GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**

pleas advice

the posts haven't been deleted, the postcount has just been reset to zero, it could just as easily be set to 50 or 100

Franz Von Peppercorn wrote: »

Boards could easily say " We can delete all posts but we are also deleting your email and login information when we do this"

Which is an automatic closure.

But should it automatically mean a siteban as well? the serial 'close account and re-register' is bad enough, people should be able to keep their username / account after deleting their posts if they want, IMHO

Bob24

Franz Von Peppercorn wrote: »

Its like me asking my ISP to delete all records they have of me while I continue to use the service. Just delete my address, emails and direct debit info, Ill continue to use the service.

No it is not the same.

Your direct debit info is essential to delivering the service (which requires to take payment, so if it is deleted the service needs to stop). Unless you decide to start paying by credit card or another payment method, in which case there will be no problem asking to delete direct debit info under GDPR.

Your whole whole post history is not essential to you using the service, so the service can keep being provided it is deleted (as illustrated by the fact that boards chose to do just that while your ISP would never chose to keep your service active if you don’t have an active payment method).

Franz Von Peppercorn

Bob24 wrote: »

No it is not the same.

Your direct debit info is essential to delivering the service (which requires to take payment, so if it is deleted the service needs to stop). Unless you decide to start paying by credit card or another payment method, in which case there will be no problem asking to delete direct debit info under GDPR.

Your whole whole post history is not essential to you using the service, so the service can keep being provided it is deleted (as illustrated by the fact that boards chose to do just that while your ISP would never chose to keep your service active if you don’t have an active payment method).

The whole post history of everybody is essential to the business case of this service.

You were implying that it would be illegal to kick someone out for asking for a deletion of posts. I don’t think that deletion of non identifiable posts is essential under GDPR anyway but if it were it could easily apply to closed accounts only or cause a close account on request. Why? Because a GDPR request should be about the most pertinent identifying data - emails and ip addresses not posts. So a request to data deletion should be everything.

Look at the knots the forum has gotten into over deleted emails and old accounts. On the one hand we hear that they will allow existing members to delete all old posts for reasons of anonymity. On the other they don’t delete the post history of older accounts.

If posts were identifying this clearly wouldn’t be an issue. They aren’t, so it is.

How did a request for full data delete avoid deleting the username and password as well? Surely if this information was removed as well, users could have been able to log in again.

.......

This post has been deleted.

Bob24

Franz Von Peppercorn wrote: »

The whole post history of everybody is essential to the business case of this service.

This statement is very questionable as you are now equaling an individual right given to users to delete their post history (which is what we were discussing) to the disappearance of the whole post history on boards. And specifically boards’ management doesn’t agree with that statement as they are indeed allowing this type of deletion while obviously still trusting their business case and thinking it has a future: makes it hard to call something “essential” if the management of the company says is rather fine with doing away with it.

(plus in any case GDPR doesn’t care about “essential to the business model”, it cares about “essential to deliver the core service the user is accessing”)

Also just to be clear, I am not saying it would definitly be illegal to ban a user who requests all their posts to be deleted. I’m saying I can see how a legal case could be made to say it is a limitation of GDPR rights, so I think the original poster who said it would possibly be illegal has a valid point.

Boards.ie: Mark

Sorry Permabear, but a decision was made. You are welcome to provide Feedback, as all users who don't meet the criteria are, via Private Message or by e-mailing hello@boards.ie .

.......

This post has been deleted.

.......

This post has been deleted.

Insect Overlord

:rolleyes:

It's hardly a punishment. If someone wants the site to stick to the letter of the rules, then they should know that the rules will be applied to them too.

Pintman Paddy Losty

Pretty petty interpretation of the rules.

.......

This post has been deleted.

seamus

Apply the rules consistently = Petty

Apply the rules reasonably = Inconsistent

¯\_(ツ)_/¯

Batzoo

Just for some clarity as this thread seems to get sidetracked with irrationality.

Boards can delete, remove or ban accounts, users, data etc; They do not need user permission or legal advice to do so. Boards are an independent service and have no obligation as such to any of us!

Where a user requests to have their own posts deleted under GDPR, boards have no real option but comply. Technically it is meant to be personal and identifiable information, but this is a grey area as no legal precedent has been set yet. The only viable option is a blanket delete of the user posts as the alternative would take too many man hours to decipher what may or may not be considered personal and identifiable.

