GDPR - first ever request

JamesAus
Hi All, one of my members who has recently been banned for 7 days seems to want to waste our time and cause problems for our site, and sent this email:

Subject access request

In accordance with Article 15 of the General Data Protection Regulation (GDPR) of the European Union, by which XXXXXXX is bound, I am hereby making a data subject access request in respect of the personal data you (i.e. XXXXXXXXX) hold in relation to me.

Please supply the personal data you hold about me, which I am entitled to receive under data protection law.

In particular, I am interested in receiving personal data relating to:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
  • Any information pertaining to my location (e.g. IP addresses)
  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
  • How many infraction points I currently hold.
If you need any more information, please let me know as soon as possible.

I would prefer to receive the data in MS Word/PDF format.

It may be helpful for you to know that GDPR requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, you may wish to consult a solicitor or other data protection professional.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk, or it can be contacted on 0303 123 1113
We're a small fan site and can't afford to engage any legal assistance so I hoped the forum community here would be able to offer some advice.

In relation to the points:

  • Posts made about me in the moderators forum (made between August 2006 and August 2020)
We were using vBulletin up until recently and when a reported post was made, it automatically created a thread in the subforum that we would sometimes merge into a thread about the member if they were problematic. This member was and the mod team would discuss what approach to take.

  • Emails between moderators in which I am discussed (between August 2006 and August 2020)
  • Emails sent to me by any members of the moderation team (between August 2006 and August 2020)
Moderators are volunteers and other members of the site. I would have thought that what they do with their own personal email addresses is outside what is a reasonable request of my site?

  • Any information pertaining to my location (e.g. IP addresses)
I believe I can get this from default XenForo contracts.

  • Any marketing tracking or behaviour data (e.g. click rate, website user behaviour, browser user agent, user preferences, inferred user behaviour etc.)
I use Google Analytics. Assume I can then pass him to Google?

  • How many infraction points I currently hold.
How is this personal data?
 
Wouldn’t that depend on your terms and conditions? With the default terms indeed it is without argument the right of the site owner to keep it there.

But if someone had a photo attached which is a picture of their home, and was named after their mother’s maiden name, with the car in the driveway having a personalised number plate with their first school/pet and their date of birth, I’d suggest they have the right to get that taken down.

You're confusing several things there under one banner.

GDPR requires providing users with their own data. It's clear what that data is. The "right to be forgotten" is a different part of GDPR legislation.

If someone posted an identifiable photo of their home and asked for it to be removed, I'd like to think that we'd all comply and do the right thing. There's absolutely no requirement on us to be able to search through every photo someone's posted, work out if it contains identifiable information and then export that data and provide a copy of it to them.
 
I guess so. I've only had that request once though and I just exported the user records from phpMyAdmin and zipped it up and made it available for download for 24 hours from a private location on the forum server. I don't know if you really need an addon unless you are getting a lot of requests. Remember that all (or at least many) of the addons you install come with the potential for a security vulnerability or slowing down your page load speeds, just like with WordPress. Be careful what you install and ask yourself if you really need it.
And also only use an add-on from a developer you trust.
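The "export, zip it, make it available for 24 hours" step in the post above can be done without an add-on and without leaving the archive guessable on the web server. The following is an added example, not code from this thread or from XenForo: it packs constructed sample records (a hypothetical user row and IP log, not XenForo's real table layout) into a zip held in memory, and issues an HMAC-signed download token that carries the archive's hash, an expiry timestamp and a random nonce, so a link can only be used with the right secret and only until it expires. The secret key, the record shapes and the 24-hour TTL are all assumptions for the example.

```python
"""Added example: build a subject-access-request (SAR) bundle and a
time-limited, HMAC-signed download token for it.

Not code from the forum thread or from XenForo. The record layout below
is hypothetical; a real site would read the equivalent rows from its
own user / IP / warning tables.
"""
import hashlib
import hmac
import io
import json
import secrets
import time
import zipfile

# Constructed sample data (hypothetical shape, not XenForo's schema).
SAMPLE_USER = {
    "user_id": 1234,
    "username": "example_user",
    "email": "user@example.org",
    "register_date": "2006-08-14",
    "warning_points": 3,          # infraction points, if you choose to include them
}
SAMPLE_IP_LOG = [
    {"log_date": "2020-08-01T10:15:00Z", "action": "login", "ip": "203.0.113.7"},
    {"log_date": "2020-08-02T18:40:00Z", "action": "post", "ip": "203.0.113.7"},
]

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: links live for 24 hours


def build_sar_bundle(user, ip_log):
    """Return the bytes of a zip archive holding the subject's records as JSON."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("user.json", json.dumps(user, indent=2, sort_keys=True))
        zf.writestr("ip_log.json", json.dumps(ip_log, indent=2, sort_keys=True))
    return buf.getvalue()


def bundle_contents(bundle):
    """Read the archive back: {filename: parsed JSON}. Used to check the export."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        return {name: json.loads(zf.read(name)) for name in zf.namelist()}


def bundle_digest(bundle):
    """SHA-256 of the archive, hex; ties the token to one specific export."""
    return hashlib.sha256(bundle).hexdigest()


def make_download_token(secret, digest, now=None, ttl=TOKEN_TTL_SECONDS):
    """Token = digest:expiry:nonce:hmac. The nonce makes every link unique."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains ':'
    msg = f"{digest}:{expires}:{nonce}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{digest}:{expires}:{nonce}:{sig}"


def verify_download_token(secret, token, now=None):
    """Return the bundle digest if the token is genuine and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        digest, expires, nonce, sig = token.split(":")
        expires = int(expires)
    except ValueError:          # wrong field count or non-numeric expiry
        return None
    msg = f"{digest}:{expires}:{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time compare
        return None
    if now >= expires:          # expired links are refused before any file I/O
        return None
    return digest


if __name__ == "__main__":
    key = secrets.token_bytes(32)             # per-deployment secret (assumption)
    bundle = build_sar_bundle(SAMPLE_USER, SAMPLE_IP_LOG)
    token = make_download_token(key, bundle_digest(bundle))
    print("serve", f"/sar/{token}", "-> file", bundle_digest(bundle)[:12] + ".zip")
    print("valid now:", verify_download_token(key, token) is not None)
```

The archive should be stored outside the web root under its digest, and the download handler should only open it after `verify_download_token` succeeds; a cron job that deletes archives older than the TTL finishes the "available for 24 hours" part. Tampering with any field, using a different key, or presenting the link after expiry all fail verification.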
 
What addon is needed? Everything you need is in stock Xenforo.

There is more to the world than the EU - a LOT more.

Here is a report of Xenforo.com (which I just use as an example since this is the mother-forum of all Xenforo forums). I have attached a report from Cookiebot.com, and I can't vouch for this site, but they seem to be pretty spot on when you look at the GDPR laws and look at their results. So, the question stands - is an addon needed or not?

I am not trying to argue, but I think a lot of website owners might be interested, and perhaps this is worth some attention. I don't think it helps much to say that "we are compliant" just because you feel or think that you are, nor does it help to say that the world is a lot more than the EU. I think we need to figure out if this is something that needs to be addressed. The moment you make money from your website, I believe it is even more important to be compliant, and personally I hate these laws since they apply to everyone while the whole thing started because of large websites like Google, FB, Amazon etc.

I am located inside EU, and I have access to this website - hence GDPR applies. If you feel that this is all wrong, then I will keep my mouth shut. I am not looking to cause any problems, and I am merely trying to avoid problems (for everyone).

Here is the summary of the report, and the full report can be read in the attached PDF file.

Xenforo.com: Not compliant

The following requirements in the General Data Protection Regulation (GDPR) and the ePrivacy Directive 2009/136/EC (ePR) have been tested:

NOT COMPLIANT - Prior consent on other than strictly necessary cookies (ePR)
YES (Compliant) - Prior consent on personal data (GDPR)
NOT COMPLIANT - Personal data is transmitted to 'adequate countries' only (GDPR)
I'm not sure how valid the reports are...

I've just run the report on my website and the scan seems to bypass the cookie controls in place and looks for cookies in the code circumventing the cookie acceptance notices, which are plain to see.

Bearing in mind Cookiebot is a commercial website one has to wonder if their method of reporting is biased in their favour as it does not reflect the controls an actual person sees.
 
This is quite possible, but according to GDPR you are not allowed to send any cookies (except the necessary ones) before the user has accepted. Even if Cookiebot is a commercial site, it seems to me like their test is valid, but as I said - I am not stating anything as 100% fact, I am just saying that it is worth looking into to be sure.
 
But the question of whether or not Cookiebot has actually downloaded the cookies or simply found reference to them has not been answered.
I could walk past a Porsche showroom and see a number of models for sale on display, it doesn't mean they are mine unless I have accepted them.
So have any cookies actually been sent to the user's system or are they awaiting the user to click to accept them?
 
I've just asked the site for a review of three Xenforo sites I manage. Will post the results when I receive them (they apparently only email them so you have to provide and confirm an email address for each test which is annoying, especially from a commercial site.)
 
Some sites that I have tested pass the test, typically government sites and other sites that have to follow the rules to the letter.

My intention here is not to argue, nor to be difficult. Like many others I guess I am just afraid of "angry" users using the law to "attack" us, and I am a forum owner like most people in here. I have already been threatened, and it is typically from users that have been thrown out or competitors that want to cause us harm.

I agree with djbaxter that it is the forum owners responsibility, and I am in no way saying that this is Xenforo's problem, but I guess we are all in this together.
 
I got a user who seems to cause issues. I’ve sent him all his data, but he is asking about his photos, avatar stored on the forum and forum posts. Really confused. Should I delete his account or how should I proceed?
 
1. Delete his account: that will also delete his avatar.

2. Let him know that you will not delete his forum posts but that his posts will now be attributed to Deleted Member XXXX. (Your terms of use statement should include a statement something like "By posting on this forum, you agree that you convey a license in perpetuity to the owners of this forum to display your content on the forum". If you don't have that yet, add it.)

3. He may well complain that posts quoted by others still have his user name in the quote. You can resolve this using the Xenforo censor: Replace {original username} by Deleted Member XXX.

4. Now all his personal information is removed from the database and from the forum content.
 
He said that he doesn’t want his account to be deleted, however he is complaining that the XML file does not include all his posts, images posted and his avatar …
 
I got a user who seems to cause issues. I’ve sent him all his data, but he is asking about his photos, avatar stored on the forum and forum posts. Really confused. Should I delete his account or how should I proceed?

None of that is personally identifiable information and does NOT fall under GDPR.

He also has access to it himself should he want it.
 
Yes he is. Otherwise, I wouldn't even bother.
While he is trying to make your life difficult, do the same to him. How do you know it? Because he has an address or phone number, e.g. from Greece. In such a case you have the legal right (as the law is clear that it protects only EU citizens and residents) to ask for more proof, e.g. a copy of his passport or any bill showing his address etc. Moreover, you can refuse to accept scanned documents and ask for them to be delivered to you by normal mail.
 
I checked his IP, and I also use an addon which shows the country flag of where they live.
 
Have you checked that he is an EU citizen or resident? GDPR protects only EU citizens or residents.
I'm saying this because many people have found GDPR to be a way to tease webmasters.

As I said, what he's asking for is NOT relevant to GDPR. You've met the requirements by giving him the personally identifiable info that you had on him.
 
Yes and No. Replacing the username with something like XXXX does not solve the problem. Maybe in his posts there is (as text) some personal data, e.g. an email address. The avatar is also an identifier. Take as an example my avatar, which is my real photo, while yours is not. It is a very complicated law. It has so many "small letters" that for me the only real and secure way is to delete everything.

As for the "copy of content": yes, on this point the right is with him. What you deliver to him must be an exact copy. If the post has an avatar, it must also contain the avatar, etc.
 