Pocket guide to GDPR + Q&A + FAQ


Slavik

XenForo moderator
Staff member
Slavik submitted a new resource:

Pocket guide to GDPR + Q&A + FAQ - A quick rundown for most forums.

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. This will come into force on 25th May 2018.

This law is applicable...

 
Thank you for this guide, Slavik.

I have a question: what about if you use a transactional email service (like SparkPost, SendGrid ...) for sending emails - is this OK with GDPR, or does this mean I'm exporting data to 3rd parties? Do I need to mention this in my T&C?

If you know the answer - thank you.
 
I have a question: what about if you use a transactional email service (like SparkPost, SendGrid ...) for sending emails - is this OK with GDPR, or does this mean I'm exporting data to 3rd parties? Do I need to mention this in my T&C?

Best practice will be to inform your users of this in your policies, with a link to the service provider's GDPR policy. While it can be argued it may fall under the exemptions for required functionality, many of these services have additional logging/tracking/statistics which may retain the email address.
 
Thanks for your guide, Slavik. I have been into that GDPR stuff now for a few months, working myself through the printed law, and started wondering if you contacted a lawyer or similar and your written conclusions are the result of their legal advice. Since you haven't made clear what your information is based on, I assume your pocket guide is only your personal opinion. If so, there is nothing wrong with that so far, except you should make that point more clear. Since you show up as a moderator, the pocket guide could easily be misunderstood as some sort of official statement of XenForo LTD regarding the GDPR.

No offense meant, but I am afraid, from what I have learned by now about the legal scope and the expected impact of the GDPR on forum owners, unfortunately your conclusions - or suggestions - won't satisfy the GDPR requirements, and it appears to me more as a superficial or very coarse-grained approach to a fine-grained problem. A German crew at xenDACH is working - with a bunch of IT and media lawyers and with advice of their national data privacy agency - on a GDPR addon. From what I can read there, their approach to the content and scope of the addon seems very promising and in-depth. Why not team up with them?
 
A German crew at xenDACH is working - with a bunch of IT and media lawyers and with advice of their national data privacy agency - on a GDPR addon. From what I can read there, their approach to the content and scope of the addon seems very promising and in-depth. Why not team up with them?

All my information and insight has come from direct conversations with the ICO. To not put too much of a fine point on it, the German interpretations that I've read have all been *way* over the top. An example being to do with email opt outs, suggesting *all* emails required 1 click opt out. The ICO have categorically said this is not needed.
 
All my information and insight has come from direct conversations with the ICO.
I hear you, but the ICO - as surprising as it will be for most - isn't the national instance. Instead it's important for everyone to understand that the ICO has produced the framework agreement, and each European state has to come up with its own implementation act and supplement law that can be identical to the framework, but also can be - and, as far as you can see by now in the countries which have published them, is - in minor or major parts different. Austria, for example, has lowered the framework standards extremely in nearly all points in their supplement law, which passed the federal council on Wednesday. Vice versa, Germany has raised them and hardened the penalties and fines. For that reason the German approach is oriented on the German supplement law and IMO fits - for that German implementation - nearly perfectly. Maybe you should have that in the back of your mind, since every country will have different ones. To neglect that could produce some really bad days for forum owners relying on the ICO-has-the-lead thing. Guess no one wants that.
 
since every country will have different ones.

To have differentiating laws on the same framework would create incompatibilities in enforcement.

For example, what happens if an American site following ICO guidance is litigated against by a German national who has different interpretations? It can't work like that, the standards and enforcement have to be the same. Or at least at a standardized minimum level.
 
To have differentiating laws on the same framework would create incompatibilities in enforcement.

For example, what happens if an American site following ICO guidance is litigated against by a German national who has different interpretations? It can't work like that, the standards and enforcement have to be the same. Or at least at a standardized minimum level.

I know - it sounds absurd. But if you don't believe me, just check your favorite news site for the Austrian law that has passed recently and raised headlines in German-speaking newspapers. Or check the German one. They are both online. It's not that I want your guide to look bad, it's just that the national lawmakers make it even more absurd and difficult to follow through.
 
