XF 2.1 GDPR SAR subject access request queries

Stuart Wright

Well-known member
When someone puts in an SAR (subject access request) in accordance with GDPR, forum owners have a legal responsibility to reply with a lot of specific information.
Following such a request and a subsequent complaint by a forum member for non-compliance to the UK data commissioner’s office, I need to ask this question.
What SQL queries do we need to run to supply all of a member’s information?
We need their user record and all the records from associated user tables including user change logs and IP logs.
Also any records from addons such as the user notes system.
I think it’s reasonable to say that publicly posted information does not need to be sent since this was posted by the person. Similarly private messages including the member are deemed private and so shouldn’t be sent. However, private conversations between moderators about that member may need to be included.

In the above case, I got direct help from a person working in the data commissioner’s office (who was extremely helpful) and though the member’s account has already been deleted, so there was no information to send, that didn’t mean I could send ‘nothing’ as a response. I had to amend our privacy policy significantly to comply with GDPR (including adding their address and phone number) and then reply addressing each specific request.

Also I was told that it is not acceptable to delete someone’s account upon receiving an SAR in order to avoid sending the information.

So could someone help specify the queries to run please?
And ideally there should be a function in Xenforo to output all the data in a relatively easy-to-read format.
he couldn't be as specific as I was hoping and the overall message I got was that we are free to make our own interpretation of the rules, provided we can justify them on the first instance of getting in to trouble with the ICO about it.

That is ambiguous to the point of being meaningless - you can make your own interpretation of the rules yet can get into trouble with the ICO over them?

As I said in an earlier post, the ICO is a quango which can only offer guidelines but cannot legally do anything about it.

And in response to a GDPR deletion request - I wish for all the data about me to be deleted - we can refuse to do that in order to detect or prevent crime

I very much doubt anyone would ban a member without just reason, in the main it is for breaking forum rules and conduct whilst using the forums.
So, as in the majority of cases where we have banned a member, the member has berated, threatened, bullied, insulted or told lies about or to another member, all of which could potentially be classed as libelous comments, harassment, threatening, etc, all of which could be presented to a court of law in civil actions, and on that basis you would be justified in refusing to delete any data on the grounds that there may be a future action taken against the individual and you would be deleting evidence should you do so.

Like I posted, it's a can of worms and the only person who would benefit from a SAR would be the sender if you were to pander to his/her request, as they would be achieving their aim, and that is to cause you maximum inconvenience and wasted time.
For clarity, I'm looking for a process which is as simple and easy as possible. At the same time I want to avoid getting hit with a £100,000+ fine, which is what I was told (verbally by an ICO officer) could potentially happen if I didn't comply correctly with the SAR.

Please show me evidence of anybody, business or any institution that has been hit with a £100,000+ fine

You could potentially be hit by a bus crossing the road, it doesn't mean that if you cross the road you are going to get hit by a bus :)

 
Here is some interesting reading regarding a company called Cambridge Analytica, which, as some may remember, was in the news a while ago for using personal information collected via Facebook.


Their main failings were to not heed the enforcement notice given by the ICO.
An enforcement notice is given should the recipient not respond to a SAR correctly and only if the requester pursues it successfully with the ICO.
At that stage you still have a determined time period to respond to the request as per the enforcement notice.
Comply with that and no action can be taken against you, and that's if it gets taken that far in the first place.

Now the interesting part about the article in the link above is that anyone anywhere in the world can verbally or in writing make a subject access request, even via social media.
Going by the letter of the law you would have to comply with all requests within a thirty-day period.
So let's say, for instance, you upset one person, they have a zillion friends on F'Book, they then get all their friends, members or otherwise, to send you SARs all at the same time, and you become inundated with requests. What do you do then :D ?

A hypothetical situation, or not, maybe :)
 
That is ambiguous to the point of being meaningless - you can make your own interpretation of the rules yet can get into trouble with the ICO over them?
Not meaningless. There is interpretation, but if you get reported to the ICO and your interpretation is unreasonable, you might well get into trouble...
As I said in an earlier post, the ICO is a quango which can only offer guidelines but cannot legally do anything about it.
You later quoted an instance of a company getting fined.
Here is another https://ico.org.uk/about-the-ico/ne...ng-developer-fined-for-ignoring-data-request/
So it appears, as you well know, that they can legally do something about it.
all of which could potentially be classed as libelous comments, harassment, threatening,
Depends on what you let your members get away with, but opinion is not libellous, and I seriously don't think you'd successfully argue that someone banned for antisocial behaviour on an internet forum can be refused deletion on the grounds of potential criminal activity.
Like I posted, it's a can of worms and the only person who would benefit from a SAR would be the sender if you were to pander to his/her request, as they would be achieving their aim, and that is to cause you maximum inconvenience and wasted time.
You have a legal obligation to respond to their request. However begrudgingly. I had the same cavalier attitude as you until I got a letter from the ICO.
I would rather set up a system where we could supply all the information in accordance with the law and let them know we did it with a single button press. That way the banned scumbags don't get any satisfaction.
Please show me evidence of anybody, business or any institution that has been hit with a £100,000+ fine
Intending to fine Marriott Hotels £99 million and British Airways £183 million.
£500,000 fine for Facebook https://ico.org.uk/facebook-fine-20181025
Obviously we are small fry compared to those companies, but you asked and I answered.

Going by the letter of the law you would have to comply with all requests within a thirty-day period.
So let's say, for instance, you upset one person, they have a zillion friends on F'Book, they then get all their friends, members or otherwise, to send you SARs all at the same time, and you become inundated with requests. What do you do then :D ?
Since none of them would be members of my forum, I would reply to them all saying that there would be no data.
You would have to do the same. And if you didn't, you'd get a letter from the ICO for each complaint made.

It's convenient to try to sweep the issue under the rug and pretend you have no responsibilities in this area. When you get a letter from the ICO, and I hope you don't, you will either take it seriously or be fined.
I'm not trying to cause trouble here, I'm just making sure that I have a reasonable, easy response in place to SAR requests. Hence my initial query about queries.
 
So it appears, as you well know, that they can legally do something about it.
Anyone can via the courts - it's nothing specific to the ICO.

When the company failed to obey the notice, the ICO brought a criminal prosecution under s47(1) of the Data Protection Act 1998.


However, that company was only fined for not responding to the request.

Any lawyer worth their overpriced hourly fee would be able to argue that as long as you responded using your "own interpretation of the rules", then there is no case to answer, until such time as there are clear and unambiguous legally detailed instructions for responding to a SAR.
 
As I said in an earlier post, the ICO is a quango which can only offer guidelines but cannot legally do anything about it.
Anyone can via the courts - it's nothing specific to the ICO.
Under Article 58 of the GDPR, and Parts 5 and 6 of the Data Protection Act 2018 (specifically sections 142-145, 149-153, 154, and 155-159) the ICO is the supervisory authority in the UK and has the power to investigate, apply restrictions, require controllers to take certain actions, and issue penalties - without having to apply to a court. It may also enter and search premises, and seize equipment, after a warrant from a court.

They're pretty much responsible for the implementation, oversight and enforcement of the GDPR in the UK.
 
When you get a letter from the ICO, and I hope you don't, you will either take it seriously or be fined.
It appears like your only mistake here was not replying to each point in the SAR clearly indicating that you do not hold the data requested for each category, rather than a sentence response. They didn't seem to ask or imply for a complete export of anything related to the user. If anything that'd be counter productive - chucking a ton of data, including bookmarks and posts, at a person makes it harder for them to know what actual personal data you have on file about them.

Ever since the GDPR hit the headlines, people try to exercise data rights that don't even exist. The ICO is likely burdened with a lot of complaints from all kinds of people, most of which are probably invalid. Doing a half-decent job and checking off their boxes of being a 'responsible controller' is almost certainly enough to keep them happy.
 
As per my post here... https://xenforo.com/community/threads/gdpr-sar-subject-access-request-queries.173018/post-1388265

You only have to answer the questions that the requester asks within the SAR

If they make an open ended request, ie "show me all my personal data" , it would not be unreasonable for you to respond to them requesting them to be more specific.
If they then come back with a more specific request then answer each point using short, succinct sentences.

I suppose in all this, there could be one improvement made within XF, and that would be that when a member is banned there is also the option at that time to save their personal details to comply with GDPR to an xml file (as presently available in the options but instead part of the process of banning), and to delete the member, therefore it becomes a semi-automatic process. These options are already available in the ACP but not all on the same page.
These actions could become part of the Privacy Policy, ie 'What happens should I be banned from the forums?'
 
When outputting the IP address to a CSV file from a varbinary field, the output is garbage. What mysql function do I need to run on that field to output the correct text?
Thanks

Edit: found it: INET6_NTOA(ip)
 
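One way to assemble the per-member records the opening post asks for (user record, change log, IP log, add-on tables), and to render the varbinary IP column readable as the last post found, as an added example that is not code from this thread or from XenForo itself. It assumes the XenForo 2.x default `xf_` table prefix, the table and column names shown (in particular `xf_change_log` keyed by `content_type`/`content_id`, and `xf_ip.ip` as a `VARBINARY(16)` holding 4 bytes for IPv4 and 16 for IPv6), MySQL 5.6+ or MariaDB 10.0+ for `INET6_NTOA`, and a placeholder `user_id` of 1234; check each against your own schema before relying on it.

```sql
-- Added example, not from the original thread or from XenForo.
-- Assumed: xf_ prefix, XF 2.x column names, MySQL 5.6+/MariaDB 10.0+,
-- and a placeholder user_id (1234) that you substitute for the requester's.
SET @uid := 1234;

-- 1. Core account record and its 1:1 companion tables (names assumed).
SELECT * FROM xf_user          WHERE user_id = @uid;
SELECT * FROM xf_user_profile  WHERE user_id = @uid;
SELECT * FROM xf_user_option   WHERE user_id = @uid;
SELECT * FROM xf_user_privacy  WHERE user_id = @uid;

-- 2. Changes made to this user's record (XF 2.x keeps one change log table
--    for all content types; 'user' rows are keyed by the user_id). Assumed names.
SELECT change_log_id, edit_user_id, FROM_UNIXTIME(edit_date) AS edited_at,
       field, old_value, new_value
FROM xf_change_log
WHERE content_type = 'user' AND content_id = @uid
ORDER BY edit_date;

-- 3. IP log. The raw column is binary; INET6_NTOA turns a 4-byte value into
--    dotted-quad IPv4 and a 16-byte value into IPv6 text. LENGTH(ip) is kept so
--    any row that is neither length (INET6_NTOA returns NULL for those) stands out.
SELECT ip_id, content_type, content_id, action,
       FROM_UNIXTIME(log_date) AS logged_at,
       INET6_NTOA(ip)          AS ip_text,
       LENGTH(ip)              AS ip_bytes
FROM xf_ip
WHERE user_id = @uid
ORDER BY log_date;

-- 4. Find add-on tables (user notes and the like) that reference users, so
--    nothing is missed. Not every hit is the subject's personal data: tables
--    holding publicly posted content are listed here too and need a judgement call.
SELECT table_name, column_name
FROM information_schema.columns
WHERE table_schema = DATABASE()
  AND column_name = 'user_id'
ORDER BY table_name;
```

Run the statements with `mysql --batch` (tab-separated output, no `INTO OUTFILE` privilege needed) and redirect to a file per query; the `ip_text` column is what goes to the requester, never the raw binary. Query 4 is the part that generalises beyond the tables named in the thread: any add-on that stores per-user data under a column called `user_id` shows up, while add-ons that use a different column name still have to be found by reading their schema.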