GDPR - first ever request

JamesAus

Active member
Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113.

We're a small fan site and can't afford to engage any legal assistance, so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site - I would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
Are you allowed to remove someone's account when they request any data copy?

Don't know if this question is to me, but if you ask about my current (vB4) module, here is how it works for GDPR:
  1. Any member, from his usercp, can download in PDF his profile data and/or his post history.
  2. From the same page he can request account removal. In this case a PM goes to Admin (or to any other member id in settings). From that point on, Admin can decide MANUALLY what action to take. This means that there is no automatic deletion.
 
Don't know if this question is to me, but if you ask about my current (vB4) module, here is how it works for GDPR:
  1. Any member, from his usercp, can download in PDF his profile data and/or his post history.
  2. From the same page he can request account removal. In this case a PM goes to Admin (or to any other member id in settings). From that point on, Admin can decide MANUALLY what action to take. This means that there is no automatic deletion.
Would be nice to have that within XF too.
 
Maybe interesting to @JamesAus, here's a couple of excerpts from the ICO page regarding right of access, if you want to turn the sword around:

Can we ask for ID?

Yes. You need to be satisfied that you know the identity of the requester (or the person the request is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity. The timescale for responding to a SAR does not begin until you have received the requested information. However, you should request ID documents promptly.
Make him prove that he's actually who he is. Most individuals will be very reluctant to share their ID with you, but if you have any information that would be present on his ID that is also in your system, request a copy of his ID so you can "verify his request". Start with something as simple as proving his physical location.

How do we find and retrieve the relevant information?

You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.
Most of his requests are unreasonable and excessive and go far beyond personal data that you can share. Search a little bit more than you're legally required to give him, then deem the request "unreasonably excessive" and proceed with the below.

Can we charge a fee?

Not usually. In most cases you cannot charge a fee to comply with a SAR. However, you can charge a ’reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.
Charge him money, that's where you hurt people. Especially when he comes back in the future for additional requests.
 
Charge him money, that's where you hurt people. Especially when he comes back in the future for additional requests.

Can we have that in our Terms of Service or privacy policy?

Can we charge a fee?

Not usually. In most cases you cannot charge a fee to comply with a SAR. However, you can charge a ’reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.
 
On what basis? It is your site, what you decide to do with the data created on it is entirely up to you. Could you imagine if when site owners close their sites down the members could sue them for "loss of data"? It would be absurd.

Honestly I would just comply with the ICO as cleanly as possible then delete him.
Thanks for the advice @Slavik - appreciate it.

That's a very cool mod @ChrisTERiS - someone should definitely take you up on that kind offer!

Charge him money, that's where you hurt people. Especially when he comes back in the future for additional requests.

That's a good find Lukas - thanks for sharing. Shame there's no definition of what is and isn't considered excessive.
 
Shame there's no definition of what is and isn't considered excessive.
Unfortunately. The ICO states the laws are "intentionally vague", to cover as many cases as possible without having to adapt them as new technologies/strategies arise, and intentionally wants people to take a "risk-based approach to meet [them]". It's a pain in the butt for everyone that doesn't have the money to hire a competent lawyer, I guess. You may want to read over the ICO's page regarding the GDPR more; their explanation is very exhaustive and covers basically all topics - although they don't go into any more detail than seen in the excerpts above.

If you're a small site, I would deem everything that goes over automated tasks provided by the software as excessive (provided the software is GDPR-compliant, which XenForo states it is), especially if there's no one on board that's very tech savvy. If you're not operating as a company, that's probably even better.
 
This is what we need! This'd solve so many problems for people that have to deal with those GDPR requests!
This could be a great next addon @AndrewSimm hint! 👀
I don't know enough about GDPR to create an add-on that I would be confident in. Reading these forums, I am not sure anyone knows exactly what the requirements are. I say this because of the amount of dialogue and the wide range of opinions that have been shared.
 
Xenforo needs a good GDPR addon, and if using Google ads, Google recaptcha, Google analytics etc, the user has to be able to turn off those cookies. When testing www.xenforo.com it does not pass GDPR inspection, but that does not necessarily mean it is not GDPR compliant.

Most communities I see online use ads in some form, and very few are GDPR compliant. AVSforums.com is close, but even that site does not pass the test. Cookies are being sent before the user can turn them off.

There is a lot of discussion going on about the topic, but there seems to be a lot of confusion. One thing is for sure - there are lots of Xenforo forums out there that are not GDPR compliant, and the question is how the rules will be applied in real life for forums. In other words - what will happen if anybody reports/presses charges against a forum site that only uses the standard Xenforo cookie warning + e.g. Google ads or other addons on their site?

