GDPR - first ever request

[JamesAus]

Hi All, one of my members who has recently been banned for 7 days seems to want to cause time-wasting and problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

• Posts made about me in the moderators forum (made between August 2006 and August 2020)
• Emails between moderators in which I am discussed (between August 2006 and August 2020)
• Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
• Any information pertaining to my location (e.g. IP addresses)
• Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
• How many infraction points I currently hold.

If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113

We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

• Posts made about me in the moderators forum (made between August 2006 and August 2020

We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was and the mod team would discuss what approach to take.

• Emails between moderators in which I am discussed (between August 2006 and August 2020
• Emails sent to me by any members of the moderation team (between August 2006 and August 2020)

Moderators are volunteers and other members on the site - would have thought what they do in their own personal email addresses is outside what is a reasonable request of my site?

Any information pertaining to my location (e.g. IP addresse

I believe I can get this from default XenForo contracts.

• Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)

I use Google Analytics. Assume I can then pass him to Google?

• How many infraction points I currently hold.

How is this personal data?

 

[JamesAus]

How many infraction points I currently hold. - "Your account has been deleted and all traces of it have been removed from our database."

Am I allowed to keep his posts?

 

[Slavik]

Am I allowed to keep his posts?

Yes, unless those posts specifically contain personal data.

 

[JamesAus]

Yes, unless those posts specifically contain personal data.

Thanks. He has over 30,000 posts. It's impossible for me to know whether any of his posts contain personal data. Is there a way around this?

 

[Slavik]

Thanks. He has over 30,000 posts. It's impossible for me to know whether any of his posts contain personal data. Is there a way around this?

It falls to him to point them out once you have renamed and deleted his account.

 

[JamesAus]

It falls to him to point them out once you have renamed and deleted his account.

Excellent, thanks Slavik.

 

[JamesAus]

I've put together this draft email to the ICO if anyone has any further thoughts.

Hi XXXX @ ICO,

Thanks for coming back to me with further details.

Regarding the points we didn't respond to. As this member of our fan-site is a regular troublemaker we didn't entertain far-reaching requests which we considered these as.

We plan on responding as follows. Is that acceptable to the ICO?

****
Hi XXXXXXXX Member,

We've been asked to respond to the points about you in further detail.

>Posts made about me in the moderators forum (made between August 2006 and August 2020

This is exempt from disclosure as doing so would provide a third parties information (without their consent [other members reported posts and moderators]) that they would have expected to be kept private.

We make reference to the following:
https://ico.org.uk/for-organisation...f-access/information-about-other-individuals/

>>Emails between moderators in which I am discussed (between August 2006 and August 2020

As above.

>>Emails sent to me by any members of the moderation team (between August 2006 and August 2020)

This is impossible for us to do, as emails are only kept for a period of 3 months and are sent through our official email address of XXXXX. Please let me know if you'd like any sent through to you during this period.

>>Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)

We use the Google Analytics platform. To lookup and provide you with the information held, please provide us with your Google Analytics ClientID. To find this, you'll need to go to your browser’s settings and manually look at what cookies there. You should find one named _ga, which is the Google Analytics cookie, and within it is a string like GA1.2-2.318596131.1556642125.

Your ClientID are the numbers before and after the final period (in this case, 318596131.1556642125). If you have multiple _ga cookies on their browser, please send all of the ClientIDs.

>>How many infraction points I currently hold.

Your account has been deleted and all traces of personal information have been removed from our database, so this is not something we are able to provide anymore. Please note that we no longer consider you welcome on the XXXXX Forums.

****

 

[webbouk]

First things first before you do anything else - Permanently Ban him !

No reason, nor excuse - it's your site, he wouldn't be welcome in your home - get rid

He is not part of your community, he is there to cause trouble within it and for you

(I'll read the rest of the posts later)

 

[webbouk]

"Please note that we no longer consider you welcome on the XXXXX Forums"

Leave this out of any communication as you are inviting more questions and problems

 

[JamesAus]

First things first before you do anything else - Permanently Ban him !

No reason, nor excuse - it's your site, he wouldn't be welcome in your home - get rid

He is not part of your community, he is there to cause trouble within it and for you

(I'll read the rest of the posts later)

I'm holding off for the moment, just from the point of view of not antagonizing him until the ICO reply and I know where I stand. He's apparently from what I've heard from a 3rd party - "He could argue the deletion of his data was unlawful in the European Union. That would be a whole other thing. It wouldn't just end with the deletion. He would not have a great case but you'd still be peppered by it. " . I'm planning to reach out to this member and have a chat with him and try and resolve this in a friendly way. Perhaps I'm being stupid, but if something can be worked out in a friendly way, I'm up for trying just so the whole thing can go-away.

I've sent the draft email to the ICO so I'll let everyone know what I get back.

"Please note that we no longer consider you welcome on the XXXXX Forums"

Leave this out of any communication as you are inviting more questions and problems

Thanks for the suggestion.

