GDPR - first ever request

J

JamesAus

Active member
Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113
Click to expand...
We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020
Click to expand...
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Click to expand...
Moderators are volunteers and other members on the site - would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

Any information pertaining to my location (e.g. IP addresse
Click to expand...
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
Click to expand...
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
Click to expand...
How is this personal data?
 
Sort by date Sort by votes
  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Click to expand...
I don't see how discussions about his behavior on your platform, that do not involve his input, would fall under his personal information. The same with emails from staff. This seems to be done out of spite, which is why the requests are overreaching. They couldn't possibly have any right to private conversations between staff as part of GDPR. However, I am not well versed in that particular law. Maybe someone else could shed more light on how this individual thinks he is entitled to copies of third party conversations.
 
Upvote 0 Downvote
I wouldn’t send any data from about him from the mods etc.

you can export his data via xf into an xml

xenforo.com

Upcoming changes for GDPR compliance in XF1 and XF2

The General Data Protection Regulation (GDPR) is soon upon us. But, what is it? Does it apply to your site? How can XenForo help you with compliance in the key areas of the regulation? This "Have you seen" thread will aim to clear up some of these questions, and give you a preview of what is...
xenforo.com xenforo.com

beyond than I don’t think he has any rights to the other data.
 
Upvote 2 Downvote
StryGuardian said:
I don't see how discussions about his behavior on your platform, that do not involve his input, would fall under his personal information. The same with emails from staff. This seems to be done out of spite, which is why the requests are overreaching. They couldn't possibly have any right to private conversations between staff as part of GDPR. However, I am not well versed in that particular law. Maybe someone else could shed more light on how this individual thinks he is entitled to copies of third party conversations.
Click to expand...

Thanks for your thoughts there, certainly appears to be done out of spite with the nature of the request. Especially as it's a long term member who knows the position of the site. Hopefully, someone who knows a bit more about how I could approach this could drop in with some thoughts.
arn said:
I wouldn’t send any data from about him from the mods etc.

you can export his data via xf into an xml

xenforo.com

Upcoming changes for GDPR compliance in XF1 and XF2

The General Data Protection Regulation (GDPR) is soon upon us. But, what is it? Does it apply to your site? How can XenForo help you with compliance in the key areas of the regulation? This "Have you seen" thread will aim to clear up some of these questions, and give you a preview of what is...
xenforo.com xenforo.com

beyond than I don’t think he has any rights to the other data.
Click to expand...

Is that through the "Export a User function"?
Brogan said:
I'm not au fait with GDPR, but a forum I am a moderator of has this requirement for the mod forum.



;)
Click to expand...

I'm happy to comply with his request, but don't want to go overboard as this person to me is trying to be difficult.
 
Upvote 0 Downvote
1. export the data for that member from the database

2. only after the export, use the delete option for that member with the "deleted member 123456" option: once you do this, all his information including IP addresses is deleted from the database

As far as I know (and I have worked with GDPR requests), that is all the information you need to provide.
 
Upvote 0 Downvote
Tell him he doesn't seem to underatand what constitutes "personally identifiable information" under the GDPR rules. Could he please update his request as it's not currently a valid request. If he wishes you to advise him on what constuitutes a valid request then you're happy to do so for an admin charge of X.

Yes, we've dealt with lots of GDPR idiots :p
 
Upvote 0 Downvote
Interesting how you will answer if the user already has an account deleted? as there is nothing to export. Also regarding XML file, do you just easy transfer to PDF using online tools ?
 
Upvote 0 Downvote
FaustVasea said:
Interesting how you will answer if the user already has an account deleted? as there is nothing to export. Also regarding XML file, do you just easy transfer to PDF using online tools ?
Click to expand...
I had that happen once. I simply replied that since the user had previously requested that his account be deleted, all information about him was deleted from the database and thus there was no information in the database that could be exported.

Re: request for a PDF version - provide the XML version in a zip file and email that. He can do his own conversion. Your obligation is complete once he is deleted from the database.
 
Upvote 1 Downvote
djbaxter said:
I had that happen once. I simply replied that since the user had previously requested that his account be deleted, all information about him was deleted from the database and thus there was no information in the database that could be exported.

Re: request for a PDF version - provide the XML version in a zip file and email that. He can do his own conversion. Your obligation is complete once he is deleted from the database.
Click to expand...

Thanks a lot for your information and explanation.
 
Upvote 0 Downvote
djbaxter said:
1. export the data for that member from the database

2. only after the export, use the delete option for that member with the "deleted member 123456" option: once you do this, all his information including IP addresses is deleted from the database

As far as I know (and I have worked with GDPR requests), that is all the information you need to provide.
Click to expand...

Thanks a lot for your response, I'll do option 1 and see what happens, and if starts causing trouble, will go ahead with 2.
RobParker said:
Tell him he doesn't seem to underatand what constitutes "personally identifiable information" under the GDPR rules. Could he please update his request as it's not currently a valid request. If he wishes you to advise him on what constuitutes a valid request then you're happy to do so for an admin charge of X.

