GDPR - first ever request

JamesAus

Active member
Hi All, one of my members, who has recently been banned for 7 days, seems to want to waste our time and cause problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113.

We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was, and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site - I would have thought that what they do from their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
I assume you have already exported his data from the database. Before you go any further, blacklist his email address and IP address in the AdminCP (see below).

I also assume you don't want him back causing trouble on your forum.

Once he is deleted as a member:
  1. you can tell him all his records have been deleted from the database and you have no more data to give him; and
  2. he can no longer log in to your forum.
Watch out for new registrations, though, and blacklist his email address and IP address in the AdminCP. He may come back as a new member to create more chaos for you.
 
Once he is deleted as a member:
  1. you can tell him all his records have been deleted from the database and you have no more data to give him; and
^^ This

I'm not too sure about banning his IP address though, as it is a pretty useless method nowadays; plus you run the risk of blocking other users if the IP is that of a mobile provider, as they're often allocated at random.
 
So I got this yesterday..... I've replied.... Nothing back yet.

27 November 2020

Case Reference: XXXXXXXXXXX

Dear Sir or Madam

We received a data protection concern regarding XXXXXXXXX information rights practices and I am writing to confirm if you would be the appropriate member of staff to direct this concern to.

If you would not be the appropriate member of staff to contact please could you provide me with an email address and direct telephone number to contact them on.

If you wish to discuss any of the above please call me on the number below.


Yours faithfully

XXXXXXXXXXX
Case Officer
Information Commissioner's Office

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
T. 0330 414 6729 ico.org.uk twitter.com/iconews
Please consider the environment before printing this email.

For information about what we do with personal data see our privacy notice at www.ico.org.uk/privacy-notice.
 
Two questions - why would they email you and not write to you if it is an official letter? Have you checked the headers of the email to ensure it has come from them?

Also, if you Google the number on the letter it draws a blank. The number is also different to their actual office number, have you tried calling it?

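The header check suggested in the post above, as an added example that is not code from the forum, the ICO or any of the posters: it parses the raw message source with only the Python standard library, trusts solely the Authentication-Results header stamped by your own receiving mail server (its authserv-id, assumed here to be mx.example.net), and reports whether an SPF or DKIM pass aligns with the domain in the From header. The three messages are constructed for illustration; ico.org.uk appears only as the sender domain the message claims, and the alignment rule is a simplified version of DMARC's relaxed alignment.

```python
"""Does the receiving server's authentication record support the claimed From domain?

Added example for this thread (not from the forum or the ICO). Sample messages are
constructed; mx.example.net as our own authserv-id is an assumption.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# authserv-id our own MX writes at the start of its Authentication-Results header.
# Only that header is trusted: a sender can insert a forged one of its own.
OUR_AUTHSERV_ID = "mx.example.net"  # assumed value


def _domain(addr_header):
    """Lowercase domain part of an address (or bare domain) string, or ''."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def _aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    (Real DMARC compares organisational domains via the Public Suffix List.)"""
    if not auth_domain or not from_domain:
        return False
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def _trusted_auth_results(msg):
    """Yield the unfolded Authentication-Results values stamped by OUR server."""
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(str(value).split())          # unfold / normalise spaces
        authserv_id = value.split(";", 1)[0].strip().lower()
        if authserv_id == OUR_AUTHSERV_ID:
            yield value


def check_sender(raw_bytes):
    """Return From domain, which mechanisms passed *and* aligned, and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_domain = _domain(msg["From"])
    result = {"from_domain": from_domain, "spf_aligned": False,
              "dkim_aligned": False, "authentic": False}
    for ar in _trusted_auth_results(msg):
        for clause in ar.split(";")[1:]:              # one "method=result ..." per clause
            m = re.search(r"\bspf=pass\b.*?smtp\.mailfrom=(\S+)", clause, re.I)
            if m and _aligned(_domain(m.group(1)), from_domain):
                result["spf_aligned"] = True
            m = re.search(r"\bdkim=pass\b.*?header\.d=(\S+)", clause, re.I)
            if m and _aligned(m.group(1).lower(), from_domain):
                result["dkim_aligned"] = True
    result["authentic"] = result["spf_aligned"] or result["dkim_aligned"]
    return result


# Constructed sample 1: our MX recorded SPF and DKIM passes for the From domain.
GENUINE = b"""Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=casework@ico.org.uk;
 dkim=pass header.d=ico.org.uk header.s=selector1;
 dmarc=pass action=none header.from=ico.org.uk
Return-Path: <casework@ico.org.uk>
From: "Case Officer" <casework@ico.org.uk>
Subject: Case Reference: XXXXXXXXXXX

Dear Sir or Madam
"""

# Constructed sample 2: the sender pre-loaded a fake "pass" header under its own
# authserv-id; our MX's own record shows SPF fail and no DKIM signature.
SPOOFED = b"""Authentication-Results: mail.attacker.example; spf=pass smtp.mailfrom=casework@ico.org.uk; dkim=pass header.d=ico.org.uk
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bounce@attacker.example; dkim=none
Return-Path: <bounce@attacker.example>
From: "Case Officer" <casework@ico.org.uk>
Subject: Data protection concern

Please call the number below.
"""

# Constructed sample 3: sent via a bulk-mail provider, so SPF passes for the
# provider's domain (not aligned) but the DKIM signature is the claimed domain's.
VIA_ESP = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@em.bulkmail.example; dkim=pass header.d=ico.org.uk header.s=k1
Return-Path: <bounce@em.bulkmail.example>
From: casework@ico.org.uk
Subject: Case Reference: XXXXXXXXXXX

Dear Sir or Madam
"""


def demo():
    """Verdict per sample: {'genuine': True, 'spoofed': False, 'via_esp': True}."""
    return {name: check_sender(raw)["authentic"]
            for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("via_esp", VIA_ESP))}


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("via_esp", VIA_ESP)):
        print(name, check_sender(raw))
```

The raw input is the message source your mail client exports ("show original" or similar); the authserv-id to trust is whatever your own provider writes at the start of its Authentication-Results header, which you can read off any known-good message. A "pass" that is not aligned with the From domain (the third sample's SPF result) says only that some mail system was allowed to send, not that the displayed sender is genuine, which is why the verdict is built on alignment rather than on the bare pass/fail words.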
 
Good points. Best to be cautious.

That said, I had to deal with one official request from GDPR a while back and they initiated (and continued) the communication via email. Not all forums publish a mailing address.

I also found the GDPR office to be quite reasonable. Remember that the communication was probably triggered by a disgruntled ex-member of the forum and they have an obligation to investigate. That doesn't mean they automatically accept the complaint as valid. I suspect that they view many of the complaints they get as just another entitled whiny dumbass ticked off because he didn't get his own way or got banned.
 
Thanks for that. I've just checked the headers and yes it has indeed come from them.

That's a great point, and no I haven't tried calling it. I'm waiting to hear back from them. I'm happy to share how the process goes, as hopefully, this will help others.

Thanks for that DJ - good to hear the GDPR office are reasonable people. Worst case scenario, if they find the complaint valid, I assume they give me the opportunity to comply before it gets any more serious? And yes, without a doubt it's the person who submitted the email to me in the first post of this thread. As you say a disgruntled member.
 
An emailed letter from them has come through now. The key part being:

I can see from the evidence provided that your organisation has responded to XXXXXX's SAR with some of the requested information. If you feel that you have complied with data protection laws in withholding the remaining information, you need to explain this in detail to XXXXX by providing any exemptions that apply. You also need to be confident that you have done all you can to find an appropriate resolution.

If your organisation could have done more to resolve the concern then we expect you to take steps now to resolve the issue with your customer.

We do not expect to receive complaints when there is still further work that you can do to better explain the processing in question to your customer, or to put things right when they have gone wrong.

We therefore want you to revisit the way you have handled this matter and consider what further action you can now take to resolve this complaint. We expect organisations to deal with the data protection complaints they receive and to proactively work with their customers to provide an appropriate resolution.

I have attached a checklist to help you with this; you should be able to tick off all the points on this non-exhaustive list.

We expect you to contact XXXXXX within the next 28 days with this further detail. If you are unable to meet this timeframe we expect you to contact your customer to let them know and to advise them when to expect it. You do not need to provide a response to us at this stage. However, if we receive a further complaint about this processing, we will carefully review and assess the response you have provided to your customer. If we consider that you are infringing data protection law then we will consider using our formal powers and any sanctions available.

These were the points I didn't provide the member:
  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.

Any advice?
 
Has the member been deleted and references to his username removed? (you can make doubly sure by using it as an entry in the profanity filter/word censor)

If the answer is yes then your answer to him would be something along the lines of:

Further to your additional questions:
1) No information can be found relating to you or your username .....
2) No emails can be found relating to....
3) No sent emails can be found on our system relating to.... if emails were sent to you then you should have local copies
4) No marketing ,,,,,,, can be found
5) Username does not exist on our system therefore no infraction points ......

Fill in the gaps.

It's obvious he's just trying to cause you issues. As far as the ICO are concerned you have no details of him on your systems and if they wish to inspect then they are welcome to do so at their/his expense.
 
Thanks for that @webbouk - silly me, he still hasn't been banned, and is continuing to post on the site.

I've never been in this position and to be honest with you, I'm nervous and scared for my site. It's a fan site that myself and many others have been working on for nearly 20 years and we don't want to be in a position where it could be closed down or me getting fined.
 
This is crazy! Sorry to hear you have to go through this.
Now on the legal aspect: is there any way we can avoid this kind of situation?

For example, by adding a line in the terms & rules that there is no possibility of requesting information about yourself from a private staff forum, nor from a private staff conversation?

I
 