GDPR - first ever request

JamesAus

Active member
Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113.

We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site - I would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
Two questions - why would they email you and not write to you if it is an official letter? Have you checked the headers of the email to ensure it has come from them?

Also, if you Google the number on the letter it draws a blank. The number is also different to their actual office number, have you tried calling it?


Thanks for that. I've just checked the headers and yes it has indeed come from them.



That's a great point, and no I haven't tried calling it. I'm waiting to hear back from them. I'm happy to share how the process goes, as hopefully, this will help others.

Good points. Best to be cautious.

That said, I had to deal with one request from GDPR a while back and they initiated (and continued) the communication via email. Not all forums publish a mailing address.

I also found the GDPR office to be quite reasonable. Remember that the communication was probably triggered by a disgruntled ex-member of the forum and they have an obligation to investigate. That doesn't mean they automatically accept the complaint as valid. I suspect that they view many of the complaints they get as just another entitled whiny dumbass ticked off because he didn't get his own way or got banned.

Thanks for that DJ - good to hear the GDPR office are reasonable people. Worst case scenario, if they find the complaint valid, I assume they give me the opportunity to comply before it gets any more serious? And yes, without a doubt it's the person who submitted the email to me in the first post of this thread. As you say a disgruntled member.
 
An emailed letter from them has come through now. The key part being:

I can see from the evidence provided that your organisation has responded to XXXXXX's SAR with some of the requested information. If you feel that you have complied with data protection laws in withholding the remaining information, you need to explain this in detail to XXXXX by providing any exemptions that apply. You also need to be confident that you have done all you can to find an appropriate resolution.

If your organisation could have done more to resolve the concern then we expect you to take steps now to resolve the issue with your customer.

We do not expect to receive complaints when there is still further work that you can do to better explain the processing in question to your customer, or to put things right when they have gone wrong.

We therefore want you to revisit the way you have handled this matter and consider what further action you can now take to resolve this complaint. We expect organisations to deal with the data protection complaints they receive and to proactively work with their customers to provide an appropriate resolution.

I have attached a checklist to help you with this; you should be able to tick off all the points on this non-exhaustive list.

We expect you to contact XXXXXX within the next 28 days with this further detail. If you are unable to meet this timeframe we expect you to contact your customer to let them know and to advise them when to expect it. You do not need to provide a response to us at this stage. However, if we receive a further complaint about this processing, we will carefully review and assess the response you have provided to your customer. If we consider that you are infringing data protection law then we will consider using our formal powers and any sanctions available.

These were the points I didn't provide the member:
  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.

Any advice?
 
Has the member been deleted and references to his username removed? (you can make doubly sure by using it as an entry in the profanity filter/word censor)

If the answer is yes then your answer to him would be something along the lines of:

Further to your additional questions:
1) No information can be found relating to you or your username .....
2) No emails can be found relating to....
3) No sent emails can be found on our system relating to.... if emails were sent to you then you should have local copies
4) No marketing ....... can be found
5) Username does not exist on our system therefore no infraction points ......

Fill in the gaps.

It's obvious he's just trying to cause you issues. As far as the ICO are concerned you have no details of him on your systems and if they wish to inspect then they are welcome to do so at their/his expense.
 
Thanks for that @webbouk - silly me, he still hasn't been banned, and is continuing to post on the site.

I've never been in this position and to be honest with you, I'm nervous and scared for my site. It's a fan site that myself and many others have been working on for nearly 20 years and we don't want to be in a position where it could be closed down or me getting fined.
 
This is crazy! Sorry to hear you’ve got to go through this.
Now on a legal aspect; is there any way we can avoid this kind of situation?

For example; by adding a line in the terms & rules that there’s no possibility of requesting information about yourself from a private staff forum, nor from a private staff conversation?

I
 
  • Posts made about me in the moderators forum (made between August 2006 and August 2020)

Exempt from disclosure as doing so would provide a third party's information (without their consent) (your moderators).


