GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

Permabear

This post has been deleted.

IRE60

Bob24 wrote: »

(the underlying question being: if a post contains personal information about someone who is not a registered user, will boards treat that person as a data subject in the sense of the GDPR?)

They are not processing that data. A post containing 'personal data' ie the name of someone - they are not 'processing' it. They are displaying it or publishing it, no processing. If that were the case then the media would be unable to operate as of midnight!



I think we are reaching here.

uck51js9zml2yt

Permabear wrote: »

This post had been deleted.

All someone needs to do is request deletion of posts and then close their account.

Fred Swanson

This post has been deleted.

Fred Swanson

This post has been deleted.

Creative83

So the can of worms has been opened...


From tomorrow I could request that every single one my posts be deleted is my understanding judging by Seans post :eek:

Franz Von Peppercorn

seamus wrote: »

There may be no change

Boards has a privacy policy. If it's already GDPR compliant, then no notification is required.

They would be in a minority, but it's possible...

Because nobody cares.

You'll find GDPR is largely the same. Unless the website is being underpinned by a limited company with audited accounts and a legal team, nobody is going to pay a blind bit of notice to GDPR.

If someone raises a query and the DPC comes in, they'll get a warning, some helpful tips on how to fix their issue, and then that'll be it. Big companies with lots of staff and spare money will get treated more harshly for ignorance of the rules, but Jimmy who runs a karate school with 30 members isn't going to be fined for GDPR failures.

That’s right. The DPC say themselves they will give companies time to comply after the first warning. Court cases are for the last resort.

Individuals can bring a court case against boards but that case will not be private.

LoLth

another reason to protect the security of access to your account

Franz Von Peppercorn

Permabear wrote: »

This post had been deleted.

You continue to beat your well beaten drum.

No software provider for forums agrees with you. And as I said already users can be annoymised per thread on deletion.

Sleeper12

Fred Swanson wrote:

How do I prove I am Fred Swanson? This will be an issue for those that post under a pseudonym. How does a person prove that they posted under a pseudonym?

My real name isn't Sleeper12 but it is linked to my email address and IP address. I assume that's enough information.

I can't remember what information I gave when I joined . I possibly /probably gave my name then

Sleeper12

Franz Von Peppercorn wrote:

He’s always argues like that. He found one phrase in the GPDR handbook about privacy being violated by a natural person being identifiable by political views etc and assumes that all political posts can identify the natural person.

Franz Von Peppercorn wrote:

The mistake has been pointed out a few times but back he comes with the same boilerplate argument.

Well I might disagree with him but I thank him for starting the thread & asking the original questions. It's been interesting & has educated quite a few posters.

Creative83

I take exception to this part of Sean's post...


These requests must be sent via a Private Message (PM) to the following recipient Boards.ie: GDPR (if for any reason you are unable to access or send a PM please email datarequests@boards.ie and we will get back to you with further instructions).


No, the onus is on Boards to delete the data as is my understanding. No "further instructions" are necessary... This looks like Boards will try to say that the user has that responsibility in their "further instructions".

Tokyo

Creative83 wrote: »

I take exception to this part of Sean's post...


These requests must be sent via a Private Message (PM) to the following recipient Boards.ie: GDPR (if for any reason you are unable to access or send a PM please email datarequests@boards.ie and we will get back to you with further instructions).


No, the onus is on Boards to delete the data as is my understanding. No "further instructions" are necessary... This looks like Boards will try to say that the user has that responsibility in their "further instructions".

Well no... the user has the responsibility to verify their identity.

A PM request implicitly verifies the identity of the person requesting post deletion, whereas anybody can send an email. I would imagine that the "further instructions" would be instructions on how to verify that you are actually the owner of the account from which you want posts deleted.

Creative83

mike_ie wrote: »

Well no... the user has the responsibility to verify their identity.

A PM request implicitly verifies the identity of the person requesting post deletion, whereas anybody can send an email. I would imagine that the "further instructions" would be instructions on how to verify that you are actually the owner of the account from which you want posts deleted.

Fair enough

Fred Swanson

This post has been deleted.

Tokyo

Fred Swanson wrote: »

This post has been deleted.

How so? I don't think it's an unreasonable request, considering the alternative:

To: datarequests@boards.ie

Hi guys,

please delete all 20,909 posts of mine immediately.

Regards,
Mike Fred

Creative83

mike_ie wrote: »

How so? I don't think it's an unreasonable request, considering the alternative:

How would they verify?

Pelvis Parsley

What about a banned user who made an arse of themselves?

OldMrBrennan83

This post has been deleted.

Tokyo

Creative83 wrote: »

How would they verify?

