GDPR - first ever request

JamesAus

Active member
Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113
We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was, and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site - would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
Thanks for all the information to date, everyone. As a progress update, I sent him this:

We've taken advice, and all that we'll send are your personal details you've provided XXXXXX through your account, along with your IP Address records. These are attached to this email. We have discussed this within the moderation team and we are standing by our decision not to provide members with their infraction points on request, as outlined by the makers of the XenForo software. We now consider the matter to be closed and won't be corresponding further.

If you wish to have any i) posts (self-identifying or otherwise) you have made in the forum in the past edited or ii) posts made by other posters with personal information about you edited to have the same removed, we would be happy to accommodate you if you could direct us to said posts.

He responded with:

Thanks James - no worries.

I've passed it on to the data protection authority.

You'd like to think the regulator would see this for what it is.
 
Just delete him if you haven't done so already, and change his username in the deletion options.

Any future searches will have no bearing on his previous username and that includes all reactions, comments, conversations, etc.
 
Just delete him if you haven't done so already, and change his username in the deletion options.

Any future searches will have no bearing on his previous username and that includes all reactions, comments, conversations, etc.

I haven't deleted him, I thought that would antagonize him and cause more problems.

Is your suggestion to prevent further trouble to delete him?
 
I assume you have already exported his data from the database. Before you go any further, blacklist his email address and IP address in the AdminCP (see below).

I also assume you don't want him back causing trouble on your forum.

Once he is deleted as a member:
  1. you can tell him all his records have been deleted from the database and you have no more data to give him; and
  2. he can no longer log in to your forum.
Watch out for new registrations, though, and blacklist his email address and IP address in the AdminCP. He may come back as a new member to create more chaos for you.
 
Once he is deleted as a member:
  1. you can tell him all his records have been deleted from the database and you have no more data to give him; and
^^ This

I'm not too sure about banning his IP address though, as it is a pretty useless method nowadays, plus you run the risk of blocking other users if the IP is that of a mobile provider, as they're often allocated at random.
 
So I got this yesterday..... I've replied.... Nothing back yet.

27 November 2020

Case Reference: XXXXXXXXXXX

Dear Sir or Madam

We received a data protection concern regarding XXXXXXXXX information rights practices and I am writing to confirm if you would be the appropriate member of staff to direct this concern to.

If you would not be the appropriate member of staff to contact please could you provide me with an email address and direct telephone number to contact them on.

If you wish to discuss any of the above please call me on the number below.


Yours faithfully

XXXXXXXXXXX
Case Officer
Information Commissioner's Office

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
T. 0330 414 6729 ico.org.uk twitter.com/iconews
Please consider the environment before printing this email.

For information about what we do with personal data see our privacy notice at www.ico.org.uk/privacy-notice.
 
Two questions - why would they email you and not write to you if it is an official letter? Have you checked the headers of the email to ensure it has come from them?

Also, if you Google the number on the letter it draws a blank. The number is also different to their actual office number, have you tried calling it?
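
The header check asked about above, as an added example that is not part of any post in this thread: it reads the SPF/DKIM/DMARC verdicts that the recipient's own mail server recorded and flags a Reply-To that leaves the claimed domain. The sample message, the server name `mx.example.net` and the function name `check_sender` are constructed for illustration; it assumes your receiving server adds an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not the email from the thread). "mx.example.net"
# stands in for the forum owner's own receiving mail server.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.mailer-example.com;
 dkim=pass header.d=mailer-example.com;
 dmarc=fail header.from=ico.org.uk
From: "Case Officer" <casework@ico.org.uk>
Reply-To: casework@ico-org-uk.example
Subject: Case Reference: XXXXXXXXXXX

Dear Sir or Madam
"""

def check_sender(raw, trusted_authserv, expected_domain):
    """Return a list of reasons to distrust the claimed sender (empty = none found)."""
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != expected_domain and not from_domain.endswith("." + expected_domain):
        findings.append(f"From domain is {from_domain!r}, not {expected_domain!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To points at a different domain: {reply_to!r}")
    # Only trust Authentication-Results stamped by our own server; a sender can
    # put forged copies of this header into the message.
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, verdict.lower())
    if not results:
        findings.append("no Authentication-Results from our own mail server")
    elif results.get("dmarc") != "pass":
        findings.append(f"DMARC result is {results.get('dmarc', 'missing')!r}")
    return findings
```

An empty result only means none of these checks fired; calling the regulator on the number published on its own website remains the independent confirmation.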

 
Two questions - why would they email you and not write to you if it is an official letter? Have you checked the headers of the email to ensure it has come from them?

Also, if you Google the number on the letter it draws a blank. The number is also different to their actual office number, have you tried calling it?

Good points. Best to be cautious.

That said, I had to deal with one official request from GDPR a while back and they initiated (and continued) the communication via email. Not all forums publish a mailing address.

I also found the GDPR office to be quite reasonable. Remember that the communication was probably triggered by a disgruntled ex-member of the forum and they have an obligation to investigate. That doesn't mean they automatically accept the complaint as valid. I suspect that they view many of the complaints they get as just another entitled whiny dumbass ticked off because he didn't get his own way or got banned.
 