
GDPR and Boards.ie post removal policy **update linked in OP 24/5/18**


Comments

  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    The second case yes, the first case no. Boards needs the email address to provide a service.

    In the first case as well. Sure they need the email address but it doesn’t exempt them from GDPR: because they have it they can personally identify the user, hence the associated data they hold (including just a PM referencing that user) is indeed covered by GDPR and needs (amongst other things) to be included in a response to a data subject access request.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    You have no right to any PMs that discuss your pseudonym unless those emails are personally identifiable for the “natural person”. And any such right is a FOI right which isn’t the same as the right to be forgotten.

    FOI is more for public bodies so probably doesn’t apply here.

    GDPR however definitely gives us (as “data subjects”) the right to request all information boards holds about us (as a “data controller”); and this includes internal comms of the organisation related to us.

    This is called “subject access request” in GDPR terminology.


  • Closed Accounts Posts: 7,070 ✭✭✭Franz Von Peppercorn


    Batzoo wrote: »
    You seem to be taking information in isolation! The boards database links your pseudonym to many identifiable pieces of information. And as such any reference to that pseudonym in the boards infrastructure, be it in pm or on a boards email server or even on boards agents(admins and mods computers) technically falls under this remit and you have a right to view it for accuracy under GDPR. You can then also request the removal of this information. The extent of this removal is open to interpretation and debate and will need some test cases to clarify the details.

    Unless somebody like a moderator can see your email there’s no violation. And they can’t.
    Will boards admins or mods allow access to personal computers, probably not and a data subject would never really know how far the rabbit hole goes down as such. The data subject just has to take on trust when a request is made that all the information is returned to them. But if a boards agent (admin or mod) has that laptop say stolen or left on a train and personal information is released, again, this could be PMs or emails and it turns out that boards did not act fully in regards to a request, this is where the big fines will hit. Boards are now liable under GDPR for not properly securing personal information.

    You’ve assumed all kinds of conclusions here. You’re assuming the mods have your email (they don’t), they have it on a local device (they don’t).

    However obviously an email breach is a problem, but the GDPR does allow storing of emails while the service continues.
    I honestly don't even think anything I posted in regards to this is contentious.

    This whole thread is hysteria.

    What most forums do is keep the posts but obfuscate the usernames on a close request and delete profile data.


  • Technology & Internet Moderators Posts: 28,803 Mod ✭✭✭✭oscarBravo


    Bob24 wrote: »
    Any data processed/stored by a representative of the organisation when they conduct their duty is covered by GDPR. That is what I meant by operational data: a PM by a representative of boards which refers to a user is like an internal company email.

    The problem is that you've taken an EU directive and invented an entirely new concept of "operational data" from whole cloth that doesn't appear anywhere in the directive, then pointed to a single paragraph in a sixteen-page summary (from an organisation that doesn't purport to offer definitive guidance on the interpretation of the directive) of an 88-page legal document - a paragraph that doesn't mention your novel concept of "operational data" - in support of its existence.

    Now, you're entirely within your rights to apply the concept of "operational data" to your own business's internal GDPR compliance procedures, and to explain the concept to the ODPC in the event of an audit, but it's a bit rich to try to insist that this novel concept of yours has any application whatsoever to the situation that boards.ie finds itself in.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    oscarBravo wrote: »
    The problem is that you've taken an EU directive and invented an entirely new concept of "operational data" from whole cloth that doesn't appear anywhere in the directive, then pointed to a single paragraph in a sixteen-page summary (from an organisation that doesn't purport to offer definitive guidance on the interpretation of the directive) of an 88-page legal document - a paragraph that doesn't mention your novel concept of "operational data" - in support of its existence.

    Now, you're entirely within your rights to apply the concept of "operational data" to your own business's internal GDPR compliance procedures, and to explain the concept to the ODPC in the event of an audit, but it's a bit rich to try to insist that this novel concept of yours has any application whatsoever to the situation that boards.ie finds itself in.