Spanish translation: https://xenfacil.com/recursos/guia-...guntas-y-respuestas-preguntas-frecuentes.127/ and ...
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in European Union law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the European Union. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the European Union. It comes into force on 25 May 2018.

This law is applicable to each and every website and forum that may have members residing in the European Union, with varying degrees of uncertainty about what must be done to remain compliant.

This guide is not designed to be completely comprehensible; however, it will describe the key factors to take into account. This does not constitute official legal advice, and you should contact a lawyer or consultant if absolute guarantees are needed.

For most forum owners, these can be broken down into the following points:
  1. Hosting - Are you a self-managed or a managed service? Is your host GDPR compliant?
  2. Security - Are the server software and web applications up to date?
  3. Information - Do you tell people what you place on their computers when they visit your site (cookies, tracking files)?
  4. Consent - Do you allow people to opt out of tracking or the placement of files?
  5. Data collection - What do you collect about people who visit or register on your site?
  6. Processing - How do you use the data?
  7. Refusal - Can people opt out of the use made of the data?
  8. Erasure: Can people request that their data be deleted?
  9. Portability - Can users' data be moved elsewhere?

Stop. Don't panic. For most forum owners, these points may need only minor tweaks to the website or to the usage policies.


1) + 2) Security is important. The vast majority of forums are on shared or managed hosting. Take the time to ask your host what its update policy is for server software. How often are system updates run? How often are key software packages reviewed? What is its policy on patching critical vulnerabilities such as Meltdown, Spectre and Heartbleed?

If you are a self-managed service, consider whether you are able to maintain the server regularly.

Old and outdated software: Do you really need that 5-year-old WordPress install? Or a CMS from a thousand years ago? If so, make sure it is up to date or kept safely behind a password-protected .htaccess directory. Most security breaches relating to XenForo forums come from outdated third-party software. Be brutal, be honest: if you don't need it, get rid of it.

3) + 4) XenForo will place several cookies on the user's computer when they visit the site. You may have additional cookies, for example if you use Google Analytics or Cloudflare.

Functional cookies are exempt from requiring "explicit consent". This also includes Google Analytics as of the writing of this guide. Notified consent is considered good enough. (For example, a banner informing the site visitor that they have been placed, and a page on your site that explains what each cookie does and how they can be removed.)

It appears that the approach taken on cookies by many of the big companies, including the ICO, is to tell people that you are placing them (implied consent) and show them how to refuse / disable them at the browser level, with a warning that the site may not work properly without them. For example
It is safe to assume these guys have lawyer minions telling them this is acceptable, so we suggest mirroring that approach.

When do I need an explicit opt-in for cookies? Cookies that contain a user's personal data and are not required for the site's functionality will need explicit acceptance with the ability to disable them. Examples of such cookies may be advertising cookies that track a user's browsing habits, or affiliate cookies that track whether a user has used a referral link. The providers of these services should provide the relevant guidance for their services.

5) + 6) + 7) + 8) What do you expect, my friend? Dealing with 4 points at once? Yes! And I'll tell you why. While some websites and drama queens will tell you the GDPR will cause nightmares and headaches, we'll break down the key points relating to forums because they are fairly simple.
  • Unless you export your data to third parties for reasons such as sending marketing emails, most forums will never run up against the GDPR, except when a user is trying to use it to "bust your balls".
  • The data most forums collect will be reasonable for running the website.
  • As long as you have clear, easy-to-follow policies regarding data use, what you do with it, etc., you have little to worry about.
  • You must comply with a user's request to stop sending them emails if they ask.
  • The right to erasure is not an absolute right. This means that if you have a legitimate interest in keeping a user's data, such as email, username and IP addresses, you do not have to delete the user's account. The example in which most forums will refuse to delete an account will be to enforce a one-account-per-person policy or to keep records of banned / troublesome users.
  • Likewise, you do not have to delete users' posts, since keeping them is a legitimate interest for running your forum.
9) This part is somewhat ambiguous at the moment. Even the ICO has contradictory guidance on it. The implications are that if a user requests it, you must give them back a copy of the data they provided to you. There is no common agreement on the format scheme or on its use, especially on websites whose sign-ups may involve very basic data. Most likely a tool will be used to simply give them the account data from the user's profile in a CSV file.