You could also try saying it would break the confidentiality of the moderators by disclosing information they would have expected to keep private.


  • Emails between moderators in which I am discussed (between August 2006 and August 2020)

As above.

  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)

You can reject that on the basis it would be "impossible" as your emails are only kept for X period of time (if at all)

You could also reject it on the grounds that it is manifestly excessive even if those emails were kept given it is asking for 14 years of information.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)

Reject on the basis that again it's manifestly excessive and overreaching. "What does etc. entail?"

  • How many infraction points I currently hold.

Easy to provide.


All in all, how you haven't renamed and deleted this person from your site is beyond me.
 
Mentioning someone in an email is not only perfectly legal and not at all the purpose of GDPR, it's also impossible to enforce and it's completely ridiculous to ask someone to "get emails when I am discussed" as that is not data, rather that would just be called discourse or communication.

They are acting as if they have a claim to that information, which is simply false. If you want to talk about how he has been a pain in your butt and do so through whatever medium you choose, carrier pigeon, that is your choice. If, however, you have stored his gender, email, viewing habits and other pieces of data, that is owned by the user and can and should be deletable or shared with him.

I prefer @Slavik's response over mine above as it will be better received to word your rebuttal as such. But the request is baseless. I recommend you share his request with your case officer as well; I'm curious if they agree with me. But even if they don't agree with me, as Slavik said there are plenty of other ways to word the same end result.
 

Thanks for that Mike, appreciate it. What I don't understand is the ICO seem to be taking it seriously as they've seen his request, and have sent it through to me without just disregarding him and telling him to go away.

This is what they said (copied from #42)

I can see from the evidence provided that your organisation has responded to XXXXXX's SAR with some of the requested information. If you feel that you have complied with data protection laws in withholding the remaining information, you need to explain this in detail to XXXXX by providing any exemptions that apply. You also need to be confident that you have done all you can to find an appropriate resolution.

If your organisation could have done more to resolve the concern then we expect you to take steps now to resolve the issue with your customer.

We do not expect to receive complaints when there is still further work that you can do to better explain the processing in question to your customer, or to put things right when they have gone wrong.

I might share a draft email based off what @Slavik has said to the Case Officer first and get their thoughts.
 
You seem to be giving this even more thought than the ICO officer at this point. They did the bare minimum, which is send an email. This does not mean they are giving credibility to any of his complaints. Your response, as they stated, should be to the user in question and it should go something like this.

Posts made about me in the moderators forum (made between August 2006 and August 2020) - "You are not entitled to access third party private conversations, regardless of the content of that conversation."

Emails between moderators in which I am discussed (between August 2006 and August 2020) - "You are not entitled to access third party private conversations, regardless of the content of that conversation."

Emails sent to me by any members of the moderation team (between August 2006 and August 2020) - "Emails are only kept on record for XX days or are not kept on record at all."

Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.) - "Any analytics mentioned above are anonymized and are not tied to any individual user, thus we have no information in our databases regarding your specific behavior or tracking."

How many infraction points I currently hold. - "Your account has been deleted and all traces of it have been removed from our database."
 
Thanks for coming in with your thoughts @StryGuardian :) I'm really enjoying how helpful, kind, and willing to offer assistance the XenForo community is.

Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.) - "Any analytics mentioned above are anonymized and are not tied to any individual user, thus we have no information in our databases regarding your specific behavior or tracking."

I use Google Analytics and it looks like Google does maintain information about each user, so I'll make mention of that.
 
Well that's reassuring, thanks. :)

I'll expand for clarity: GDPR is not some overarching monster that takes absolute precedence over all data on your site. Yes, it needs to be considered and dealt with appropriately, but at the same time just because someone quotes GDPR doesn't mean you have to bend over backwards to accommodate them.

In fact the last person on my site who quoted GDPR was entirely expunged. He lost years of personal blogs, content, guides, private messages, access to private forums, exclusive offers, discounts etc etc. It was quite a public erasure from existence on the site... and since then not a single request or threat, I guess people like having their stuff :)
 