In this thread users seem more concerned about user data, but the use of cookies and information being sent to other countries are equally as important, and perhaps a bigger problem.
 
No. I disagree.

Most of these are the responsibility of the owners/admins and/or the users and are beyond the responsibilities of Xenforo. Xenforo already gives you the tools to conform to GDPR and other privacy legislation. It's your responsibility to use the tools provided... or not, as you see fit.

Xenforo needs a good GDPR addon, and if using Google ads, Google recaptcha, Google analytics etc, the user has to be able to turn off those cookies. When testing www.xenforo.com it does not pass GDPR inspection, but that does not necessarily mean it is not GDPR compliant.

You can turn off 3rd party cookies in all of the major browsers, both mobile and desktop.

Most communities I see online use ads in some form, and very few are GDPR compliant. AVSforums.com is close, but even that site does not pass the test. Cookies are being sent before the user can turn them off.

Your privacy form should list any third party advertisers you use with a link to that advertiser's privacy page and/or a page listing the cookies in use and showing how to turn off cookies.

There is a lot of discussion going on about the topic, but there seems to be a lot of confusion. One thing is for sure - there are lots of Xenforo forums out there that are not GDPR compliant, and the question is how the rules will be applied in real life for forums. In other words - what will happen if anybody reports/presses charges against a forum site that only uses the standard Xenforo cookie warning + e.g. Google ads or other addons on their site?

That's up to the owner/admin/user. Nobody should be expecting Xenforo to babysit them or mandate how you should set up your privacy options. There is more to the world than the EU - a LOT more.

In this thread users seem more concerned about user data, but the use of cookies and information being sent to other countries are equally as important, and perhaps a bigger problem.

Again, this is the responsibility of the owner/admins. The owner has an obligation, IMO, to inform users of the forum what data is being collected and by whom, and what cookies are being used and by whom. This is YOUR responsibility, NOT the responsibility of Xenforo. All of the things you need to do can be done in stock Xenforo, including the inclusion of templates for Privacy and ToS. Just take those and do it to your own satisfaction and to the legal requirements in place in your location. Don't expect anyone else to do it for you. We are not children and we don't need babysitters. (I may have to change that given the widespread childish behavior of COVID deniers, but it's still not the responsibility of Xenforo to do everything for you.)
 
No. I disagree.

Most of these are the responsibility of the owners/admins and/or the users and are beyond the responsibilities of Xenforo. Xenforo already gives you the tools to conform to GDPR and other privacy legislation. It's your responsibility to use the tools provided... or not, as you see fit.
I did not say that Xenforo has the responsibility, I said that Xenforo needs an addon, and this could be a third-party addon.

It is the forum owner's responsibility, but this applies to pretty much all forum owners, and it would make most sense if Xenforo made the addon. But again, it is also legal to sell "tuning parts" for cars; you are just not allowed to use them for street use.
 
I would say an addon which will allow a user to download their own data. I think someone here already mentioned
I guess so. I've only had that request once though, and I just exported the user records from phpMyAdmin, zipped them up and made them available for download for 24 hours from a private location on the forum server. I don't know if you really need an addon unless you are getting a lot of requests. Remember that all (or at least many) of the addons you install come with the potential for a security vulnerability or slowing down your page load speeds, just like with WordPress. Be careful what you install and ask yourself if you really need it.
 
I guess so. I've only had that request once though, and I just exported the user records from phpMyAdmin, zipped them up and made them available for download for 24 hours from a private location on the forum server. I don't know if you really need an addon unless you are getting a lot of requests. Remember that all (or at least many) of the addons you install come with the potential for a security vulnerability or slowing down your page load speeds, just like with WordPress. Be careful what you install and ask yourself if you really need it.

It's better to have it than not. I also believe it matters who you install addons from, too. I've seen some members saying that they have 100+ addons.
 
I would say an addon which will allow a user to download their own data. I think someone here already mentioned

What do you mean by "data"? Specifically, what do you mean by a "users own data"? Anything someone posts on your forum is your data, not theirs. Post content is not their data.

The user's data is their email address, date of birth, etc., and there's already a built-in tool in XF to download that and give it to them.
 
Anything someone posts on your forum is your data, not theirs. Post content is not their data.
Wouldn’t that depend on your terms and conditions? With the default terms indeed it is without argument the right of the site owner to keep it there.

But if someone had a photo attached which is a picture of their home, and was named after their mother’s maiden name, with the car in the driveway having a personalised number plate with their first school/pet and their date of birth, I’d suggest they have the right to get that taken down.
 