GDPR - first ever request

JamesAus

Active member
Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113.

We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members on the site - would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
I don't see how discussions about his behavior on your platform, that do not involve his input, would fall under his personal information. The same with emails from staff. This seems to be done out of spite, which is why the requests are overreaching. They couldn't possibly have any right to private conversations between staff as part of GDPR. However, I am not well versed in that particular law. Maybe someone else could shed more light on how this individual thinks he is entitled to copies of third party conversations.
 
I wouldn’t send any data about him from the mods etc.

You can export his data via XF into an XML file.


Beyond that I don’t think he has any rights to the other data.
 
Thanks for your thoughts there, certainly appears to be done out of spite with the nature of the request. Especially as it's a long term member who knows the position of the site. Hopefully, someone who knows a bit more about how I could approach this could drop in with some thoughts.
Is that through the "Export a User function"?
I'm not au fait with GDPR, but a forum I am a moderator of has this requirement for the mod forum.

;)

I'm happy to comply with his request, but don't want to go overboard as this person to me is trying to be difficult.
 
1. export the data for that member from the database

2. only after the export, use the delete option for that member with the "deleted member 123456" option: once you do this, all his information including IP addresses is deleted from the database

As far as I know (and I have worked with GDPR requests), that is all the information you need to provide.
 
Tell him he doesn't seem to understand what constitutes "personally identifiable information" under the GDPR rules. Could he please update his request as it's not currently a valid request. If he wishes you to advise him on what constitutes a valid request then you're happy to do so for an admin charge of X.

Yes, we've dealt with lots of GDPR idiots :p
 
Interesting, how would you answer if the user already has their account deleted, as there is nothing to export? Also regarding the XML file, do you just transfer it to PDF using online tools?
 
I had that happen once. I simply replied that since the user had previously requested that his account be deleted, all information about him was deleted from the database and thus there was no information in the database that could be exported.

Re: request for a PDF version - provide the XML version in a zip file and email that. He can do his own conversion. Your obligation is complete once he is deleted from the database.
 
Thanks a lot for your information and explanation.
 
Thanks a lot for your response, I'll do option 1 and see what happens, and if he starts causing trouble, will go ahead with 2.
Haha nice approach! How have you gone with the GDPR idiots? Care to share any of your emails, or how the conversations have evolved?
 
And, while it's always good to follow as closely to the law as possible, this particular law primarily was built around the large tech companies and the idea of ownership around user data. Its interpretations and case laws are fairly vague and minute at the moment, and serious damages are highly unlikely for any smaller online forum or community. (Not sure how big your community reach is, forgive any assumptions.)

In other words, if you do not want to bend over backwards for this user, complying with the basics that even XF has out of the box is sufficient imo. They would have to take you to a court which will have to hear it first of all, then they would have to claim you were in breach, then they would have to determine the damages (skipping some steps ofc). And the damages would be quite hard to determine for an individual user. It just doesn't seem like a threat, no matter how formal their request looks. Though again certain people it is best not to argue. Anyone can sue anyone for any reason after all.

Am I to (again) assume you might be Australian (from username)? I did a quick search and could not tell how it was being adopted in Australia but of course the idea here is that on the internet you "do business" with EU residents, and therefore must comply on that reason alone. Not sure where the user in question is from, but technically if they are outside the EU then I'm not entirely sure how far you would need to or want to comply with their demands.

^ If anyone can substantiate that let me know, as I am ofc not a lawyer and not entirely sure if that is true or not.
 
Thanks for the detailed response Mike - appreciate it.

It's a relatively small online forum, not large at all, but this member seems hell-bent on causing trouble for my site.

Yes, I'm in Australia, the member in question who sent the email is in the UK, and my server is hosted in Texas, USA.
 
Dude clearly is blowing smoke. GDPR has nothing to do with other users' content "about" them. Send them their personal information (a link to their profile and posts) and call it a day.
 
Firstly check that the email address he sent the request from is the one he has in his profile.

If not send a reply stating that in line with Data Protection you can only comply with any GDPR requests if the requester is submitting that request from the email address they use within their member profile, or if the request is made whilst logged in.

Or words to the effect of

I covered it all at length in a past thread/post and it's not failed me in several requests

The big point to make is keep any replies short, polite, to the point, and don't enter into discussion as this is what they want you to do.
 
Firstly check that the email address he sent the request from is the one he has in his profile.

If not send a reply stating that in line with Data Protection you can only comply with any GDPR requests if the requester is submitting that request from the email address they use within their member profile, or if the request is made whilst logged in.

That's a great point, he's been a member of my forum for 14 years which makes the tone of the request even more odd. What I believe is that he no longer has access to the email address within his profile.

The big point to make is keep any replies short, polite, to the point, and don't enter into discussion as this is what they want you to do.

Again, a very great point.

I covered it all at length in a past thread/post and it's not failed me in several requests

Would you mind linking me to that?
 