Yes, we've dealt with lots of GDPR idiots :p
Click to expand...
Haha nice approach! How have you gone with the GDPR idiots? Care to share any of your emails, or how the conversations have involved?
 
Upvote 0 Downvote
And, while its always good to follow as closely to the law as possible, this particular law primarily was built around the large tech companies and the idea of ownership around user data. It's interpretations and case laws are fairly vague and minute at the moment, and serious damages are highly unlikely for any smaller online forum or community. (not sure how big your community reach is, forgive any assumptions)

In other words, if you do not want to bend over backwards for this user, complying with the basics that even XF has out of the box is sufficient imo. They would have to take you to a court which will have to hear it first of all, then they would have to claim you were in breach, then they would have to determine the damages (skipping some steps ofc). And the damages would be quite hard to determine for an individual user. It just doesn't seem like a threat, no matter how formal their request looks. Though again certain people it is best not to argue. Anyone can sue anyone for any reason after all.

Am I to (again) assume you might be Austrialian (from username)? I did a quick search and could not tell how it was being adopted in Australia but of course the idea here is that on the internet you "do business" with EU residents, and therefore must comply on that reason alone. Not sure where the user in question is from, but technically if they are outside the EU then I'm not entirely sure how far you would need to or want to comply with their demands.

^ If anyone can substantiate that let me know, as I am ofc not a lawyer and not entirely sure if that is true or not.
 
Upvote 0 Downvote
Mike Creuzer said:
And, while its always good to follow as closely to the law as possible, this particular law primarily was built around the large tech companies and the idea of ownership around user data. It's interpretations and case laws are fairly vague and minute at the moment, and serious damages are highly unlikely for any smaller online forum or community. (not sure how big your community reach is, forgive any assumptions)

In other words, if you do not want to bend over backwards for this user, complying with the basics that even XF has out of the box is sufficient imo. They would have to take you to a court which will have to hear it first of all, then they would have to claim you were in breach, then they would have to determine the damages (skipping some steps ofc). And the damages would be quite hard to determine for an individual user. It just doesn't seem like a threat, no matter how formal their request looks. Though again certain people it is best not to argue. Anyone can sue anyone for any reason after all.

Am I to (again) assume you might be Austrialian (from username)? I did a quick search and could not tell how it was being adopted in Australia but of course the idea here is that on the internet you "do business" with EU residents, and therefore must comply on that reason alone. Not sure where the user in question is from, but technically if they are outside the EU then I'm not entirely sure how far you would need to or want to comply with their demands.

^ If anyone can substantiate that let me know, as I am ofc not a lawyer and not entirely sure if that is true or not.
Click to expand...
Thanks for the detailed response Mike - appreciate it.

It's a relatively small online forum, not large at all, but this member seems hell-bent on causing trouble for my site.

Yes, I'm in Australia, the member in question who sent the email is in the UK, and my server is hosted in Texas, USA.
 
Upvote 0 Downvote
Dude clearly is blowing smoke. GDPR has nothing to do with what other users content "about" them. Send them their personal information (a link to their profile and posts) and call it a day.
 
Upvote 0 Downvote
Firstly check that the email address he sent the request from is the one he has in his profile.

If not send a reply stating that in line with Data Protection you can only comply with any GDPR requests if the requester is submitting that request from the email address they use within their member profile, or if the request is made whilst logged in.

Or words to the effect of

I covered it all at length in a past thread/post and it's not failed me in several requests

The big point to make is keep any replies short, polite, to the point, and don't enter into discussion as this is what they want you to do.
 
Upvote 0 Downvote
webbouk said:
Firstly check that the email address he sent the request from is the one he has in his profile.

If not send a reply stating that in line with Data Protection you can only comply with any GDPR requests if the requester is submitting that request from the email address they use within their member profile, or if the request is made whilst logged in.
Click to expand...

That's a great point, he's been a member of my forum for 14 years which makes the tone of the request even more odd. What I believe is that he no longer has access to the email address within his profile.

webbouk said:
The big point to make is keep any replies short, polite, to the point, and don't enter into discussion as this is what they want you to do.
Click to expand...

Again, a very great point.

webbouk said:
I covered it all at length in a past thread/post and it's not failed me in several requests
Click to expand...

Would you mind linking me to that?
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

Mr. Jinx
GDPR user request regarding private converstation
Replies
3
Views
443
Mr Lucky
Mr Lucky
Stuart Wright
  • Question Question
XF 2.1 GDPR SAR subject access request queries
2 3
Replies
51
Views
5K
Chris D
Chris D
H
Removing trolls personal details with a GDPR request
Replies
3
Views
557
Sperber
S
xpl0iter
Creating my first ever addon
Replies
13
Views
1K
Chris D
Chris D
TheBigK
  • Question Question
XF 1.1 Display Ads After First & Every Fifth Post On All Pages In Thread
Replies
3
Views
780
TheBigK
TheBigK
Back
Top Bottom