GDPR - first ever request

JamesAus

Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113
We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was, and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site - would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
Mentioning someone in an email is not only perfectly legal and not at all the purpose of GDPR, it's also impossible to enforce and it's completely ridiculous to ask someone to "get emails when I am discussed" as that is not data, rather that would just be called discourse or communication.

They are acting as if they have claim to that information which is simply false. If you want to talk about how he has been a pain in your butt and do so through whatever medium you choose, carrier pigeon, that is your choice. If, however, you have stored his gender, email, viewing habits and other pieces of data that is owned by the user and can and should be deletable or shared with him.

I prefer @Slavik's response over mine above as it will be better received to word your rebuttal as such. But the request is baseless. I recommend you share his request with your case officer as well, I'm curious if they agree with me. But even if they don't agree with me, as Slavik said there are plenty of other ways to word the same end result.
 
Thanks for that Mike, appreciate it. What I don't understand is the ICO seem to be taking it seriously as they've seen his request, and have sent it through to me without just disregarding him and telling him to go away.

This is what they said (copied from #42)

I can see from the evidence provided that your organisation has responded to XXXXXX's SAR with some of the requested information. If you feel that you have complied with data protection laws in withholding the remaining information, you need to explain this in detail to XXXXX by providing any exemptions that apply. You also need to be confident that you have done all you can to find an appropriate resolution.

If your organisation could have done more to resolve the concern then we expect you to take steps now to resolve the issue with your customer.

We do not expect to receive complaints when there is still further work that you can do to better explain the processing in question to your customer, or to put things right when they have gone wrong.

I might share a draft email based off what @Slavik has said to the Case Officer first and get their thoughts.
 
You seem to be giving this even more thought than the ICO officer at this point. They did the bare minimum, which is send an email. This does not mean they are giving credibility to any of his complaints. Your response, as they stated, should be to the user in question and it should go something like this.

Posts made about me in the moderators forum (made between August 2006 and August 2020) - "You are not entitled to access third party private conversations, regardless of the content of that conversation."

Emails between moderators in which I am discussed (between August 2006 and August 2020) - "You are not entitled to access third party private conversations, regardless of the content of that conversation."

Emails sent to me by any members of the moderation team (between August 2006 and August 2020) - "Emails are only kept on record for XX days or are not kept on record at all."

Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.) - "Any analytics mentioned above are anonymized and are not tied to any individual user, thus we have no information in our databases regarding your specific behavior or tracking."

How many infraction points I currently hold. - "Your account has been deleted and all traces of it have been removed from our database."
 
Thanks for coming in with your thoughts @StryGuardian :) I'm really enjoying how helpful, kind, and willing to offer assistance the XenForo community is.

Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.) - "Any analytics mentioned above are anonymized and are not tied to any individual user, thus we have no information in our databases regarding your specific behavior or tracking."

I use Google Analytics and looks like Google does maintain information about each user, so I'll make mention of that.
 
Well that's reassuring, thanks. :)

I'll expand for clarity, GDPR is not some overarching monster that takes absolute precedence over all data on your site. Yes it needs to be considered with and dealt with appropriately but at the same time just because someone quotes GDPR doesn't mean you have to bend over backwards to accommodate them.

In fact the last person on my site who quoted GDPR was entirely expunged. He lost years of personal blogs, content, guides, private messages, access to private forums, exclusive offers, discounts etc etc. It was quite a public erasure from existence on the site... and since then not a single request or threat, I guess people like having their stuff :)
 
I've put together this draft email to the ICO if anyone has any further thoughts.

Hi XXXX @ ICO,

Thanks for coming back to me with further details.

Regarding the points we didn't respond to. As this member of our fan-site is a regular troublemaker we didn't entertain far-reaching requests which we considered these as.

We plan on responding as follows. Is that acceptable to the ICO?

****
Hi XXXXXXXX Member,

We've been asked to respond to the points about you in further detail.

>Posts made about me in the moderators forum (made between August 2006 and August 2020)

This is exempt from disclosure as doing so would provide a third party's information (without their consent [other members reported posts and moderators]) that they would have expected to be kept private.

We make reference to the following:
https://ico.org.uk/for-organisation...f-access/information-about-other-individuals/

>>Emails between moderators in which I am discussed (between August 2006 and August 2020)

As above.

>>Emails sent to me by any members of the moderation team (between August 2006 and August 2020)

This is impossible for us to do, as emails are only kept for a period of 3 months and are sent through our official email address of XXXXX. Please let me know if you'd like any sent through to you during this period.

>>Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)

We use the Google Analytics platform. To look up and provide you with the information held, please provide us with your Google Analytics ClientID. To find this, you'll need to go to your browser’s settings and manually look at what cookies are there. You should find one named _ga, which is the Google Analytics cookie, and within it is a string like GA1.2-2.318596131.1556642125.

Your ClientID is the numbers before and after the final period (in this case, 318596131.1556642125). If you have multiple _ga cookies on your browser, please send all of the ClientIDs.

>>How many infraction points I currently hold.

Your account has been deleted and all traces of personal information have been removed from our database, so this is not something we are able to provide anymore. Please note that we no longer consider you welcome on the XXXXX Forums.

****
 
First things first before you do anything else - Permanently Ban him!

No reason, nor excuse - it's your site, he wouldn't be welcome in your home - get rid

He is not part of your community, he is there to cause trouble within it and for you

(I'll read the rest of the posts later)

I'm holding off for the moment, just from the point of view of not antagonizing him until the ICO reply and I know where I stand. He's apparently from what I've heard from a 3rd party - "He could argue the deletion of his data was unlawful in the European Union. That would be a whole other thing. It wouldn't just end with the deletion. He would not have a great case but you'd still be peppered by it." I'm planning to reach out to this member and have a chat with him and try and resolve this in a friendly way. Perhaps I'm being stupid, but if something can be worked out in a friendly way, I'm up for trying just so the whole thing can go away.

I've sent the draft email to the ICO so I'll let everyone know what I get back.

"Please note that we no longer consider you welcome on the XXXXX Forums"

Leave this out of any communication as you are inviting more questions and problems

Thanks for the suggestion.
 
I'm sorry to disagree with you:

I'm planning to reach out to this member and have a chat with him and try and resolve this in a friendly way - will not happen, this time or the future

I'm being stupid - respectfully - yes

but if something can be worked out in a friendly way, I'm up for trying just so the whole thing can go-away. - it will never go away as he's already done the dirty on you and it will happen again, or he'll brag to his online mates and get them to do the same


There comes a time when you have to be hard, act hard, go in hard - you'll thank yourself for it later.

I don't disagree with anything you have said. I'm just nervous about whether there are any gotchas lurking that he could exploit. My site is a simple fan-site with a fairly small community, and I can really do without the headaches if he wants to take this any further. I don't have the $ or the time to engage lawyers, etc.
 
Fwiw, the idea of "going hard" almost never works out. You just create a person with an agenda and even sometimes hell bent on causing you headaches. I think keeping a level head, staying unprovoked, is the wiser choice.
 
Yes, that's my line of thinking too. See what the ICO has to say, but attempt to engage with the member and work out a common-sense middle-ground.

I appreciate where @webbouk is coming from though, and can certainly see his point of view.
 