Another option that is valid is for the user to specifically request that a particular thread post be deleted. This is for boards to decide if that is a feasible action or too much trouble. In this case they can manually delete the thread post, or just run the script to remove all posts by the user. The user cannot insist on boards keeping certain posts available, as boards can delete any post, user or account without seeking that users permission.

The grey area is basically what is considered personally identifiable information. In isolation, one detail will not give you much. An IP address by itself is nothing, but combined with logs and history you could pinpoint an individual. Usernames and emails could be used for several accounts across the net and can be used to profile an individual. But these are some of the obvious things. Writing style and phraseology can also be used to identify an individual. Consistent spelling mistakes with certain words can be used to identify an individual. These are all less obvious but commonly used ways to identify somebody. So with that in mind, basically every post can be considered personally identifiable even if it does not reveal how many kids you have or the name of your dog!

Until some legal precedent is set regarding what is personally identifiable information, the only option boards have is to comply with requests to delete posts regardless of the inane content they may contain. Even if a precedent is set, it would take a long time to go through thousands of posts to confirm if it was personal or not so the feasible option may always be just to delete once the request is made.

Ultimately, users requesting to delete posts will have minimal to no effect of boards as most people don't read threads older than a week or so. Anybody who uses boards zombie threads as some sort of wikipedia really needs to learn to use google.

KERSPLAT!

I've hundreds of emails with various posts included in them. For instance I could tell you Permabears life story without even accessing boards but direct from the emails sent from boards as a subscriber of certain threads.

What's the craic there? Obviously there's not much boards can do regarding my emails.

Are boards users free to discuss relevant information previously disclosed by users but which is now deleted? Or is it like when a user reregs, legitimately, in that you cannot disclose their previous username, etc.?

Beasty

KERSPLAT! wrote: »

I've hundreds of emails with various posts included in them. For instance I could tell you Permabears life story without even accessing boards but direct from the emails sent from boards as a subscriber of certain threads.

What's the craic there? Obviously there's not much boards can do regarding my emails.

Are boards users free to discuss relevant information previously disclosed by users but which is now deleted? Or is it like when a user reregs, legitimately, in that you cannot disclose their previous username, etc.?

There is nothing that can be done about information you have received via e-mail. Those records remain entirely under your control (subject to any restrictions placed by your email provider)

In terms of discussing items that are mentioned in those posts, I think that information has become "private" in your own possession, and I don't think you should "publish" such private information, in the same way as you are not allowed to publish PM content, without the other user's consent. These are my comments as a user of this site, and I have certainly not discussed this with other Admins of the office, who may have alternative interpretations

Having said all of that, these are exactly the sorts of issues where people and businesses need to consider exactly what they can and cannot do, certainly pending clarification, which may only come when we start seeing some test cases (which could be some time off)

seamus

Beasty wrote: »

In terms of discussing items that are mentioned in those posts, I think that information has become "private" in your own possession, and I don't think you should "publish" such private information, in the same way as you are not allowed to publish PM content, without the other user's consent. These are my comments as a user of this site, and I have certainly not discussed this with other Admins of the office, who may have alternative interpretations.

Just for clarity here, the person cannot reproduce, verbatim, the content of the posts which is now stored in their email.

But they absolutely can paraphrase or otherwise recall the information from memory. Boards can (try to) put a ban on users bringing up the content of deleted posts which they read, but it is not legally obliged to.

This is where the grey area exists. If poster B has deleted all her posts and poster A says, "I remember you said you live in Stoneybatter with your 5 kids and 3 parakeets", then poster A has done nothing wrong, but poster B may be able to request deletion of that data from boards.

Another reason why IMO a complete deletion should be an account closure, because then it removes that potential issue and protects all parties involved.

Why does Permabear keep writing 'This Post has been deleted'? And a lot of people look silly now for thanking "This Post has been deleted".

...

Surely somebody could press a button and delete Permabear and everything he's ever written - invariably variants on "Let them eat cake!" - and that's the end of that? It seems more straightforward than putting "This Post has been deleted" in each of his 8 million posts. It also wouldn't break up the thread as much. Additionally, I notice that when somebody quotes him, his quoted post says "This Post has been deleted", but other times you can still see his original post when it's quoted. What's the reason for this difference?