I can't speak for boards here, but I'd imagine that one way would be a confirmation email through the email address used to create the account.

Sleeper12

Patww79 wrote:

This post has been deleted.

If you are a current member yes but it seems if I quoted your posts you can't request that they be deleted. Only the original post you made. If I quote you its my data

Creative83

Patww79 wrote: »

This post has been deleted.

Apparently so

OldMrBrennan83

This post has been deleted.

Bob24

IRE60 wrote: »

They are not processing that data. A post containing 'personal data' ie the name of someone - they are not 'processing' it. They are displaying it or publishing it, no processing. If that were the case then the media would be unable to operate as of midnight!



I think we are reaching here.

They are processing it. Media have an exemption.

Sleeper12

Patww79 wrote:

This post has been deleted.

Read back the last page or so. You'll find a long post from boards.ie explaining everything. You just have to prove that you own the account.

OldMrBrennan83

This post has been deleted.

uck51js9zml2yt

Fred Swanson wrote: »

This post has been deleted.

they can run a script quiet easily. try searching 40 million emails for a keyword:)

StupidLikeAFox

mike_ie wrote: »

I can't speak for boards here, but I'd imagine that one way would be a confirmation email through the email address used to create the account.

That email address will be deleted

Nody

I think there will be a lot of disappointed users who did not read the post to the last sentence which I've bolded since people apparently missed it.

Boards.ie: Sean wrote: »

User Posts

For users with an active Boards account, posts made by a user can be associated with other information held by Boards that relates to an identified or identifiable natural person (for example a post can be associated with a user’s email address and/or real name). Therefore, posts made by a user with an active Boards account are considered personal data and GDPR regulations apply to these posts, including the right of erasure. As such, from 25 May we will begin to process requests for erasure of posts from users with an active Boards account. These requests must be sent via a Private Message (PM) to the following recipient Boards.ie: GDPR (if for any reason you are unable to access or send a PM please email datarequests@boards.ie and we will get back to you with further instructions).

For closed accounts all personal data (other than users’ posts) will be deleted. Therefore, posts made by users whose accounts were subsequently closed cannot be associated with other information held by Boards that relates to an identified or identifiable natural person and as such are not considered personal data and GDPR does not apply to this data.

In specific instances where the content of a post contains sensitive data or data that could be used to identify an individual we will consider requests to edit or delete the post; these will be dealt with on a case-by-case basis.

That is not the same as blanket deleting 21k posts; that's the user pointing out which of those 21k posts identify them and then it is reviewed and considered. Sorry to be a spoil sport but since closed accounts are not applicable for the process (as per the previous section) that part can only apply to existing accounts.

On a completely separate note based on the above policy the easiest way for boards to process this would be to simply close people's accounts since that removes all the relevant personal data they hold. Not that I think boards would use that as policy but per the policy definition it's the fastest way to become compliant per say.

Sleeper12

Nody wrote:

That is not the same as blanket deleting 21k posts; that's the user pointing out which of those 21k posts identify them and then it is reviewed and considered. Sorry to be a spoil sport but since closed accounts are not applicable for the process (as per the previous section) that part can only apply to existing accounts.

I'm reading it that the case by case is for closed accounts.

I'm reading it that open accounts the posts are part of personal data and you can have some or all deleted. On request.

Nody

Sleeper12 wrote: »

I'm reading it that the case by case is for closed accounts.

I'm reading it that open accounts the posts are part of personal data and you can have some or all deleted. On request.

They only need to delete the posts that contain personal data and you as a user has to point out what is the post with personal data and what said data is. That is not the same thing as deleting 21k posts by claiming "I think I can be identified in some of them". For example take your last post; in what way would that post identify your real life identity? It does not in any way do so and hence there's no reason for them to delete it; now if you signed every post with your real life name that would be a reason for it.

Dtp1979

I’ll keep this simple, if I do nothing and don’t want my account altered in any way, will any of this effect me?

Fred Swanson

This post has been deleted.

Sleeper12

Dtp1979 wrote:

I’ll keep this simple, if I do nothing and don’t want my account altered in any way, will any of this affect me?

No.
Doesn't effect me either. I'm happy to leave all my posts

Sleeper12

Nody wrote:

They only need to delete the posts that contain personal data and you as a user has to point out what is the post with personal data and what said data is. That is not the same thing as deleting 21k posts by claiming "I think I can be identified in some of them". For example take your last post; in what way would that post identify your real life identity? It does not in any way do so and hence there's no reason for them to delete it; now if you signed every post with your real life name that would be a reason for it.

I'm on the side of leaving all the posts but the official statement says that current members posts are part of their data while they are members & anything & everything can be deleted.

