GDPR - first ever request

JamesAus

Active member
Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113
We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site - I would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
I wouldn’t send any data about him from the mods etc.

You can export his data via XF into an XML.

Beyond that I don’t think he has any rights to the other data.
 
  • Posts made about me in the moderators forum (made between August 2006 and August 2020)

Exempt from disclosure as doing so would provide third parties' information (without their consent) (your moderators).


You could also try to say it would break the confidentiality of the moderators by disclosing information they would have expected to keep private.


  • Emails between moderators in which I am discussed (between August 2006 and August 2020)

As above.

  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)

You can reject that on the basis that it would be "impossible" as your emails are only kept for X period of time (if at all).

You could also reject it on the grounds that it is manifestly excessive, even if those emails were kept, given it is asking for 14 years of information.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)

Reject on the basis that, again, it's manifestly excessive and overreaching. "What does 'etc.' entail?"

  • How many infraction points I currently hold.

Easy to provide.


All in all, how you haven't renamed and deleted this person from your site is beyond me.
 
Interesting: how would you answer if the user has already had their account deleted, as there is nothing to export? Also, regarding the XML file, do you just easily transfer it to PDF using online tools?
I had that happen once. I simply replied that since the user had previously requested that his account be deleted, all information about him was deleted from the database and thus there was no information in the database that could be exported.

Re: request for a PDF version - provide the XML version in a zip file and email that. He can do his own conversion. Your obligation is complete once he is deleted from the database.
 
First things first, before you do anything else - permanently ban him!

No reason, nor excuse - it's your site; he wouldn't be welcome in your home - get rid of him.

He is not part of your community; he is there to cause trouble within it and for you.

(I'll read the rest of the posts later)
 
I'm sorry to disagree with you:

I'm planning to reach out to this member and have a chat with him and try and resolve this in a friendly way - will not happen, this time or in the future.

I'm being stupid - respectfully - yes.

but if something can be worked out in a friendly way, I'm up for trying just so the whole thing can go away. - it will never go away, as he's already done the dirty on you and it will happen again, or he'll brag to his online mates and get them to do the same.


There comes a time when you have to be hard, act hard, go in hard - you'll thank yourself for it later.
 
And I suspect if it was to cost him anything he wouldn't pursue it either - he's a troublemaker, and bullying you; he's doing this because he can. Look at it as him vs the moderating team: as long as he's a member he's sticking two fingers up at them and you and laughing about it.
 
He could argue the deletion of his data was unlawful in the European Union

On what basis? It is your site, what you decide to do with the data created on it is entirely up to you. Could you imagine if when site owners close their sites down the members could sue them for "loss of data"? It would be absurd.

Honestly I would just comply with the ICO as cleanly as possible then delete him.
 
Maybe interesting to @JamesAus, here's a couple of excerpts from the ICO page regarding right of access, if you want to turn the sword around:

Can we ask for ID?

Yes. You need to be satisfied that you know the identity of the requester (or the person the request is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity. The timescale for responding to a SAR does not begin until you have received the requested information. However, you should request ID documents promptly.
Make him prove that he's actually who he says he is. Most individuals will be very reluctant to share their ID with you, but if you have any information that would be present on his ID that is also in your system, request a copy of his ID so you can "verify his request". Start with something as simple as proving his physical location.

How do we find and retrieve the relevant information?

You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.
Most of his requests are unreasonable and excessive and go far beyond personal data that you can share. Search up a little bit more than you're legally required to give him, then deem the request "unreasonably excessive" and proceed with the below.

Can we charge a fee?

Not usually. In most cases you cannot charge a fee to comply with a SAR. However, you can charge a ’reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.
Charge him money; that's where you hurt people. Especially when he comes back in the future with additional requests.
 
I'm not sure how valid the reports are...

I've just run the report on my website and the scan seems to bypass the cookie controls in place and looks for cookies in the code, circumventing the cookie acceptance notices, which are plain to see.

Bearing in mind Cookiebot is a commercial website, one has to wonder if their method of reporting is biased in their favour, as it does not reflect the controls an actual person sees.
 
But the question of whether or not Cookiebot has actually downloaded the cookies or simply found references to them has not been answered.
I could walk past a Porsche showroom and see a number of models for sale on display; it doesn't mean they are mine unless I have accepted them.
So have any cookies actually been sent to the user's system, or are they awaiting the user to click to accept them?
 
  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
I don't see how discussions about his behavior on your platform, that do not involve his input, would fall under his personal information. The same with emails from staff. This seems to be done out of spite, which is why the requests are overreaching. They couldn't possibly have any right to private conversations between staff as part of GDPR. However, I am not well versed in that particular law. Maybe someone else could shed more light on how this individual thinks he is entitled to copies of third party conversations.
 
I don't see how discussions about his behavior on your platform, that do not involve his input, would fall under his personal information. The same with emails from staff. This seems to be done out of spite, which is why the requests are overreaching. They couldn't possibly have any right to private conversations between staff as part of GDPR. However, I am not well versed in that particular law. Maybe someone else could shed more light on how this individual thinks he is entitled to copies of third party conversations.

Thanks for your thoughts there, certainly appears to be done out of spite with the nature of the request. Especially as it's a long term member who knows the position of the site. Hopefully, someone who knows a bit more about how I could approach this could drop in with some thoughts.
I wouldn’t send any data about him from the mods etc.

You can export his data via XF into an XML.

Beyond that I don’t think he has any rights to the other data.

Is that through the "Export a User function"?
I'm not au fait with GDPR, but a forum I am a moderator of has this requirement for the mod forum.



;)

I'm happy to comply with his request, but don't want to go overboard as this person to me is trying to be difficult.
 
1. Export the data for that member from the database.

2. Only after the export, use the delete option for that member with the "deleted member 123456" option: once you do this, all his information, including IP addresses, is deleted from the database.

As far as I know (and I have worked with GDPR requests), that is all the information you need to provide.
 
Tell him he doesn't seem to understand what constitutes "personally identifiable information" under the GDPR rules. Could he please update his request, as it's not currently a valid request? If he wishes you to advise him on what constitutes a valid request then you're happy to do so for an admin charge of X.

Yes, we've dealt with lots of GDPR idiots :p
 