Most people can just close their accounts after all their personal data is (understandably) removed. Talk about a personal melodrama.

Canis Lupus

seamus wrote: »

Apply the rules consistently = Petty

Apply the rules reasonably = Inconsistent

¯\_(ツ)_/¯

Ah in fairness for someone normally so level headed you've surprised me there a bit. I think it's a bit weird to remove Permabears access to feedback. We all know what the 100 post rules is there for. His access revocation is a bit derpy to say the least. Boards mods/admin have for years in the dispute/prison forum made a distinction regarding 'letter of/spirit of' rules.

Boards.ie: Mark

Deleted User wrote: »

Why does Permabear keep writing 'This Post has been deleted'? And a lot of people look silly now for thanking "This Post has been deleted".

...

Surely somebody could press a button and delete Permabear and everything he's ever written - invariably variants on "Let them eat cake!" - and that's the end of that? It seems more straightforward than putting "This Post has been deleted" in each of his 8 million posts. It also wouldn't break up the thread as much. Additionally, I notice that when somebody quotes him, his quoted post says "This Post has been deleted", but other times you can still see his original post when it's quoted. What's the reason for this difference?

Most people can just close their accounts after all their personal data is (understandably) removed. Talk about a personal melodrama.

I may be misunderstanding. Are you asking why the posts don't just *poof* vanish? There are threads like this that would then disappear because of the technology (that's why threads started by re-reg trolls can disappear), while people responding to a post by someone who has lodged a GDPR request may look even sillier as they make a point, seemingly out of nowhere and in response to nothing.

On the quote side of things, Touch handles quotes differently to the Legacy or Responsive sites so we are looking into that issue.

Beasty

Canis Lupus wrote: »

Ah in fairness for someone normally so level headed you've surprised me there a bit. I think it's a bit weird to remove Permabears access to feedback. We all know what the 100 post rules is there for. His access revocation is a bit derpy to say the least. Boards mods/admin have for years in the dispute/prison forum made a distinction regarding 'letter of/spirit of' rules.

In this case the OP started the discussion, and had around 100 posts in the thread (around 10% of the total postcount), then chose to have all that content removed. Should we then provide the OP with the opportunity to make some (or indeed all) of those comments again? Perhaps this is as much the "spirit" being applied as it is the "letter". Of course when they have the requisite postcount they can again contribute, as would be the case with someone who has closed their account (with the additional 3 month requirement)

TheValeyard

Perhaps the thanks should be removed from deleted posts. As mentioned by a previous poster it does look a bit silly. Not sure if possible or not

.......

This post has been deleted.

dudara

I think that from a technical point the post itself remains, it is the content that gets deleted and replaced with “this post has been deleted”. Do I think a user’s associated cards should be deleted, well no. But that’s just my opinion, I’m not sure on all aspects of what the deletion script does

Franz Von Peppercorn

Canis Lupus wrote: »

Ah in fairness for someone normally so level headed you've surprised me there a bit. I think it's a bit weird to remove Permabears access to feedback. We all know what the 100 post rules is there for. His access revocation is a bit derpy to say the least. Boards mods/admin have for years in the dispute/prison forum made a distinction regarding 'letter of/spirit of' rules.

His account should have been closed.

the GDPR is clear on one thing - private identifying information like emails or ip addresses should be deleted on closed accounts, or on request. Therefore that should have been the response to this request - we can delete all posts but only with a deletion of the profile information. This closing the account.

Profile info is the identifying information that the GDPR is talking about. In general posts are so non identifying that people can now not delete posts from previous accounts.

So there’s two classes of posters. People who can stay here and reset their posts so as not to “identify the natural person”, and people with closed accounts who can’t delete the older posts in those accounts because the posts are not identifying enough.

Silliness

.......

This post has been deleted.

New Home

Forgotten and forgiven are two very different things, IMO.

dudara

....... wrote: »

This post has been deleted.

The cards are linked to the post. This is different to the contents of the post. The script deletes the contents, but leaves the post itself. Deleting the post entirely causes issues, take the case where deleting the first post in a thread causes the whole thread to disappear.

To your last question, I genuinely don’t know the legal position, but there could be an argument that cards were assigned by Boards as a condition of using the service and are therefore not subject to the GDPR. Purely my own opinion.