Closed accounts the posts are no longer a person's data & they'll be handled on a case by case.

That's how I read the statement anyway. Maybe I picked it up wrong.

Bob24

Sleeper12 wrote: »

I'm on the side of leaving all the posts but the official statement says that current members posts are part of their data while they are members & anything & everything can be deleted.

Closed accounts the posts are no longer a person's data & they'll be handled on a case by case.

That's how I read the statement anyway. Maybe I picked it up wrong.

That’s the way I read it as well.

Basically what they are saying is that while you have an active account they consider your post to be your personal data because they can be linked to your personal details (such as the email address associated to your account).

But their view is that since when you close your account they will delete the personal details (email, etc) associated to the account, these posts are not your personal data anymore as they can’t be linked to you anymore.

Permabear

This post has been deleted.

Sleeper12

Permabear wrote:

This post had been deleted.

I'm smiling now. Permabear at last we agree on something!

Ken.

I'm reading it as only stuff that identifies me so for example this post in no way identifies me so I can't ask for it to be deleted. I honestly don't know.

seamus

Putinbot wrote: »

I'm reading it as only stuff that identifies me so for example this post in no way identifies me so I can't ask for it to be deleted. I honestly don't know.

So basically, if you're registered you can delete anything and everything.

If you're not, you can't.

However there is a process so that if you posted anonymously or in a closed account and there's a post containing details that identify you, boards will consider one-off deletion requests.

My understanding is that most of this has pretty much been possible previously anyway. The only major change is the registered users' right to demand post deletions.

Bob24

seamus wrote: »

My understanding is that most of this has pretty much been possible previously anyway. The only major change is the registered users' right to demand post deletions.

Also one thing which should change but is not said explicitly in the new policy, is that when you make a deletion request in this way the post should be completely and permanently deleted from all of boards’ system, as opposed to simply being hidden from the website for regular users previously.

seamus

Bob24 wrote: »

Also one thing which should change but in not say explicitly in the new policy, is that when you make a deletion request in this way the post should be completely and permanently deleted from all of boards’ system, as opposed to simply being hidden from the website for regular users previously.

I think that's generally been the case if you went through official channels.

However the last time I was a mod, mods couldn't do this so if you asked a mod to delete it rather than an admin, it was only be soft deleted.

Sleeper12

Bob24 wrote:

Also one thing which should change but in not say explicitly in the new policy, is that when you make a deletion request in this way the post should be completely and permanently deleted from all of boards’ system, as opposed to simply being hidden from the website for regular users previously.

If it's deleted under GDPR then it is a permanent deletion from their system, hard drive, cloud etc.

Bob24

seamus wrote: »

I think that's generally been the case if you went through official channels.

However the last time I was a mod, mods couldn't do this so if you asked a mod to delete it rather than an admin, it was only be soft deleted.

Actually this relates to another question I would have about data access requests. It is not said explicitly in the policy but I assume any post made by a registered user which was soft deleted by a mod (and is thus still present on boards servers but not visible to the user) will be included in these requests, so that users are given the opportunity to review those posts and request full deletion if the wish to do so.

Can someone from boards confirm this is correct?

Permabear

This post has been deleted.

Lorelli!

Putinbot wrote: »

I'm reading it as only stuff that identifies me so for example this post in no way identifies me so I can't ask for it to be deleted. I honestly don't know.

I'm not sure but the way I'm reading it is that every post you make while still active is connected to your email even if whats written in the post itself doesn't give away any identifiable information.

For closed accounts, the data has been deleted so the posts are no longer connected to an email and therefore do not have to be deleted but will be considered in certain cases.

Ken.

This to me is an example of a data processor doing it right.

J.pilkington

My knowledge of gdpr isn’t as in dept as some of the posters here, but is an obvious efficient option for boards and users simply for boards to re-enable the delete and edit option for posters and this will save everyone a lot of time by having users do their own clean up.

Appreciate the argument that this can disrupt threads but in reality so will the boards team having to do this themselves, most other discussion forums (including the newer generation such as redit / Facebook and Twitter) already have this option and it works very well.

To me it seems like boards are making the process for the user really awkward by having it so manual and thus hoping that users simply won’t bother.

I know if I wanted to delete certain content from boards my preference would be to firstly delete the content I want to remove myself and then close my account. All this interaction and emails and having to send evidence is a pain in the a55 for everyone.

I suppose if it’s unpaid volunteers doing the work on behalf of the commercial profit making company maybe boards don’t care as it’s no skin if their back?

Fred Swanson

This post has been deleted.

OldMrBrennan83

This post has been deleted.