    You picked two words in my post (operational data) and decided that if they don’t appear in the regulation there is a problem even after I clearly explain what I mean and give a similar example with emails? Honestly? :-)

    I never said it was GDPR terminology ... just used those words to express myself.

    Also no big deal but for future reference the GDPR is not a directive, it is a regulation. Meaning that, as opposed to a directive, it doesn’t need to be implemented into the national law of every member state.


  • Technology & Internet Moderators Posts: 28,803 Mod ✭✭✭✭oscarBravo


    Bob24 wrote: »
    You picked two words in my post (operational data) and decided that if they don’t appear in the regulation there is a problem? Honestly? :-)
    Honestly. If the person drawing up my GDPR compliance policy started inventing terminology, I'd be looking for a new GDPR person.
    I never said it was GDPR terminology ... just used those words to express myself.
    That's fair enough, but it leaves me personally with the impression that you are just opining about the Regulation, which is fine: but a personal opinion expressed through abstractions contributes pretty much nothing useful to this discussion.

    Every organisation has to choose its own risk-based approach to GDPR compliance. I personally think the boards.ie approach is far too risk-averse, but then the problems my business faces are quite different.

    My personal view is that the ODPC won't take the fascistic view of the Regulation that some posters on here would like it to. We won't know until the case law starts to filter through.


  • Registered Users Posts: 22,306 ✭✭✭✭Esel


    Are multiquote reply posts on the Touch site still showing apparently GDPR deleted data? If so, this needs to be addressed.

    Not your ornery onager



  • Registered Users Posts: 136 ✭✭Batzoo


    Unless somebody like a moderator can see your email there’s no violation. And they can’t.
    This statement is totally wrong and misinformed!

    I have stated clearly on several occasions, it is irrelevant if the boards agents can view this data or not. It is irrelevant if you or I can view it.

    Once the data is stored, this can be in a database, a filing cabinet, or as stated by another poster, a post-it note on someone's desk. It technically would extend to a CEO's Filofax if they wrote "I am meeting with "whatever name" on Tuesday at 12:30. Contact Number 0123456789. He is a big fish so be on best behavior"

    If "Whatever name" does a subject access request, this Filofax entry should be returned with the other data. This seems ridiculous and almost petty at first glance. This is not the reason for GDPR. GDPR is basically trying to get organizations to take responsibility for the security and relevance of other people's information.

    The goal is to enforce companies to consider if all the data collected is required to perform a service. Do Facebook really need to know what my favourite colour is or my mother's maiden name just for me to open an account? Maybe they do, but they have to be able to justify the retention of this data and its relevance to the service provided. The days of just filling databases with tons of user data (most of which may date quickly but was never deleted or removed) have long gone. You can't justify knowing how many cups of coffee a day I drink just to provide me with an email service! Or can you? Do you really need to retain the last three addresses I lived at? Or a mobile phone number that I no longer use? GDPR requires data that is stored to be Secure, Accurate, Relevant and to be kept for no longer than legally required to provide the service. You should not store personal information indefinitely.

    The data subject also has the right to review this information for accuracy on request. Again there is nothing contentious in the above.

    You’ve assumed all kinds of conclusions here. You’re assuming the mods have your email (they don’t), they have it on a local device (they don’t).

    However obviously an email breach is a problem, but the GDPR does allow storing of emails while the service continues.

    I assure you I have made no assumptions. You appear to be reading it wrong and the conclusions are your own. What information the mods have access to will vary based on access level. All PMs between mods that relate to a user's infraction are fair game in a subject access request. If the mods are in the habit of deleting these PMs before an access request is made, well then there is nothing to view or give to the subject. But if these PMs are deleted after the fact or are not truly deleted and just put in a trash folder, well that's an issue!