So basically even when you delete all your posts, notification emails from said posts were sent to some users.

Makes sense to close account also. Otherwise you are potentially still identifiable.

Bob24

RoboKlopp wrote: »

So basically even when you delete all your posts, notification emails from said posts were sent to some users.

Makes sense to close account also. Otherwise you are potentially still identifiable.

That’s for the user to decide. If they feel it is a problem they can stop using the account. If not they can keep posting.

Bob24

Bob24 wrote: »

That’s for the user to decide. If they feel it is a problem they can stop using the account. If not they can keep posting.

Obviously, under the current rules.

It was something I and probably many more didn't think off until it was mentioned above.

Batzoo

Some more interesting points raised above to add to the confusion.

Some posters are talking about GDPR in a nonsensical way and are clearly missing the point in regards to an individuals right to what is considered their data. And again, regardless of GDPR, boards can delete any or all posts of any user without that users permission or the need to seek legal advice. Boards can ban users from posting in specific threads or without a minimum post count. This I feel is all irrelevant from GDPR.

When a data subject requests the removal of posts, its not just posts removed from view of other users. These posts have to be removed entirely from the database. They should not be recoverable. A subjects data does not just extend to these public posts. Private data contained in emails or PM's, even though only a limited number of people can view this, it is still considered personal data and should be deleted if requested by the data subject. This is not even a point of conjecture, it is clearly stated. And to clarify, emails relate to boards email servers, not indivdual private users emails.

So in relation to cards, any PM's or emails sent that exists in the Boards database or on Boards Employee computers should also be deleted.

I also pointed out before and if you seek legal advice it will confirm it, that any electronic discussion by boards admins or mods between themselves that mention a particular user, even though they considered it private and in house, this is also part of the subjects data now. When the subject requests their data, these private PM's and Emails are also required to be given to the data subject. Some Redaction can take place where a non involved subjects data may be compromised but redaction has to be specific and with valid reason. You cannot just redact 80% of a PM or things said that may now reflect badly on boards.

This will have some relation to the card situation as I am sure mods have discussed infractions in PM without the subjects awareness. If the card is associated with a user and a connection can be made to a thread. Information may be inferred from that thread as to the reason the user was carded. I have no clear interpretation of this on GDPR, but would definitely help me if I was profiling a particular user.

GDPR recognized that deletion from a current database although inconvenient is possible, and recommendations were made to database designers going forward to design future databases so that every users activity is encapsulated in their own mini database as such. Again this is not really practical or feasible in many setups.

Also acknowledged was the backup of databases that all these service providers will do regularly. It is not really feasible to go through numerous backups and delete every post, every time a subject requests. But care should be taking only to keep the required backups that are necessary and for no longer than necessary. These backups should be encrypted and the information contained should not be easily accessible should the backup be stolen.

Ken.

Batzoo wrote: »

S

I also pointed out before and if you seek legal advice it will confirm it, that any electronic discussion by boards admins or mods between themselves that mention a particular user, even though they considered it private and in house, this is also part of the subjects data now. When the subject requests their data, these private PM's and Emails are also required to be given to the data subject. Some Redaction can take place where a non involved subjects data may be compromised but redaction has to be specific and with valid reason. You cannot just redact 80% of a PM or things said that may now reflect badly on boards.

So your telling me that if I was to post in a forum on boards the following.


"I seen a post the other day by a poster called Batzoo and he seems like a nice guy"

Are you telling me that because your name is there that that post is your data?.

Batzoo

Putinbot wrote: »

So your telling me that if I was to post in a forum on boards the following.


"I seen a post the other day by a poster called Batzoo and he seems like a nice guy"

Are you telling me that because your name is there that that post is your data?.

Basically yes! Any information that pertains to me in the boards database is considered my data, that would include your post if it mentions me! As well as PM's and Emails between mods and admins that mention me or discuss the reasons for my infractions etc. I have a right to request to view that data and correct any wrong information it contains. I can also request to have my data removed from the database.

Although your post about me would be innocuous and may be considered a compliment, I may consider it factually incorrect as I may have a reputation of not being a nice guy to uphold.