What is the TL;DR?
If you do not move any data out of XenForo and only run your site on the XenForo platform, you have little to worry about, since the email options and mail-sending options are built in to standards that are considered acceptable.

You will need a cookie popup and a page that explains what the cookies do and how they can be removed.

If you have an account policy, you can claim legitimate interests to refuse the deletion of member accounts. The same can be said for posts made on your forum.


If you have specific questions, ask them. This resource will be kept updated with any frequently asked questions and/or discussion.
 
I'm assuming that the fewer people are involved in handling our site's data, the easier it will be to be compliant with GDPR. For that reason, I'm dropping support for OneSignal, Pushbullet, Pushover, Facebook login, etc.

One thing I'm questioning is whether to drop Amazon SES and simply use the default email transport method instead. From past experience, I know that making this switch will mean that some people won't receive email properly. I'm just wondering if that is a good tradeoff.
 
The right to erasure is not an absolute right. This means if you have legitimate interest in holding onto a user's data, such as the email, username, IP addresses, you don't have to delete a user's account. The example most forums will refuse an account deletion on will be to enforce a 1 account per person policy, or maintain records of banned/troublesome users.
To what extent do you think this is reasonable?

Do you believe a forum's "one account per user" policy really overrides an individual's right to data erasure?

I'm aware that laws that require the retention of data can override interest in erasure. Additionally, I believe health providers are also able to retain data despite erasure since they qualify under other provisions of consent, but even NHS guidelines on the GDPR are somewhat vague right now (given the right to withdraw consent). No further data on their erasure guidelines have been given. I really don't think this reasoning will be valid, and I don't think it should be. That would effectively make the right to erasure nil, since *any* provider could just say we retain an X policy which requires us to keep X data. I do not think such a policy overrides the revocation of consent.

What article of the GDPR allows for this?
 
Article 21(1):
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Article 6(1)(f) is the closest to a valid exception to process data without consent that would be applicable here:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The next closest is Art 17(3)(e):
for the establishment, exercise or defence of legal claims.

I'm not sure to what extent you can consider that the retention of the above data will reasonably assist in legal claims. And I'm not sure if such legal claims need to already be brought forth, or if you can keep the data waiting for the possibility of such claims.

Overall, I do not think your quote to enforce such a policy will override the fundamental rights and freedoms of the data subject. Hence, I do not think your argument holds at all. I'd err on the side of caution and just remove the data, to be honest.
 
I'm assuming that the fewer people are involved in handling our site's data, the easier it will be to be compliant with GDPR. For that reason, I'm dropping support for OneSignal, Pushbullet, Pushover, Facebook login, etc.

One thing I'm questioning is whether to drop Amazon SES and simply use the default email transport method instead. From past experience, I know that making this switch will mean that some people won't receive email properly. I'm just wondering if that is a good tradeoff.
The point of the GDPR isn't so you stop processing data. To remove services that may help your users just because you don't want to understand how far you need to go with the GDPR to make clear the processing and sharing of data with those services is kinda a bad idea. All you really need to do is alter your privacy policy slightly.
 
To what extent do you think this is reasonable?

What article of the GDPR allows for this?

https://ico.org.uk/for-organisation...ul-basis-for-processing/legitimate-interests/

While there may need to be some balancing done to decide where to draw the line (eg, it may just be easier to remove zero or very low post count accounts), on the whole if someone comes screaming GDPR at you demanding the removal of their account after making posts, or causing trouble, getting a bad rep etc, you have every right to refuse on the grounds of legitimate interests.