    Where this information is stored is irrelevant. If it crosses jurisdictions other factors also can come in to play but that would overcomplicate the simple points I am making here so I won't expand on jurisdictional implications.

    But essentially I am an EU citizen and GDPR covers my data regardless of where the server that stores it is located. It could be in a boards mod's bedroom or a server on Bill Gates' private Caribbean Island! I can request to see the information.

    Also I don't know why you assume emails are deleted. Email storage is practically infinite nowadays and I still have access to emails going back over 20 years.


    This whole thread is hysteria.

    What most forums do is keep the posts but obfuscate the usernames on a close request and delete profile data.

    What other forums do, does not make them compliant. Some forums will tell you how to steal pay per view TV or buy guns. Try that on Boards and watch the ban hammer fall!


  • Registered Users Posts: 136 ✭✭Batzoo


    oscarBravo wrote: »
    Every organisation has to choose its own risk-based approach to GDPR compliance. I personally think the boards.ie approach is far too risk-averse...

    Ever since the "legal troubles" Boards has been risk averse to the point of banality in many threads. This will not change now unless new owners were to take the reins! I believe the only viable option for Boards at this time is just to do what they are doing and delete all posts and quotes once requested. This I believe will have minimal effect on the many new threads that are started daily. The effect on Zombie threads should not really be a concern.
    oscarBravo wrote: »
    ...My personal view is that the ODPC won't take the fascistic view of the Regulation that some posters on here would like it to. We won't know until the case law starts to filter through.

    The only way the ODPC will get heavy on Boards is if there was a political connection or concern involved. The reality is it may be a couple of years before we get any rulings or clarity on the issues. Boards will never be hit with a 20 million fine regardless of what breaches may occur here. And failure to respond efficiently or correctly to a SAR or deletion request, I doubt would even result in a slapped wrist at the moment.


  • Banned (with Prison Access) Posts: 2,492 ✭✭✭pleas advice


    Esel wrote: »
    Are multiquote reply posts on the Touch site still showing apparently GDPR deleted data? If so, this needs to be addressed.

    quoted on touch site, it shows
    Esel wrote: »

    quote on desktop shows
    Esel wrote: »


  • Banned (with Prison Access) Posts: 2,492 ✭✭✭pleas advice


    Esel wrote: »
    Are multiquote reply posts on the Touch site still showing apparently GDPR deleted data? If so, this needs to be addressed.

    quoted on touch site,  it shows
    Esel wrote: »

    quote on desktop shows
    I'm very confused as to how the Responsive site handles quotes...

    Esel;107713827Are multiquote reply posts on the Touch site still showing apparently GDPR deleted data? If so, this needs to be addressed.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    oscarBravo wrote: »
    Honestly. If the person drawing up my GDPR compliance policy started inventing terminology, I'd be looking for a new GDPR person. That's fair enough, but it leaves me personally with the impression that you are just opining about the Regulation, which is fine: but a personal opinion expressed through abstractions contributes pretty much nothing useful to this discussion.

    Every organisation has to choose its own risk-based approach to GDPR compliance. I personally think the boards.ie approach is far too risk-averse, but then the problems my business faces are quite different.

    My personal view is that the ODPC won't take the fascistic view of the Regulation that some posters on here would like it to. We won't know until the case law starts to filter through.

    Let me summarise and rephrase previous points as this fixation on wording prevents us from discussing the actual points:

    1. Any personal data stored or handled by an organisation (or anyone acting as its representative) related to an individual falls under the scope of GDPR

    In my view this is unquestionable as it is at the core of the regulation. Doesn't mean that GDPR necessarily imposes restrictions on all of that data, but it falls under its scope.

    2. Internal emails of an organisation which are referring to an individual and contain information about them are deemed to be such personal data

    This is not in the regulation as it is too specific but there have been multiple legal opinions making this statement (as the one I linked in my previous post), and it would be hard to find a credible one clearly stating the contrary (although if you have one I would definitely be interested in a link).