Even if you PM another user about me, technically once my name is mentioned in your PM's and it is clearly about me, my request to view my data should include you PM's. At this point though, your name(unless you are an agent of boards) and the recipients name could and should be redacted so as to not compromise your GDPR privacy rights. This protection of your name and GDPR rights does not apply to Boards admins and mods as they are agents of boards. Any correspondence between boards agents cannot legally redact the agents name in this instance.



_________________________________________________
Not GDPR Specific below...
But essentially when you post on Boards, Boards assumes responsibility for that post regardless of their disclaimers and must once notified, act accordingly should that post be factually incorrect, slanderous, bigoted, inciting violence or advocating criminal activity etc. This is not even GDPR though, just a self policing etiquette to prevent the brand being brought in to disrepute or possible legal liabilities depending on nature of post. So technically even without GDPR boards should remove your posts about me if I request them to do so because I can prove them to be inaccurate. This could be a full on post removal or just a redaction of any identifiable information relating to me. But the easy option is a full on deletion.

Ken.

I won't quote your post cause it's long but I've always been led to believe that unless reported pm's cannot be read by anyone except the sender and receiver.

Not even boards would know that your name would be in one of my pm's.

Also would it not be a breach of my rights to have my pm box raided.

Actually they would have to invade every person on boards's pm's to search for your name.

Bob24

Putinbot wrote: »

I won't quote your post cause it's long but I've always been led to believe that unless reported pm's cannot be read by anyone except the sender and receiver.

Not even boards would know that your name would be in one of my pm's.

Also would it not be a breach of my rights to have my pm box raided.

Actually they would have to invade every person on boards's pm's to search for your name.

To me there is a distinction depending on whether the PMs are from a boards representative* or a “random” user.

If they are correspondance of boards representatives they would be considered operatinal data held by boards about the user and subject to GDPR, while otherwise they wouldn’t and would simply be private correspondance of the account owner.

Same could be said about Google: clearly if you make a data subject access request to them they should disclose any internal employee emails containing information about you, but it doesn’t mean they should scan every single Gmail inbox in existence and look for emails referring to you from any Gmail user (which are not google employees).

* i.e. a boards employee, an admin, or a mod

KERSPLAT!

Putinbot wrote: »

I won't quote your post cause it's long but I've always been led to believe that unless reported pm's cannot be read by anyone except the sender and receiver.

Not even boards would know that your name would be in one of my pm's.

Also would it not be a breach of my rights to have my pm box raided.

Actually they would have to invade every person on boards's pm's to search for your name.

What right do you think you have to have your PMs remain private, it certainly isn't a legal right.

As far as I'm aware, going by our GDPR briefs in work, any data containing details of a customer, in boards case a user, would need to be removed. For us it would be emails, tickets, billing, etc. This was the reason for my question regarding emails sent automatically to users who have subbed to a thread but as above, I'd love to know what the craic is with the mod forums, reported posts, PMs, etc. I doubt this info can be left as is.

Ken.

KERSPLAT! wrote: »

What right do you think you have to have your PMs remain private, it certainly isn't a legal right.

As far as I'm aware, going by our GDPR briefs in work, any data containing details of a customer, in boards case a user, would need to be removed. For us it would be emails, tickets, billing, etc. This was the reason for my question regarding emails sent automatically to users who have subbed to a thread but as above, I'd love to know what the craic is with the mod forums, reported posts, PMs, etc. I doubt this info can be left as is.

It has been stated a million times on boards by the office that someone's pm's are private and can't be read by others.

I've had a look at reported posts by permabear and the few I found say the same as the op of this thread.

Franz Von Peppercorn

Batzoo wrote: »

Basically yes! Any information that pertains to me in the boards database is considered my data, that would include your post if it mentions me! As well as PM's and Emails between mods and admins that mention me or discuss the reasons for my infractions etc. I have a right to request to view that data and correct any wrong information it contains. I can also request to have my data removed from the database.

Although your post about me would be innocuous and may be considered a compliment, I may consider it factually incorrect as I may have a reputation of not being a nice guy to uphold.

This is the kind of rubbish that permeates this thread. You are posting under a pseudonym. The only way the pseudonym can identify you is if you make an identifying post. That individual post can be removed.

Boards has uniquely amongst forums devices that all pseudonymous posts are identifying, except for closed accounts - where they aren’t.

KERSPLAT!