You may decide to compromise and remove any additional profile information they enter not relevant, but a username, email and IP fall easily under that scope.

Let's not ignore the elephant in the room, and that is there will be very few legitimate right to erasure requests made. Most will be made by problematic members trying to leverage the law to make your life difficult. (eg https://xenforo.com/community/threa...d-data-portability.128028/page-3#post-1246076) No normal person is going to come screaming lawsuit, they will make a polite request.
 
The point of the GDPR isn't so you stop processing data. To remove services that may help your users just because you don't want to understand how far you need to go with the GDPR to make clear the processing and sharing of data with those services is kinda a bad idea.

I'm just one guy, and I do these sites as a hobby. I have to make this as easy as possible on myself.

Guess I answered my own question there. I'm gonna switch from SES back to default email.
 
https://ico.org.uk/for-organisation...ul-basis-for-processing/legitimate-interests/

While there may need to be some balancing done to decide where to draw the line (eg, it may just be easier to remove zero or very low post count accounts), on the whole if someone comes screaming GDPR at you demanding the removal of their account after making posts, or causing trouble, getting a bad rep etc, you have every right to refuse on the grounds of legitimate interests.

You may decide to compromise and remove any additional profile information they enter not relevant, but a username, email and IP fall easily under that scope.

Let's not ignore the elephant in the room, and that is there will be very few legitimate right to erasure requests made. Most will be made by problematic members trying to leverage the law to make your life difficult. (eg https://xenforo.com/community/threa...d-data-portability.128028/page-3#post-1246076) No normal person is going to come screaming lawsuit, they will make a polite request.
Sure, they'll make a polite request. But if the data controller refuses and the citizen believes it's within their rights, they'll try to act threatening. In reality, the best they can do is report it to the ICO (or another DPA in another EU member state) and see if they investigate. You don't leave someone much choice if you refuse a legitimate request, of course they usually can't do anything but I'd fully expect someone whose GDPR rights aren't upheld to lodge a complaint.

With that ICO guide, the main point is "balance it against the individual’s interests, rights and freedoms". It's derived from the GDPR directive and the directive applies before any ICO applications in a bullet pointed list. Even if the ICO refuses to enforce the GDPR in its exact text, another DPA has the right to request enforcement too. The ICO is not the only data protection agency you can complain to, you can complain to any EU member state's DPA. I don't think the retention of email and IPs to enforce a one account policy holds more weight than an individual's interests, rights and freedoms, tbh.

All requests for erasure should be legitimate, provided they aren't asking for the deletion of content, etc, and do not request you to remove data that is required for you to uphold legal requirements.
 
I'm just one guy, and I do these sites as a hobby. I have to make this as easy as possible on myself.

Guess I answered my own question there. I'm gonna switch from SES back to default email.
If you're trying to comply I recommend you also get registered as a data controller. If you're located outside of Europe you may need to appoint an officer.

If you're not willing to pay those application fees, provide the necessary data and be subject to further scrutiny then I don't see the point of hassling over things like SES vs default email.
 
I don't think the retention of email and IPs to enforce a one account policy holds more weight than an individual's interests, rights and freedoms, tbh.

I specifically asked this point, and was told yes. It is your legitimate interest if you have a 1 account policy and it is reasonable to assume any person signing up and agreeing to that policy would see it as a fair way to enforce it.

The right to erasure is not an absolute right, it's more a right that allows you to have superfluous information held by companies about you to be removed. That's why there are so many exemptions to it.

If you disagree, that is your prerogative, however unless you have started working for the ICO, I'm going by their word :)
 
So, with regards to a 1 account policy, (which IS enforced by us unless there's a specific reason otherwise) is this something that needs to be stipulated on your T&C's as well as privacy policy too?
 
So, with regards to a 1 account policy, (which IS enforced by us unless there's a specific reason otherwise) is this something that needs to be stipulated on your T&C's as well as privacy policy too?

Well a 1 account policy is something that would be a t+c of the site... nothing to do with your privacy policy really.
 