XF 2.1 GDPR SAR subject access request queries

Stuart Wright

When someone puts in an SAR (subject access request) in accordance with GDPR, forum owners have a legal responsibility to reply with a lot of specific information.
Following such a request and a subsequent complaint by a forum member for non-compliance to the UK data commissioner’s office, I need to ask this question.
What SQL queries do we need to run to supply all of a member’s information?
We need their user record and all the records from associated user tables including user change logs and IP logs.
Also any records from addons such as the user notes system.
I think it’s reasonable to say that publicly posted information does not need to be sent since this was posted by the person. Similarly private messages including the member are deemed private and so shouldn’t be sent. However, private conversations between moderators about that member may need to be included.

In the above case, I got direct help from a person working in the data commissioner’s office (who was extremely helpful) and though the member’s account has already been deleted, so there was no information to send, that didn’t mean I could send ‘nothing’ as a response. I had to amend our privacy policy significantly to comply with GDPR (including adding their address and phone number) and then reply addressing each specific request.

Also I was told that it is not acceptable to delete someone’s account upon receiving an SAR in order to avoid sending the information.

So could someone help specify the queries to run please?
And ideally there should be a function in Xenforo to output all the data in a relatively easy-to-read format.
Personal Data, yes. Personal data is everything related directly or indirectly to a natural person.
In case of a forum everything linked to the user account through userid, ip or email address.

This is what we've been told.

It is.
I agree on IP addresses.

I disagree on the definition of personal information and will continue to do so until the ICO advises otherwise.

If other countries and data protection regulators are manipulating GDPR into being something it isn't and wasn't designed for in your locale then that will, unfortunately, be entirely down to you to bridge that gap (as it sounds like you have done) but we will not be railroaded into adjusting the software in order to follow a very stringent and disproportionately unreasonable interpretation of the regulations.

Personal information is different to personally identifiable information, but I will check this on Monday.
If the user is deleted, we have no information to send, but her point was that we still have to reply to the request in a ‘proper’ manner. The user wrote a list of the information he wanted and I had to reply with ‘no information’ for each.
It’s not sufficient to reply with a short message stating we have no stored information about the person. An official, clear reply is necessary.
It's just insanity. There's no difference between personal information and personally identifiable information. It's the same thing.

Of course you still have to reply to the request in the proper manner. I wouldn't argue that. That's not something the software can help you with though.
Personal Data, yes. Personal data is everything related directly or indirectly to a natural person.
In case of a forum everything linked to the user account through userid, ip or email address.

This is what we've been told.

It is.
The EU has made it very clear in a number of rulings that they really have no idea how the internet works. The key is "personally identifying information". An IP does not do that.
The EU has made it very clear in a number of rulings that they really have no idea how the internet works.
I don't disagree. However, we as forum operators/data controllers have to deal with the law and the rulings the way they are.

@Chris
Well, I did not make up that definition of 'personal data' in post #13 - it's taken literally from the regulation itself.
Nowhere does the regulation talk about 'personal information' or 'personally identifiable information' - it only talks about 'personal data'.

I don't disagree. However, we as forum operators/data controllers have to deal with the law and the rulings the way they are.

@Chris
Well, I did not make up that definition of 'personal data' in post #13 - it's taken literally from the regulation itself.
Nowhere does the regulation talk about 'personal information' or 'personally identifiable information' - it only talks about 'personal data'.
Still, it seems strange that in all of that there is not one mention of IP addresses as an example of personal information, if they consider it as such. And I've seen many headlines over the years of courts ruling that IP addresses are not sufficient to identify a person in copyright cases, so I'm still not convinced that ICO believes that they can be used to "identify" a person. If they do, it would certainly be (another) unreasonable clause.
Still, it seems strange that in all of that there is not one mention of IP addresses as an example of personal information, if they consider it as such.
It is. They consider an IP address (or an IMEI, a MAC, etc.) to be an 'online identifier', which is specifically listed in GDPR Art. 4 (1).

GDPR Recital 30: Online Identifiers for Profiling and Identification said:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

I'm still not convinced that ICO believes that they can be used to "identify" a person. If they do, it would certainly be (another) unreasonable clause.
The ruling I linked above was made by the CJEU, the highest court in the European Union.
So this is "the final decision" (until laws/regulations are specifically modified to change this).
Right, but I'm still not clear on whether their definition of personal data is the same definition being used in Art.4. In other words, because the former defines it as one thing, does that necessarily mean that the same definition has to be used and is legally enforceable for the latter, just because they both make use of the term "personal data"? I think the problem with this is basically that, like many laws, it's all written so broadly that it's open for all kinds of interpretations - and misinterpretations - by even the people who are supposed to be the experts, as is evident by the different answers people here have gotten from the authorities they've consulted.

The GDPR considers email insecure and it's not allowed to send PII through email without explicit permission.


If the request is sent via email then that in effect is giving permission to reply using the same means.

It's actually easy to complain to the ICO and we've had one person do it following our first SAR.

It may be quite easy to complain to the ICO but on the other hand they can only advise and instruct, they cannot enforce any action -- a toothless quango
In some cases. In others, it does. Some people have static IPs (or IP ranges) that are linked directly to their address.
But most don't, and even in the case of static addresses it can't always be definitely linked to one person. But either way, it's a stupid rule and does more harm than good. How many people really need an IP address to be forgotten, especially considering that so many of them are on mobile devices and those addresses are constantly changing all the time? And what's to stop spammers from requesting their IP addresses be forgotten? Anyway, hopefully enough people will pressure their reps over the coming years to inject a little more common sense into it all.
What do they consider a trusted channel then? Email is as secure as anything else. More secure, in most instances I'd've thought actually.
We'll have to agree to disagree on that Kirby

As an example, you have a problematic ex-member who is intent on causing you problems, you need to pull the rug out from under them as soon as possible, take the wind out of their sails so to speak.
The more you pamper to them, the more you reply and respond to them, the more they are having your pants down.

See the issue, resolve it quickly and professionally, end of issue
What do they consider a trusted channel then? Email is as secure as anything else. More secure, in most instances I'd've thought actually.
E-mail is inherently insecure as it is unencrypted plaintext, e.g. the equivalent of a postcard.
If the request was made electronically, the reply should also be made electronically via a secure way.
How this could be done with just email (it is not possible) is left as an exercise to those having to deal with such requests ;)

When we get such a request we offer the user to
a) download the export while being logged in (transmission is secured via HTTPS)
b) send us a GPG key
c) explicitly acknowledge that they want the export via unencrypted email
Yeah, that's the point - you do not know if TLS is being used by every intermediary mailserver.
You could enforce TLS from your mailserver to the first hop, but that's it; you don't know nor can't control delivery after that.
Here is some info from ICO

What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
A registration date by itself is not personal data. A registration date of a specific user is personal data if combined with the userid (=number) of that user, which it is as it is stored in the database and displayed on the profile (or post if enabled).
How is a registration date going to be used to identify an individual, with or without a user ID ?

Your name on this forum is Kirby
You joined Aug 7, 2010
You state you are from Germany
You are Male
Your DoB is Oct 27, 1979 (Age: 40)
Occupation: Chief Technology Officer
Website (I'll leave that off)

This is all information you have submitted to this forum, not information that the forum owners store on you without your knowledge, but information you have willingly submitted and made available to others.

From that info, plus your website domain name, a look-up of that domain name, ownership, local records, data search, etc, it might be possible to locate your home address, family details, personal information, bank accounts held, you name it.

The ICO is a quango, it is there to guideline users, it is not law, it cannot influence law, and the information posted by them, the guidelines, are just that. Any interpretation of those guidelines is open to conjecture.

If an aggrieved member decides to hit you with a SAR it is for one purpose and one purpose only, and that is to make life difficult for you, thinking they have one over on you.
I have yet to hear of any website or forum, large or small, which has been taken to court over this.
The ICO can refer to the legal process, they cannot take it upon themselves to do so.

Likewise they can advise an aggrieved member that they could have a case against your company or individual, but then it is in the hands of that person should they wish to spend time, effort and money pursuing it - and would they?

Threads like this only do one thing: they give those that wish to cause us issues ammunition and guidance on what to do and what paths to take to cause maximum issues, and people who seem petrified and look for issues are only adding to such.
Ok so I have spoken with an officer at the ICO this morning to try and get some clarification. @Chris D
Without knowing XenForo and the particular data it stores, he couldn't be as specific as I was hoping, and the overall message I got was that we are free to make our own interpretation of the rules, provided we can justify them on the first instance of getting into trouble with the ICO about it.
He said that we would have to decide what information is personally identifiable. He suggested we base it on the actual data, but we don't have time to go through an individual's data, so we have to assume that if data can be identifiable, it is. E.g. there is a strong argument that 1234@gmail.com is not personally identifiable, whereas john-smith@gmail.com is.

For clarity, I'm looking for a process which is as simple and easy as possible. At the same time I want to avoid getting hit with a £100,000+ fine, which is what I was told (verbally by an ICO officer) could potentially happen if I didn't comply correctly with the SAR.

The key take-away points from the call are that in response to an SAR:

  1. If the combined data held about an individual is personally identifiable, then that is what needs to get sent. So as examples, the email address, login name, location, IP addresses, date of birth, signature all potentially combine to help identify someone, and so are definitely part of the data which needs to be sent. An IP address could give someone's location combined with their name from their email address to identify them in a particular city.
  2. You probably can't combine things like preferences, bookmarks, edit history, dismissed notices statuses and trophy points with other data to personally identify someone and therefore don't need to get sent.
  3. Content which is still publicly viewable need not be included since the person can go see it. So we don't need to send threads and posts. If it's still publicly available, they can go find it themselves.
  4. If the person is banned (i.e. can't access their account), then the contents of private conversation messages sent by them should probably be sent.
And in response to a GDPR deletion request - I wish for all the data about me to be deleted - we can refuse to do that in order to detect or prevent crime. So, for example, where a member has defrauded another member (and we'd need to be able to provide evidence of that, so it would be useful to record it all somewhere) then we can refuse to delete their account. It was suggested to me that we should keep only the personally identifiable information about them that we need in order to identify them in the future, but since there isn't a method of selecting which data to delete, we can't do that.

So I'm going to go through the tables and take a guess (which it seems is all we can do) at what information I think we need to send in an SAR.
It doesn't look like it has to be a tremendous amount, but we'll see.
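One way to run the per-category queries the take-aways above call for, as an added example that is not XenForo's own code or schema: it builds a constructed SQLite stand-in for the xf_user / xf_user_profile / xf_ip / xf_change_log tables (assumed names and columns), exports only the identifying fields (not trophy points or other preferences, and no public posts), and answers every category explicitly even when the account no longer exists, so a deleted member still gets a per-item "no data held" reply rather than nothing.

```python
import json
import sqlite3
# Constructed in-memory schema modelled loosely on XenForo 2.x tables; names,
# columns and rows are assumptions for this example, not the project's own.
SCHEMA = """
CREATE TABLE xf_user (user_id INTEGER PRIMARY KEY, username TEXT, email TEXT,
    register_date INTEGER, trophy_points INTEGER);
CREATE TABLE xf_user_profile (user_id INTEGER PRIMARY KEY, location TEXT,
    dob_day INTEGER, dob_month INTEGER, dob_year INTEGER, signature TEXT);
CREATE TABLE xf_ip (ip_id INTEGER PRIMARY KEY, user_id INTEGER, action TEXT, ip TEXT, log_date INTEGER);
CREATE TABLE xf_change_log (log_id INTEGER PRIMARY KEY, content_type TEXT, content_id INTEGER,
    field TEXT, old_value TEXT, new_value TEXT, edit_date INTEGER);
"""
# Constructed sample rows: one member, two IP-log entries, one profile change.
# trophy_points is a preference-type field and is deliberately never exported.
SAMPLE = [
    "INSERT INTO xf_user VALUES (7, 'jsmith', 'john-smith@example.com', 1281139200, 42)",
    "INSERT INTO xf_user_profile VALUES (7, 'Leeds', 27, 10, 1979, 'Regards, J.')",
    "INSERT INTO xf_ip VALUES (1, 7, 'login', '203.0.113.5', 1580000000)",
    "INSERT INTO xf_ip VALUES (2, 7, 'post', '203.0.113.9', 1580003600)",
    "INSERT INTO xf_change_log VALUES (1, 'user', 7, 'email', 'old@example.com',"
    " 'john-smith@example.com', 1579000000)",
]
# One query per category that the reply must address explicitly; public
# posts/threads are not queried, in line with take-away point 3 above.
QUERIES = {
    "account": "SELECT u.user_id, u.username, u.email, u.register_date, p.location,"
               " p.dob_day, p.dob_month, p.dob_year, p.signature FROM xf_user u"
               " JOIN xf_user_profile p ON p.user_id = u.user_id WHERE u.user_id = ?",
    "ip_log": "SELECT action, ip, log_date FROM xf_ip WHERE user_id = ? ORDER BY log_date",
    "change_log": "SELECT field, old_value, new_value, edit_date FROM xf_change_log"
                  " WHERE content_type = 'user' AND content_id = ? ORDER BY edit_date",
}

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for stmt in SAMPLE:
        conn.execute(stmt)
    return conn

def export_sar(conn, user_id):
    """Return every category, with an empty list where nothing is held, so a
    deleted account still yields an explicit 'no data' answer per category."""
    return {name: [dict(r) for r in conn.execute(sql, (user_id,)).fetchall()]
            for name, sql in QUERIES.items()}

def render(report):
    return json.dumps(report, indent=2, sort_keys=True)
```

`render(export_sar(build_sample_db(), 7))` gives the easy-to-read JSON export; on a real install the only change is pointing the connection at the live database and treating the IP column as XenForo actually stores it.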