Putinbot wrote: »

It has been stated a million times on boards by the office that someone's pm's are private and can't be read by others.

I've had a look at reported posts by permabear and the few I found say the same as the op of this thread.

You hardly think someone will read every individual PM in everyone's inbox... If something was put in place it'll be a script that's run, the same as a script was run for posts to be replaced with "this post has been deleted".

It's also naive to think that PMs can't be read. I'm sure very few have access but lads in the office have access to the DB where they're stored so they can be read.

With regards to reported posts, I'm not talking about posts where the user requesting the delete was the op, what about where the requester was the one reported or, as I said above, discussed in the mod forum. My understanding is that this should also all be removed.

Bob24

Putinbot wrote: »

It has been stated a million times on boards by the office that someone's pm's are private and can't be read by others.

That can’t be factually correct. At the very least a couple of DBAs and support engineers must have full access to the underlying database.

Maybe what you mean is that the UI of the website doesn’t allow for a user to access the mailbox of another user regardless of their status (admin or employee). But there are no doubt other technical possibilities for boards to see the content of the PMs.

Also whether someone else can read them or not, as a representative of boards who is handling user data, the simple fact that a mod/admin/employee can see the messages in their own outbox/inbox makes their content subject to GDPR as they become data handled by the organisation in the process of running its service.

Franz Von Peppercorn

Bob24 wrote: »

That can’t be factually correct. At the very least a couple of DBAs and support engineers must have full access to the underlying database.

Maybe what you mean is that the UI of the website doesn’t allow for a user to access the mailbox of another user regardless of their status (admin or employee). But there are no doubt other technical possibilities for boards to see the content of the PMs.

Also whether someone else can read them or not, as a representative of boards who is handling user data, the simple fact that a mod/admin/employee can see the messages in their own outbox/inbox makes their content subject to GDPR.

Unless the reader of the pm can associate the user with an email it doesn’t matter.

Bob24

Franz Von Peppercorn wrote: »

Unless the reader of the pm can associate the user with an email it doesn’t matter.

If boards as an organisation can do it that’s definitly enough (which will be the case for any account which isn’t closed). Or if the content of the PM contains personally identifiable information.

oscarBravo

Bob24 wrote: »

If they are correspondance of boards representatives they would be considered operatinal data held by boards about the user and subject to GDPR...

I don't recall seeing the phrase "operational data" anywhere in the GDPR. Can you point it out for me?

Batzoo

Franz Von Peppercorn wrote: »

This is the kind of rubbish that permeates this thread. You are posting under a pseudonym. The only way the pseudonym can identify you is if you make an identifying post. That individual post can be removed.

Boards has uniquely amongst forums devices that all pseudonymous posts are identifying, except for closed accounts - where they aren’t.

I assure you its not rubbish! Yes we are mostly using pseudonyms. Your name means nothing to me, and mine means nothing to you. If I wanted I could take a bordsie's pseudonym and cross check it and do look ups etc and build a profile. This would be more successful with some users than others, so pseudonyms are identifiable. But this is not the GDPR component and slightly off topic.

Where GDPR is concerned is with the integrity of the databases and how securely kept and accurate the user information it contains is. Should the Boards database be compromised I am sure boards also have email addresses, IP's address's, log in times and a myriad of other data that is associated with the users pseudonym. This is all identifiable. It is not about what you or I can see in the public forum, it is about what is contained on the database. This should be secure and accurate. I can request to see this information and that would also include PM's and emails that relate to me as stated.

Franz Von Peppercorn

Bob24 wrote: »

If boards as an organisation can do it that’s definitly enough (which will be the case for any account which isn’t closed). Or if the content of the PM contains personally identifiable information.

The second case yes, the first case no. Boards needs the email address to provide a service.

Franz Von Peppercorn

Batzoo wrote: »

I assure you its not rubbish! Yes we are mostly using pseudonyms. Your name means nothing to me, and mine means nothing to you. If I wanted I could take a bordsie's pseudonym and cross check it and do look ups etc and build a profile. This would be more successful with some users than others, so pseudonyms are identifiable. But this is not the GDPR component and slightly off topic.

