GDPR - first ever request

JamesAus

Active member
Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113
We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site - would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 

RobParker

Well-known member
Wouldn’t that depend on your terms and conditions? With the default terms indeed it is without argument the right of the site owner to keep it there.

But if someone had a photo attached which is a picture of their home, and was named after their mother’s maiden name, the car in the driveway with a personalised number plate with your first school/pet and your date of birth, I’d suggest they have the right to get that taken down.

You're confusing several things there under one banner.

GDPR requires providing users with their own data. It's clear what that data is. The "right to be forgotten" is a different part of GDPR legislation.

If someone posted an identifiable photo of their home and asked for it to be removed, I'd like to think that we'd all comply and do the right thing. There's absolutely no requirement on us to be able to search through every photo someone's posted, work out if it contains identifiable information and then export that data and provide a copy of it to them.
 

wedgar

Well-known member
I guess so. I've only had that request once though and I just exported the user records from phpMyAdmin and zipped it up and made it available for download for 24 hours from a private location on the forum server. I don't know if you really need an addon unless you are getting a lot of requests. Remember that all (or at least many) of the addons you install come with the potential for a security vulnerability or slowing down your page load speeds, just like with WordPress. Be careful what you install and ask yourself if you really need it.
And also using an add-on from someone you trust as a developer as well.
 

katoona

Member
What addon is needed? Everything you need is in stock Xenforo.

There is more to the world than the EU - a LOT more.

Here is a report of Xenforo.com (which I just use as an example since this is the mother-forum of all Xenforo forums). I have attached a report from Cookiebot.com, and I can't vouch for this site, but they seem to be pretty spot on when you look at the GDPR laws and look at their results. So, the question stands - is an addon needed or not?

I am not trying to argue, but I think a lot of website owners might be interested, and perhaps this is worth some attention. I don't think it helps much to say that "we are compliant" just because you feel or think that you are, nor does it help to say that the world is a lot more than EU. I think we need to figure out if this is something that needs to be addressed. The moment you make money from your website, I believe it is even more important to be compliant, and personally I hate these laws since they apply to everyone while the whole thing started because of large websites like Google, FB, Amazon etc.

I am located inside EU, and I have access to this website - hence GDPR applies. If you feel that this is all wrong, then I will keep my mouth shut. I am not looking to cause any problems, and I am merely trying to avoid problems (for everyone).

Here is the summary of the report, and the full report can be read in the attached PDF file.

Xenforo.com: Not compliant

The following requirements in the General Data Protection Regulation (GDPR) and the ePrivacy Directive 2009/136/EC (ePR) have been tested:

NOT COMPLIANT - Prior consent on other than strictly necessary cookies (ePR)
YES (Compliant) - Prior consent on personal data (GDPR)
NOT COMPLIANT - Personal data is transmitted to 'adequate countries' only (GDPR)
 

Attachments

  • xenforo-cookie-test.pdf

webbouk

Well-known member
I'm not sure how valid the reports are...

I've just run the report on my website and the scan seems to bypass the cookie controls in place and looks for cookies in the code circumventing the cookie acceptance notices, which are plain to see.

Bearing in mind Cookiebot is a commercial website one has to wonder if their method of reporting is biased in their favour as it does not reflect the controls an actual person sees.
 

katoona

Member
I'm not sure how valid the reports are...

I've just run the report on my website and the scan seems to bypass the cookie controls in place and looks for cookies in the code circumventing the cookie acceptance notices, which are plain to see.

Bearing in mind Cookiebot is a commercial website one has to wonder if their method of reporting is biased in their favour as it does not reflect the controls an actual person sees.

This is quite possible, but according to GDPR you are not allowed to send any cookies (except the necessary ones) before the user has accepted. Even if Cookiebot is a commercial site, it seems to me like their test is valid, but as I said - I am not stating anything as 100% fact, I am just saying that it is worth looking into to be sure.
 

webbouk

Well-known member
But the question of whether or not Cookiebot has actually downloaded the cookies or simply found reference to them has not been answered.
I could walk past a Porsche showroom and see a number of models for sale on display, it doesn't mean they are mine unless I have accepted them.
So have any cookies actually been sent to the user's system or are they awaiting the user to click to accept them?
 

djbaxter

Well-known member
I've just asked the site for a review of three Xenforo sites I manage. Will post the results when I receive them (they apparently only email them so you have to provide and confirm an email address for each test which is annoying, especially from a commercial site.)
 

katoona

Member
But the question of whether or not Cookiebot has actually downloaded the cookies or simply found reference to them has not been answered.
I could walk past a Porsche showroom and see a number of models for sale on display, it doesn't mean they are mine unless I have accepted them.
So have any cookies actually been sent to the user's system or are they awaiting the user to click to accept them?

Some sites that I have tested pass the test, typically government sites and other sites that have to follow the rules to the letter.

My intention here is not to argue, nor to be difficult. Like many others I guess I am just afraid of "angry" users using the law to "attack" us, and I am a forum owner like most people in here. I have already been threatened, and it is typically from users that have been thrown out or competitors that want to cause harm upon us.

I agree with djbaxter that it is the forum owner's responsibility, and I am in no way saying that this is Xenforo's problem, but I guess we are all in this together.
 