 

[webbouk]

I'm sorry to disagree with you:

I'm planning to reach out to this member and have a chat with him and try and resolve this in a friendly way - will not happen, this time or the future

I'm being stupid - respectfully - yes

but if something can be worked out in a friendly way, I'm up for trying just so the whole thing can go-away. - it will never go away as he's already done the dirty on you and it will happen again, or he'll brag to his online mates and get them to do the same


There comes a time when you have to be hard, act hard, go in hard - you'll thank yourself for it later.

 

[JamesAus]

I'm sorry to disagree with you:

I'm planning to reach out to this member and have a chat with him and try and resolve this in a friendly way - will not happen, this time or the future

I'm being stupid - respectfully - yes

but if something can be worked out in a friendly way, I'm up for trying just so the whole thing can go-away. - it will never go away as he's already done the dirty on you and it will happen again, or he'll brag to his online mates and get them to do the same


There comes a time when you have to be hard, act hard, go in hard - you'll thank yourself for it later.

I don't disagree with anything you have said. I'm just nervous about whether there are any gotchas lurking that he could exploit. My site is a simple fan-site with a fairly small community, and I can really do without the headaches if he wants to take this any further. I don't have the $ or the time to engage lawyers, etc.

 

[webbouk]

And I suspect if it was to cost him anything he wouldn't pursue it either - he's a troublemaker, and bullying you, he's doing this because he can - look at it as him vs the moderating team, as long as he's a member he's sticking two fingers up at them and you and laughing about it.

 

[webbouk]

I use Google Analytics and looks like Google does maintain information about each user, so I'll make mention of that.

If you have not been asked, mention nothing

 

[Dad.]

Fwiw, the idea of "going hard" almost never works out. You just create a person with an agenda and even sometimes hell bent on causing you headaches. I think keeping a level head, staying unprovoked, is the wiser choice.

 

[JamesAus]

Fwiw, the idea of "going hard" almost never works out. You just create a person with an agenda and even sometimes hell bent on causing you headaches. I think keeping a level head, staying unprovoked, is the wiser choice.

Yes, that's my line of thinking too. See what the ICO has to say, but attempt to engage with the member and work out a common-sense middle-ground.

I appreciate where @webbouk is coming from though, and can certainly see his point of view.

 

[webbouk]

common-sense middle-ground.

...left the field of play when he involved the ICO

Did he attempt to engage with the moderators/yourself and work out a common-sense middle-ground relating to his ban and membership issues?
Somehow I doubt it.

Once you engage with him, bearing in mind the point you are now at, you've lost the upper hand and he'll take it as carte blanche that he is in control, which to be fair it sounds like he is.

Anyway, I'll bid you good luck, I've offered my advices, the ball (or what's left of it) is in your court <no puns intended>

 

[JamesAus]

...left the field of play when he involved the ICO

Did he attempt to engage with the moderators/yourself and work out a common-sense middle-ground relating to his ban and membership issues?
Somehow I doubt it.

Once you engage with him, bearing in mind the point you are now at, you've lost the upper hand and he'll take it as carte blanche that he is in control, which to be fair it sounds like he is.

Anyway, I'll bid you good luck, I've offered my advices, the ball (or what's left of it) is in your court <no puns intended>

Don't get me wrong webbouk. I honestly really appreciate your take on the situation and as I said, I may well be left looking the fool but it's something I think is worth trying.

I can't fault your logic and everything you said there is correct. I'll keep posting updates in this thread to hopefully gain opinions from helpful people like yourself.

 

[Slavik]

He could argue the deletion of his data was unlawful in the European Union

On what basis? It is your site, what you decide to do with the data created on it is entirely up to you. Could you imagine if when site owners close their sites down the members could sue them for "loss of data"? It would be absurd.

Honestly I would just comply with the ICO as cleanly as possible then delete him.

 

[ChrisTERiS]

Have coded a bundle module for vBulletin 4, which includes better EU Cookies policy and complete GDPR functions. I'm not familiar with XF coding and my age does not permits me to spend time learning something new. But if any XF coder wish to port it for XF, I'm willing to give him full rights to modify my code, without to ask even a single cent. It's up to him to release it for Free or Paid mod, I don't care.







As you can see a user can download in PDF format, all his data and all his post history.

- Chris

PS: Design is responsive.

 

[Starbucks]

Have coded a bundle module for vBulletin 4, which includes better EU Cookies policy and complete GDPR functions. I'm not familiar with XF coding and my age does not permits me to spend time learning something new. But if any XF coder wish to port it for XF, I'm willing to give him full rights to modify my code, without to ask even a single cent. It's up to him to release it for Free or Paid mod, I don't care.

View attachment 240990

View attachment 240992

View attachment 240991

As you can see a user can download in PDF format, all his data and all his post history.

- Chris

PS: Design is responsive.

This is what we need! This'd solve so many problems for people that have to deal with those GDPR requests!
This could be a great next addon @AndrewSimm hint!