GDPR - first ever request

JamesAus

Active member
Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113.

We're a small fan site and can't afford to engage any legal assistance, so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently, and when a post was reported, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was, and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site. I would have thought what they do with their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
Yes and no. Replacing the username with something like XXXX does not solve the problem. Maybe in his posts there is (as text) some personal data, e.g. an email address. The avatar is also an identifier. Take as an example my avatar, which is my real photo, while yours is not. It is a very complicated law. It has so many "small letters" that for me the only real and secure way is to delete everything.

As for the "copy of content": yes, on this topic the right is with him. What you deliver to him must be an exact copy. If the post has an avatar, it must also contain the avatar, etc. etc.
The XML file did not include the avatar, and did not include his content, and he wasn't really satisfied with the response. However, I got a reply back, as he didn't want his account to be removed, which happened.
 
I have coded a module for vBulletin 4.2.5 that is 100% compatible with the EU Cookie Law and GDPR. Pity that none of the XF coders showed interest in recoding it for XenForo, even though I was giving full copyright permissions free of any charge. Not a single cent. Totally free. I'm 65yo with many serious health issues, so no time and courage to learn the XF coding style.

See the screenshots below from the GDPR section of the mod, and you'll see that it has everything the law says. And YES, I've recoded the vB4 templating system to be responsive (Bootstrap 3).

1.- UserCP. All options that a user needs: option to download profile data, option to download post history, option to reset cookies. Below is the form for posting an account removal request to the admin:

[attachment: 1634019414285.webp]

2.- Download Profile Data (in PDF format)

[attachment: 1634019606285.webp]

3.- Download Post History (PDF format)

[attachment: 1634019684647.webp]

4.- The form to request account removal. The admin can set a message in the options to appear at the top.

[attachment: 1634019761762.webp]
 
I'm just curious how busy this query would be for users with, for example, 3000 public posts, 2000 posts in conversations, 500 posts on user profiles…
Nowadays, this is a myth.
  1. Servers are much faster (and cheaper).
  2. At least 30% of messages are just a "Thank you". PS: Only the user's own posts appear; e.g. if the user has quoted another post, the quoted text does not appear.
  3. .....and most important..... you're talking about 1% (not to say 0.1%) of forums. Who has such high activity?
But the above is just the reality. Technically, at least in my code, it can be done:
  1. As a PDF for sure should have a limit on how many pages it can include, it is split into parts. If I remember well, something like 500 pages, but it is easy to change.
  2. You can set it to work with a cronjob and not as an immediate action. In this case a message appears to the user that his file will be ready to download the next day.
 
And some smart features that I had in mind to add, but never added due to lack of interest:
  1. Checking a $_SESSION variable (so no extra query) to see how many posts the user has, you can let the system decide whether it will print immediately or add it to a queue to print with a cronjob.
  2. Set a timestamp on the user profile each time he downloads something. So the next time the system will print only the newer posts and not the full history.
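As an added illustration of the export behaviour described in the two posts above (quoted text from other members dropped, the output split into parts by a page limit, only posts newer than the member's last download included, and large exports deferred to a nightly job), here is a small Python planner. It is not code from the vBulletin module discussed in this thread; the thresholds, the `Post` record, the BBCode quote syntax and the sample posts are all constructed for the example.

```python
"""Added example: a planner for a member's post-history export.

This is illustrative code written for this thread, not the vBulletin module's
own source. Thresholds, the Post record and the sample posts are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed thresholds: the thread mentions "something like 500 pages" per part
# and a cronjob for big exports; the exact numbers here are assumptions.
PAGES_PER_PART = 500
POSTS_PER_PAGE = 20
QUEUE_THRESHOLD_POSTS = 2000

# Matches an innermost [quote]...[/quote] block (also [quote="name"]), i.e. one
# that contains no further [quote] opener. Applied repeatedly to peel nesting.
INNER_QUOTE_RE = re.compile(
    r"\[quote(?:=[^\]]*)?\](?:(?!\[quote).)*?\[/quote\]",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Post:
    post_id: int
    created_at: int  # unix timestamp
    body: str


@dataclass
class ExportPlan:
    mode: str                                   # "immediate" or "queued"
    parts: List[List[str]] = field(default_factory=list)
    last_export_at: Optional[int] = None        # stamp to store on the profile


def strip_quotes(body: str) -> str:
    """Remove other members' quoted text so only the member's own words remain."""
    previous = None
    while previous != body:                     # innermost quotes first
        previous = body
        body = INNER_QUOTE_RE.sub("", body)
    return re.sub(r"\n{3,}", "\n\n", body).strip()


def select_new_posts(posts: List[Post], last_export_at: Optional[int]) -> List[Post]:
    """Incremental export: only posts created after the member's last download."""
    chosen = posts if last_export_at is None else [
        p for p in posts if p.created_at > last_export_at
    ]
    return sorted(chosen, key=lambda p: p.created_at)


def split_into_parts(items: list, posts_per_page: int = POSTS_PER_PAGE,
                     pages_per_part: int = PAGES_PER_PART) -> List[list]:
    """Split the cleaned posts into chunks that fit the per-file page limit."""
    per_part = posts_per_page * pages_per_part
    return [items[i:i + per_part] for i in range(0, len(items), per_part)]


def plan_export(posts: List[Post], last_export_at: Optional[int],
                post_count_from_session: int, now: int) -> ExportPlan:
    """Build the export and decide whether it runs now or via the nightly job.

    post_count_from_session stands in for the cached post count read from the
    session (no extra query); it only drives the immediate-vs-queued decision.
    """
    mode = "queued" if post_count_from_session > QUEUE_THRESHOLD_POSTS else "immediate"
    cleaned = [strip_quotes(p.body) for p in select_new_posts(posts, last_export_at)]
    cleaned = [c for c in cleaned if c]         # posts that were only a quote vanish
    # Returning `now` as the new stamp makes the next download incremental.
    return ExportPlan(mode=mode, parts=split_into_parts(cleaned), last_export_at=now)


# Constructed sample posts for a stand-alone run.
SAMPLE_POSTS = [
    Post(1, 1_600_000_000, '[quote="other"]Is this right?[/quote]\nYes, it is.'),
    Post(2, 1_600_100_000, "Thank you"),
    Post(3, 1_600_200_000, "[quote]a[quote]b[/quote]c[/quote]"),
    Post(4, 1_600_300_000, "My email is user@example.invalid"),
]

if __name__ == "__main__":
    first = plan_export(SAMPLE_POSTS, None, len(SAMPLE_POSTS), 1_600_400_000)
    print(first.mode, first.parts)
    later = plan_export(SAMPLE_POSTS, first.last_export_at, 5000, 1_600_500_000)
    print(later.mode, later.parts)
```

The first call exports everything immediately; the second, with a large cached post count and the stamp from the first export, is queued and would contain only posts newer than that stamp (none in the sample).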
 
@Ozzy47 The GDPR section has nothing to do with the law. You just give users the ability to download their profile data or their post history, to clear stored cookies, and finally to request (it is just a request, nothing automatic) their account removal.
I just named it "GDPR". Even "My History" is a valid name for it. No webmaster will be sued because he is giving his members the ability to download their history or print their profile. Instead they'll congratulate him for this transparency.
 
GDPR protects only EU citizens or residents.
I am not a lawyer, but I think this is not correct:

To me this means that GDPR does apply if
a) The service is being offered by an entity from the EU
or
b) The service is being offered to someone in the EU

So for a US citizen who is on holiday in Germany and accesses a service offered by an entity from the EU (not limited to processing actually being done in the EU), GDPR would apply.
Likewise, if a German citizen is on holiday in the US and accesses a service offered by an entity from the US in the US, GDPR would not apply.
 
I am not a lawyer, but I think this is not correct:

Like you, I'm not a lawyer either, but what I wrote was told to me by a friend with 32 years' experience in EU law. Actually, in my country he is a specialist only in topics relevant to EU law.

So I need to ask him for clarification. From my own knowledge only, many people confuse the obligations of the webmaster with the rights of a member (who is protected by the law and who is not). For sure (e.g.) a US citizen can't ask to be protected when he is in the US. Maybe he is protected on a trip to Europe, I don't know.

But as I don't believe that there is any webmaster having more than 250 employees, the 2nd exception (by the end of the page) at:
says:
The second exception is for organizations with fewer than 250 employees. Small- and medium-sized enterprises (SMEs) are not totally exempt from the GDPR, but the regulation does free them from record-keeping obligations in most cases (see Article 30.5).

PS: Somewhere in that article you'll find:
The whole point of the GDPR is to protect data belonging to EU citizens and residents.
 
Like you, I'm not a lawyer either, but what I wrote was told to me by a friend with 32 years' experience in EU law. Actually, in my country he is a specialist only in topics relevant to EU law.

[...]

So I need to ask him for clarification.

[...]

Maybe he is protected on a trip to Europe, I don't know.
Would be quite interesting if you could ask your friend :)
What I posted was the information I got from our company data protection officer.

But as I don't believe that there is any webmaster having more than 250 employees, the 2nd exception (by the end of the page)
Unfortunately the article is over-simplified, and in many cases (e.g. in the case of forums with several thousand members) the 250 employee exception does not apply, as the exception has an exception :p :

The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless [...] the processing is not occasional

In the case of forums, personal data (email, IP) is constantly being processed, not just occasionally, so the exception does not apply, no matter the number of employees.

Again, IANAL.
 
Would be quite interesting if you could ask your friend
I'll do that. But what is interesting is what he said when I first asked him (as he knew that I work with forums).
"Just delete him." Without my even giving him details. He understood what I was about to ask!!

Then he opened an article (maybe it was the same, I don't know) and pointed me to the phrase "The second exception is for organizations with fewer than 250 employees". He said "Look here.... look at the tricks (or small letters, as I call them). It is talking about companies and employees. You're not a company but a webmaster. You don't have employees but you have members. So, it is solely dependent on how the judge will "translate" the law."
 
I guess that's why we have courts, courts of appeal, and supreme courts. Few laws are written so clearly and comprehensively that they are not open to some degree of interpretation.

But I would think that most forum owners would rather not be involved in any of that and would try to do their best to avoid it.
 
Post history absolutely does not fall under GDPR.

Furthermore, they have access to their post history themselves. By visiting your website and searching themselves. We've had lots of discussions on this in the past and many of us have received clarification from the official bodies (UK in my case) that oversee this.
Is there any "Download the list" (expanded content)? The law says to get a copy in hand and not just see them on the screen.
 
Is there any "Download the list" (expanded content)? The law says to get a copy in hand and not just see them on the screen.

The law says absolutely nothing about post history. It's not PII. It doesn't count.

If anything, giving them a huge dump of all of their posts which may contain some PII within them (e.g. if they've ever say included their phone number in a post) is not in the spirit of the law.
 
(Your terms of use statement should include a statement something like "By posting on this forum, you agree that you conveyed a license in perpetuity to the owners of this forum to display your content on the forum". If you don't have that yet, add it.)
So I have the following in my terms, and I'm curious if it covers this, or if I should add the extra clause to be safe.

We may remove or modify any Content submitted at any time, with or without cause, with or without notice. Requests for Content to be removed or modified will be undertaken only at our discretion. We may terminate your access to all or any part of the Service at any time, with or without cause, with or without notice.
 