GDPR - first ever request

JamesAus

Active member
Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113

We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site - would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
Interesting how you would answer if the user has already had their account deleted, as there is nothing to export. Also, regarding the XML file, do you just easily convert it to PDF using online tools?
 
I had that happen once. I simply replied that since the user had previously requested that his account be deleted, all information about him was deleted from the database and thus there was no information in the database that could be exported.

Re: request for a PDF version - provide the XML version in a zip file and email that. He can do his own conversion. Your obligation is complete once he is deleted from the database.

Thanks a lot for your information and explanation.
 
1. export the data for that member from the database

2. only after the export, use the delete option for that member with the "deleted member 123456" option: once you do this, all his information including IP addresses is deleted from the database

As far as I know (and I have worked with GDPR requests), that is all the information you need to provide.

Thanks a lot for your response, I'll do option 1 and see what happens, and if he starts causing trouble, will go ahead with 2.
Tell him he doesn't seem to understand what constitutes "personally identifiable information" under the GDPR rules. Could he please update his request as it's not currently a valid request. If he wishes you to advise him on what constitutes a valid request then you're happy to do so for an admin charge of X.

Yes, we've dealt with lots of GDPR idiots :p
Haha nice approach! How have you gone with the GDPR idiots? Care to share any of your emails, or how the conversations have evolved?
 
And, while it's always good to follow as closely to the law as possible, this particular law primarily was built around the large tech companies and the idea of ownership around user data. Its interpretations and case laws are fairly vague and minute at the moment, and serious damages are highly unlikely for any smaller online forum or community. (not sure how big your community reach is, forgive any assumptions)

In other words, if you do not want to bend over backwards for this user, complying with the basics that even XF has out of the box is sufficient imo. They would have to take you to a court which will have to hear it first of all, then they would have to claim you were in breach, then they would have to determine the damages (skipping some steps ofc). And the damages would be quite hard to determine for an individual user. It just doesn't seem like a threat, no matter how formal their request looks. Though again certain people it is best not to argue. Anyone can sue anyone for any reason after all.

Am I to (again) assume you might be Australian (from username)? I did a quick search and could not tell how it was being adopted in Australia but of course the idea here is that on the internet you "do business" with EU residents, and therefore must comply on that reason alone. Not sure where the user in question is from, but technically if they are outside the EU then I'm not entirely sure how far you would need to or want to comply with their demands.

^ If anyone can substantiate that let me know, as I am ofc not a lawyer and not entirely sure if that is true or not.
 
Thanks for the detailed response Mike - appreciate it.

It's a relatively small online forum, not large at all, but this member seems hell-bent on causing trouble for my site.

Yes, I'm in Australia, the member in question who sent the email is in the UK, and my server is hosted in Texas, USA.
 
Dude clearly is blowing smoke. GDPR has nothing to do with other users' content "about" them. Send them their personal information (a link to their profile and posts) and call it a day.
 
Firstly check that the email address he sent the request from is the one he has in his profile.

If not send a reply stating that in line with Data Protection you can only comply with any GDPR requests if the requester is submitting that request from the email address they use within their member profile, or if the request is made whilst logged in.

Or words to the effect of

I covered it all at length in a past thread/post and it's not failed me in several requests

The big point to make is keep any replies short, polite, to the point, and don't enter into discussion as this is what they want you to do.
 
Firstly check that the email address he sent the request from is the one he has in his profile.

If not send a reply stating that in line with Data Protection you can only comply with any GDPR requests if the requester is submitting that request from the email address they use within their member profile, or if the request is made whilst logged in.

That's a great point, he's been a member of my forum for 14 years which makes the tone of the request even more odd. What I believe is that he no longer has access to the email address within his profile.

The big point to make is keep any replies short, polite, to the point, and don't enter into discussion as this is what they want you to do.

Again, a very great point.

I covered it all at length in a past thread/post and it's not failed me in several requests

Would you mind linking me to that?
 
Thanks for all the information to date, everyone. As a progress update, I sent him this:

We've taken advice, and all that we'll send are your personal details you've provided XXXXXX through your account, along with your IP Address records. These are attached to this email. We have discussed this within the moderation team and we are standing by our decision not to provide members with their infraction points on request, as outlined by the makers of the XenForo software. We now consider the matter to be closed and won't be corresponding further.

If you wish to have any i) posts (self-identifying or otherwise) you have made in the forum in the past edited or ii) posts made by other posters with personal information about you edited to have the same removed, we would be happy to accommodate you if you could direct us to said posts.

He responded with:

Thanks James - no worries.

I've passed it on to the data protection authority.

You'd like to think the regulator would see this for what it is.
 
Just delete him if you haven't done so already, and change his username in the deletion options.

Any future searches will have no bearing on his previous username and that includes all reactions, comments, conversations, etc.
 

I haven't deleted him, I thought that would antagonize him and cause more problems.

Is your suggestion to prevent further trouble to delete him?
 