registered it looks like others have already cottoned on to the idea.

GDPRPolicy.com is for sale
($2,095)

GDPRSucks.com
(has been taken)

not my domains...
 
Haha he’s really angry. He’s reporting us to the ICO in a month and will “get our site shut down”.

Any suggestions on what I actually do if/when we hear from the ICO?

"I'm going to report you in a month"?

Like, why wait? Obviously just blowing smoke.
 
Part of that article

That would appear to be a commonsense response to a law that can see the company fined millions of dollars for failing to keep personal details private. But it earned the ire of several companies that make a living from accessing such details.

Those ired companies are surely the fraudsters that send you official-looking letters that attempt to charge you £100 to renew your domain?
 
Part of that article

Those ired companies are surely the fraudsters that send you official-looking letters that attempt to charge you £100 to renew your domain?

There are actually a great many legitimate reasons for looking up WHOIS information. For instance, finding a contact to send a copyright infringement notice to, identifying a domain as part of a large set of throwaway domains used for spam, and so forth. Security companies make extensive use of WHOIS data.
 
Just wait until GDPR trolls go after firewalls, routers, spam honeypot services, SMTP RBL services, and the like. So much of what makes the Internet useful relies on logging data.

Worst case I'll write an add-on, but would prefer it was something built in.
 
There are actually a great many legitimate reasons for looking up WHOIS information. For instance, finding a contact to send a copyright infringement notice to, identifying a domain as part of a large set of throwaway domains used for spam, and so forth. Security companies make extensive use of WHOIS data.

Yes, I'm aware of that, but surely you can hide your data there merely by paying a bit extra. Anyone spamming or file sharing would have paid that extra £10 or whatever.
 
Anyone spamming or file sharing would have paid that extra £10 or whatever.
I wanted it for my privacy. Too many nut jobs on the internet that were trying to steal my identity as well as anyone in my family. So paying the extra for that security had helped me a ton.
 
For me, privacy wasn't the issue. I operate my forums from one of my LLC companies, and it does not use my home address. I registered mine private because of the enormous amount of spam I receive when my email address is visible on WHOIS.
 
So does every website have to implement this? What if my site is U.S. based? My forum is not a business as well. Does this mean I am exempt? Or do I still have to enable it?
 
“This law is applicable to any and all website and forum owners who may have members who reside within the EU with various degrees of uncertainty on what needs to be done to maintain compliance.”
 
“This law is applicable to any and all website and forum owners who may have members who reside within the EU with various degrees of uncertainty on what needs to be done to maintain compliance.”
So as long as I don’t have members from the EU, I am ok then?
 
Correct, but you need to be 100% certain you do not have any EU members, or allow the EU access to the site.
 
You are never 100% certain, because it's not only a matter of where the user resides but also a matter of where his data processing happens. When one of your members, sitting in an airplane from the U.S. to another non-EU country, flies over an EU country and browses your website, you are obligated at that moment in time to comply with the GDPR BS.

On the other hand, authorities don't look at little forum owners because they do not have infinite time and capacity. German data protection authorities made a list for the article 35 "Data protection impact assessment" that imho covers pretty well the fields they will look at:

- social networks
- dating, contact and rating portals
- mobility services and optoelectronic registration of public areas by vehicles, which is necessary for networked and autonomous driving
- insolvency registers and debt collection services and scoring by credit agencies, banks and insurance companies
- big data analyses of customer data that are enriched with third party sources
- offline tracking of customer movements in department stores, traffic flow analyses using mobile phone data and the geolocalisation of employees, for example via vehicles or work equipment

source: https://www.heise.de/newsticker/mel...Aufsichtsbehoerden-konzentrieren-4060400.html

But competitors finking or suing each other is another matter. :(
The first law firms report warnings because of alleged violations of the new EU data protection basic regulation (DSGVO). This concerns complaints from companies about websites of competitors.

What many German legal experts feared is imminent: The new basic EU data protection regulation (DSGVO) apparently invites companies to send a reminder to competitors with costs because of incorrect implementation of the new regulations. Two law firms reported today that they received their first warnings with costs, which were already received on 25 May - the day the DSGVO became valid.

source: https://www.heise.de/newsticker/meldung/DSGVO-Die-Abmahn-Maschinerie-ist-angelaufen-4061044.html

DSGVO = German term for GDPR
 
So the user we banned finally reported us to the ICO as they sent a letter asking us to review how we handled it.

They said I need to inform the user how they can verify their identity given they no longer have access to the email address on the account. Any ideas? @Chris D @Slavik

Also, is the data exported by XF the full extent of what I need to send for a subject access request? That doesn't include IP addresses etc., do I need to also provide them? If so, can someone suggest an SQL query that will list a user's IP addresses.

I’ve got 10 days to respond to this (and am on holiday!) so any advice would be great :-)
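A query of the kind asked about in the post above, added here as an illustration; it is not code from the thread or from XenForo itself. It assumes the XenForo 2 `xf_user` and `xf_ip` tables as I know them (`xf_ip` holding `user_id`, `content_type`, `content_id`, `action`, `ip` as raw 4- or 16-byte binary, and `log_date` as a Unix timestamp), a MySQL or MariaDB server with `INET6_NTOA`, and the placeholder username `example_user`. Both the table layout and the username are assumptions to confirm against your own installation (for instance with `SHOW CREATE TABLE xf_ip`) before the output goes into a subject access response.

```sql
-- Added example: list every IP address XenForo has logged against one account,
-- with when and for what action, to support a subject access request.
-- Assumptions (verify against your install): XenForo 2 schema for xf_user and
-- xf_ip, MySQL 5.6.3+ / MariaDB 10.0.12+ for INET6_NTOA, and the placeholder
-- username 'example_user'. Read-only: nothing here modifies data.

-- 1. Full log: one row per recorded event, oldest first.
SELECT
    u.user_id,
    u.username,
    INET6_NTOA(i.ip)             AS ip_address,  -- ip column holds raw bytes, not text
    i.content_type,                              -- what the event was attached to
    i.content_id,
    i.action,                                    -- e.g. login, register
    FROM_UNIXTIME(i.log_date)    AS logged_at    -- log_date is a Unix timestamp
FROM xf_ip AS i
JOIN xf_user AS u ON u.user_id = i.user_id
WHERE u.username = 'example_user'
ORDER BY i.log_date;

-- 2. Compact summary for the response itself: each distinct address once,
--    with first and last seen dates and how many log rows it appears in.
SELECT
    INET6_NTOA(i.ip)                 AS ip_address,
    MIN(FROM_UNIXTIME(i.log_date))   AS first_seen,
    MAX(FROM_UNIXTIME(i.log_date))   AS last_seen,
    COUNT(*)                         AS occurrences
FROM xf_ip AS i
JOIN xf_user AS u ON u.user_id = i.user_id
WHERE u.username = 'example_user'
GROUP BY i.ip
ORDER BY first_seen;
```

Two practical points when using something like this: take the output from a read-only session against the live database (or a fresh backup), so the evidence you hand over matches what the site actually holds; and note that if an IP retention or pruning setting has already removed older rows, those earlier addresses are simply gone and should be described as such rather than reconstructed.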
 