GDPR Terms and Conditions


Has anyone set up a lawfully based terms and conditions for their forum?
Reason I’m asking is a member has asked for all his data and posts to be deleted. I agreed to deleting his all his personal or identifiable data such as email, username, IP.
I wanted the posts to stay so the flow of the forum is not interrupted. None of the posts have any information that could be linked to an individual.
I spoke to the ICO, two different employees.
One said because the member gave consent when joining, they have the right to request everything to be deleted. The ICO guy suggested I have terms that are lawfully based. He said, I’m powerless to stop someone rejoining with another account, saying whatever they wish and then requesting it all deleted.

Second employee said that if all personal data is gone and the posts do not identify the person in any way, then I can keep them. I explained it’s necessary to have IP matches to deter fake accounts which could turn into legal issues. As an example, a competitor attacking one of my sponsors. She agreed with this in principle.

Anyone else had something similar?
Any advice welcome.
The default terms should cover you

You are granting us with a non-exclusive, permanent, irrevocable, unlimited license to use, publish, or re-publish your Content in connection with the Service.

I’m not sure about it addresses, however if it is just a list and not linked to a person I would ha thought that is ok. But I’m not a lawyer.
Posts are not personally identifiable information unless they contain PII (e.g. a user's location) etc. Therefore there's typically no reason to remove them. Renaming then deleting the account should be sufficient in most cases.

(Obligatory I'm not a lawyer)
Posts are not personally identifiable information unless they contain PII (e.g. a user's location) etc.
this is true but without the t&c granting you the non exclusive right, then they could argue to remove them based on copyright, irrespective of privacy or gdpr
Yes, nothing in the posts could identify anyone or be linked to a person.
It`s like me saying, I went to KFC for some chicken last Friday, just generic conversation.
But, it’s this consent thing. I said, what if they join with a made up username which most do, a disposable email and a VPN. First ICO person said it does matter. I said that leaves me open to abuse etc. This is when he just start to mention lawfully and sending me to their advice page which when reading can be interpreted differently as it’s not crystal clear.
Top Bottom