    And again while the regulation is obviously too high level to specifically mention this case, the reason I tend to agree with these opinions is that the very generic definition GDPR gives of personal data makes it hard to argue differently:

    "‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’)."

    How to argue that an email accessible to any single member of the organisation and saying something like "John Doe has been a bad payer for the past 12 months" doesn't fall under this definition? It identifies a person and gives a piece of information about them.

    If someone accepts these legal opinions, a logical consequence is that these emails should be included in a reply to a subject access request made in accordance with GDPR (as any other personal data held about the individual by the organisation which is not explicitly excluded by GDPR).

    3. PMs sent or received by representatives of boards are not different from internal company emails

    Of course this is too specific to find any online reference, but this is the point I am making. Essentially this type of PMs are pretty much the same thing as an internal company email*, and if they contain reference to an identified or identifiable person they should be treated exactly in the same way as an internal email referring to an identified or identifiable person, i.e. included in the answer to a subject access request. This is the key point I have been making, and happy to discuss what in the above reasoning might not make sense to someone else.


    * both are electronic communication of one or more members of the organisation which is stored on the organisation's IT infrastructure either unencrypted or in a way that can be decrypted by some of its members.


  • Registered Users Posts: 9,166 ✭✭✭Fr_Dougal


    Now that boards is removing posts to comply with Data Protection, is there any need to keep the ‘closed account’ function?


  • Registered Users Posts: 695 ✭✭✭Havockk


    Well done Permabear, objective achieved. What an absolute mockery this is.


  • Moderators, Arts Moderators Posts: 35,464 Mod ✭✭✭✭pickarooney


    How come the content of deleted posts still shows up when you search for all posts by X ?


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    How come the content of deleted posts still shows up when you search for all posts by X ?

    I noticed the same thing.

    Looks like they have NOT been deleted.


  • Registered Users Posts: 8,809 ✭✭✭blackwhite


    It looks like there's some glitch in it, as some appear as deleted, but not all.


    Screenshot of what's currently appearing below (sorry PB for using you as the guinea pig for this :o)

    <removing image of someone's soon-to-be-deleted posts in search results for obvious reasons>


  • Boards.ie Employee Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    It's not a one step procedure unfortunately so things are done in stages. The more posts the user had/has the more problematic it is but we are contacting each user individually when their request has been processed to let them know when everything is completed.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    Permabear's are appearing correctly. The undeleted ones are from AFTER the delete was completed.

    I requested deletion and ALL of mine are still showing up and my post count has not been reset. So clearly my data has not been deleted.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    It's not a one step procedure unfortunately so things are done in stages. The more posts the user had/has the more problematic it is but we are contacting each user individually when their request has been processed to let them know when everything is completed.

    I've twice sent messages pointing out that there seems to be an issue and no response at all.


  • Boards.ie Employee Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    ....... wrote: »
    Permabear's are appearing correctly. The undeleted ones are from AFTER the delete was completed.

    I requested deletion and ALL of mine are still showing up and my post count has not been reset. So clearly my data has not been deleted.

    You will be contacted when the process with your account is complete.


  • Boards.ie Employee Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    ....... wrote: »
    I've twice sent messages pointing out that there seems to be an issue and no response at all.

    Where did you send the messages, were they PMs? Mark is off at the moment but back tomorrow if you PM'd him directly.


  • Closed Accounts Posts: 9,057 ✭✭✭.......


    Where did you send the messages, were they PMs? Mark is off at the moment but back tomorrow if you PM'd him directly.

    PMs to Boards.ie:GDPR

    I sent one a few days ago and one today.


  • Boards.ie Employee Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    Ok, will make sure to follow that up .......

    Thanks.


    Please see this post for the Boards.ie updated GDPR effective from December 2018 ~Niamh

    .


  • Closed Accounts Posts: 4,681 ✭✭✭ziggy


    This post has been deleted.


This discussion has been closed.