Where GDPR is concerned is with the integrity of the databases and how securely kept and accurate the user information it contains is. Should the Boards database be compromised I am sure boards also have email addresses, IP's address's, log in times and a myriad of other data that is associated with the users pseudonym. This is all identifiable. It is not about what you or I can see in the public forum, it is about what is contained on the database. This should be secure and accurate. I can request to see this information and that would also include PM's and emails that relate to me as stated.

All of that is admissible under GDPR if there is a business case for it, which there is while people are still account holders. On closing accounts the database information can be deleted.

You have no right to any pms that discuss your pseudonym unless those emails are personally identifiable for the “natural person”. And any such right is a FOI right which isn’t the same as the right to be forgotten.

Boards had gone overboard on its reaction to the GDPR - most forum software deletes the closed account, keeps the posts and obstufcates the username.

Batzoo

Franz Von Peppercorn wrote: »

...You have no right to any pms that discuss your pseudonym unless those emails are personally identifiable for the “natural person”. And any such right is a FOI right which isn’t the same as the right to be forgotten.

You seem to be taking information in isolation! The boards database links your pseudonym to many identifiable pieces of information. And as such any reference to that pseudonym in the boards infrastructure, be it in pm or on a boards email server or even on boards agents(admins and mods computers) technically falls under this remit and you have a right to view it for accuracy under GDPR. You can then also request the removal of this information. The extent of this removal is open to interpretation and debate and will need some test cases to clarify the details.

Will boards admins or mods allow access to personal computers, probably not and a data subject would never really now how far the rabbit hole goes down as such. The data subject just has to take on trust when a request is made that all the information is returned to them. But if a boards agent (admin or mod) has that laptop say stolen or left on a train and personal information is released, again, this could be PM's or emails and it turns out that boards did not act fully in regards to a request, this is where the big fines will hit. Boards are now liable under GDPR for not properly securing personal information.

I honestly don't even think anything I posted in regards to this is contentious.

Batzoo

Franz Von Peppercorn wrote: »

...Boards had gone overboard on its reaction to the GDPR - most forum software deletes the closed account, keeps the posts and obstufcates the username.

Also sorry for the double post but this point may be acceptable in some cases but not all, but I don't know for sure.

The issue I see here is that some posts could contain identifiable information regardless of the posters name being removed and account being deleted. This could take a lot of man hours to try and independently determine what is and is not personal information. Most forums, especially the size of boards cannot afford those man hours as such the easy option is just to delete with a script when requested.

Any reference in the database to the IP of the original poster or the time and date of the post can narrow a search significantly and lead to identifiable information. Obfuscating a name is not good enough, it has to be removed from the database. But also all logs relating to that user and IP's and times etc should also be removed unless there is a fundamental or legal requirement to retain them.

I should also point out though that most forums online are run by hobbyists who do not really care about any global turnover type fines. Many more forums are not European based and the ignorance and belief that non Europeans are not effected still persists on the other side of the Atlantic. In fact I would go as far to say that the majority of US based sites with a partial European user base are still unaware of the GDPR implications.

I will point out again, its not about the posts you and I can see in the public forum. It's not even about the post's that agents of boards can see that we cannot. It's about the information that can be extrapolated by a nefarious actor should the database be compromised or stolen. Ideally, this information should be stored in an encrypted manner so even if stolen it remains inaccessible.

Bob24

oscarBravo wrote: »

I don't recall seeing the phrase "operational data" anywhere in the GDPR. Can you point it out for me?

Any data processed/stored by a representative of the organisation when they conduct their duty is covered by GDPR. That is what I meant by operational data: a PM by a representative of boards which refers to a user is like an internal company email. And my equivalent exemple related to Google is pretty straight forward I believe.

See internal emails clearly listed here on the IBEC guidelines: https://www.ibec.ie/IBEC/ES.nsf/vPages/GDPR~Ibec_guides_preparing_for_GDPR~how-employers-should-comply-with-gdpr/$file/Ibec+employers+guide+to+GDPR+2017.pdf

“The rights cover data related to identified or identifiable persons (e.g. customers or employees) held either electronically or physically – this includes physical files, emails, Customer Relationship Management (CRM) systems, images or recordings of individuals.”


In fact and while virtually impossible to enforce, even a post-it note on the desk of a mod which refers to individual boards users could equally be covered by GDPR depending on what’s written on the note (for exemple a username with a list of previous infractions definitly would be).