Pocket guide to GDPR + Q&A + FAQ

The guy replied, he can't access his original email address any more but he's a GDPR expert and will take "great pleasure" in reporting us to the ICO if we don't comply.
 
The guy replied, he can't access his original email address any more but he's a GDPR expert and will take "great pleasure" in reporting us to the ICO if we don't comply.
In 99,99% of all cases such threats are little more than hot air.
 
The guy replied, he can't access his original email address any more but he's a GDPR expert and will take "great pleasure" in reporting us to the ICO if we don't comply.

Tell him that you take data security very seriously, and you can't just take a random email as proof that they used to own a particular account.

You could also point out that as said email is not theirs anymore, it's no longer their personal information.
 
"Hi internet troll...

I don't think it's a good idea to insult someone like this even if they are in fact a troll. For one thing, it could motivate them to actually make a formal complaint. For another, if it ever were to go to a court, it could make it look like you aren't taking the user's rights very seriously.

I would simply state without insult that if they can't prove it is their account, then I cannot provide them with the personal data associated with that account. However, after first confirming that the account did not belong to someone else, I would delete all content and personal data associated with it. It's not worth (to me) fighting over one individual's posts, no matter how many posts that is.

Also, if this person is correct that your website terms state that an account cannot be deleted, then that is something you should edit if you want to comply with the GDPR.
 
GDPR doesn't require us to delete accounts..?
There are exceptions that they outline. I've posted a few excerpts in the GDPR thread and tagged you in them. Hopefully that helps you some but I would continue reading through the documents of the GDPR as there are quite a few "loopholes". The way I'm reading it, it seems this is aimed at abusers of personal information, which I highly doubt many of us here do. We do it to ensure the safety, rights and freedoms of individuals who use the site and if someone like the guy who is emailing, being a banned user, can threaten that. Plus, you need to keep those records in the event he tries to come back and cause issues with you or your other members. You need to protect your users on your site from the likes of him.
 
Do we need to mark all email notification defaults to unticked/off for new users?

I have the same concern.

Changing the new user welcome email to a conversation is a safer option, but is it against GDPR to have the "Receive email when a new conversation message is received" option ticked by default in the User Registration options?

XF provides an opt-in during registration option for the news and updates emails:

Is there a way to have a similar opt-in checkbox during registration for the conversation emails as well?
 
For existing users, do the email preferences need to be unchecked for all, and then have all of them opt-in for 'news and updates' emails and conversation notification emails?

According to this article:
"If you can’t identify how, when, and where consent was obtained, the best option in order to be compliant is to ask (to communicate with contacts) again."
"For some businesses, this may mean you need to re-permission your entire database. For example, you’ll need to re-permission if you’ve always used a “pre-checked” box for “consent by default” — which is no longer sufficient under the GDPR."

XenForo offers an opt-in and logs the selection for only the 'news and updates' email, only at the time of registration.
 
Will GDPR be a problem when buying another forum? The GDPR user agreement and so forth are all connected with the previous owner/domain.

Will we need every single user's permission before we transfer their data to another server/domain/owner?
 
Will GDPR be a problem when buying another forum? The GDPR user agreement and so forth are all connected with the previous owner/domain.

Will we need every single user's permission before we transfer their data to another server/domain/owner?

Yes, it does read that way, as one of the key reasons GDPR was brought into effect was to stop the sale of databases of people's information without their consent.

It does seem to be that there might be a provision in that if you assume the entire business (if possible?) it would just be considered carrying on as normal, even if the business owner changes.

Obviously if you then look to fold that company into your existing one, you're back to square one.

As always, with something like this it may be wise to seek official legal advice, especially if money is changing hands...
 
Yes, it does read that way, as one of the key reasons GDPR was brought into effect was to stop the sale of databases of people's information without their consent.

By removing e-mail, IP logs and so forth, and just keeping the usernames + passwords; would that suffice in order to move the database without having to request permission first?

Otherwise I don't really see how it's possible to transfer a forum from one owner to another in any practical way. Sure, we could try and send everyone an e-mail requesting their permission, but we'll only reach a minority. A huge amount of accounts would have to be deleted. Many members come and go, some with months or even years apart.

Won't this pretty much kill any forum as soon as the owner isn't able to maintain it anymore? That's sad, to say the least.
 
Yes, it does read that way, as one of the key reasons GDPR was brought into effect was to stop the sale of databases of people's information without their consent.

Interesting problem. It would technically be the sale of a database full of email addresses along with in some cases plenty of profile information.

You may be safer if the forum is part of a business that is a limited company, in which the same company still owns the database, just a different owner of the company. Most privacy policies would say something like the data would not be sold to a 3rd party, so if still owned by the same entity (company) that clause may be OK (but I think as Slavik said, legal advice may sadly be best way ££££$$$$).

Other solutions may be to have a privacy policy that states up front a clarification that data itself will not be sold on, but that the company that owns the database can be sold. At least people know then what they have signed up to.

Or, just ask permission of all users before selling. (This is what I would do) Let them know to whom it is being sold to so they can check out that company/person and any privacy policy they may have. The company buying may not be too happy if half your users then up and leave!

But then, if the buying company or individual has a different privacy policy to the existing, then they should be informing everyone of that anyway.


By removing e-mail, IP logs and so forth, and just keeping the usernames + passwords; would that suffice in order to move the database without having to request permission first?

A couple of problems with that:

  • It could be very annoying for everyone to have to re-add their email address, plus they won't even get a notification they have to - they would just stop getting all email notifications.
  • It may still not be legal under GDPR due to other data that could identify the user.
 
Or, just ask permission of all users before selling. (This is what I would do) Let them know to whom it is being sold to so they can check out that company/person and any privacy policy they may have. The company buying may not be too happy if half your users then up and leave!

Yes, maybe, if it's possible to have the old site running for quite some time, at least a month or so I imagine, in order to collect a large enough user base.

Any members that don't sign on on a regular basis will be lost though, and this is a fairly large user group.
 
Any members that don't sign on on a regular basis will be lost though, and this is a fairly large user group.

I meant you would send out a newsletter via email. Of course anyone who opted out of site mailings would miss it.
 