GDPR, and Vanilla, how does this work?



  • Do you know for certain you haven't already provided consent? In the Privacy Notice you signed up to when subscribing did that Notice indicate Boards could transfer data to a third country that has an adequacy decision?

  • Boards are saying the EU have determined Canada provides adequate protection of personal data. It's not Boards that determines these matters.

  • Best practice is that such a move is flagged in advance, with the sufficient details being provided so that the customer can make an informed decision.

    Relying on boilerplate, especially when it comes to the protected categories of data, is an adventurous way of doing it. Of course, I'm sure that the GDPR team can show they carried out a rigorous DPIA in advance of this exercise, and that all the concerns here (such as not using encryption) are the right way to go about it.

  • The onus is on Boards to decide if a service provider they’re engaging as a data processor meets with the required standard of protection required to be provided to safeguard our personal data.

    If I can determine in one hour that the DPC in Canada says their laws are not up to scratch, why didn’t someone at Boards do the same and err on the side of caution?

    That would be the right thing to do. It wasn’t done though.

  • Just because they don't follow what's best practice in your eyes doesn't make it wrong or illegal.

  • Why don't you ask the EU which has given Canada an adequacy decision? Boards is following EU law.

  • No, it's the DPC who set the best practice. Time will tell what the DPC make of this.

    I'm sure it will all be fine. I can't imagine that someone decided to hike all the data over to Canada, engage new data storage provisions and decide to disapply stated (at regulation level) recommendations such as encryption, without running it past some data protection specialists, or even the DPC themselves who are quite open to talking about such things before they take place. That DPIA (requirement by the way, not best practice) would be an interesting read.

  • The most that will happen here is a warning to boards. What data is being transferred for you? My data is my email, and that's it for most I would assume. And my email was throwaway.

  • A DPIA is not required in this instance.  A DPIA is only mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”.

  • I don't understand the problem here. Canada seems to be the problem? What's wrong with Canada, if the EU thinks it is ok then why are people concerned?

    So some users have put personal info in PMs - if the data was stored in France or Hungary or some other EU country would that make it more secure? I don't think so.

  • If you take the time to read what people have contributed, myself and others, there's no need for you to remain ignorant of the issues we're raising. In any case, even if you decide to ignore the issue, dismissing others' concerns in this case is a pointless exercise. Boards have legal obligations which they have failed to meet. They've also failed now for 10+ days to correct their failure.

  • The same people who 13 days after a major site launch seem to shrug the shoulders when someone points out that the privacy notice, cookie policy, anything like that doesn't work.

  • They didn't.

    Others, who don't represent Boards, have.

  • Actually []

    The bit you cited is the headline.

    Digging deeper into the guidelines, the Article 29 Working Party has adopted non-exhaustive guidelines / criteria to determine whether processing is likely to result in a high risk... One of those is point 9:

    "Data transfer across borders outside the European Union (recital 116), taking into consideration, amongst others, the envisaged country or countries of destination, the possibility of further transfers, or the likelihood of transfers based on derogations for specific situations set forth by the GDPR."

  • What did Boards' privacy statement state in relation to transfers to third countries prior to the upgrade?

    Also you are wrong on a couple of things:

    The effect of an adequacy decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

    Article 49 section 1 states that in the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only under certain conditions, for example:

      a) explicit consent from the data subject, company must inform the data subject of all the risks that can occur when the data is transferred there;

    i.e. explicit consent is not required if the transfers are to a country with an adequacy decision.

  • Hello - the bottom bar still says Hosted by Digiweb - which is correct, please?

  • From your own post, a DPIA is required when

    Data transfer across borders outside the European Union (recital 116), taking into consideration, amongst others, the envisaged country or countries of destination, the possibility of further transfers, or the likelihood of transfers based on derogations for specific situations set forth by the GDPR.

    The data is transferred to Canada, a country with an EU adequacy decision and therefore with equivalent data protection laws as in the EU. There is no indication that data will be transferred further and transfers are not based on derogations. It's fairly obvious that a DPIA is not warranted.

    In respect of the previous privacy policy, Boards stated that 'certain third parties providing services to our Sites may transfer data outside of the EEA for example, for storage purposes.'

    Yet you had no issues with using boards knowing your data could be sent to unnamed third countries? And you only now have an issue because data is being sent to Canada, a country with equivalent data protection measures as the EU?

  • Vanilla use hosting in both Canada AND California. Just to highlight...

  • Well have you seen any sufficient response from any boards employee or leadership about the fact that the links don't work, hosting information is still correct, over two weeks after a site was launched?

  • I disagree with your first point but that's fine. I'll even let the DPIA go, if that ends that argument as that's not the main problem. However, you do notice, don't you, that many sections in GDPR don't use MUSTS and SHOULDS. They use softer words to indicate how you should be thinking when you treat data. They even call some of them guidelines rather than regulations. A lot of GDPR is the spirit of data protection rather than the letter of the law. Even the DPIA text above "taking into consideration". There is no absolute affirmative action in that clause and is open to interpretation and misinterpretation. Yet you say I'm wrong. I'm afraid only a court of law can make that statement :)

    I agree with your second point. I had no problem [or more correctly, it didn't bother me as much as the current situation] with their Privacy Policy as Boards outlined in their policy which third parties they use and why. Migrating operations to ANY country outside of Europe wasn't in there and still required notice and / or consent. Boards don't do everything right. In fact, in my personal opinion they have been in breach of GDPR since day one by enforcing that the only way you could change your username [a de facto PII] was to purchase a subscription for minimum 1 month. That's not allowed under GDPR and that process is still in place today. Sure Niamh only cited it a couple of days ago in Feedback.

  • I think they have bigger things to worry about than the site not working properly. Definite squeaky bum time in some offices in Dublin :)

  • Actually, not really.

    Technical problems are generally solvable - nothing they need to do is pushing the limits of computer science, it's just a matter of getting it done.

    Data protection problems, on the other hand, aren't endogenous to effort, and are determined by what you have done and how the DPC views that.

  • I stated that a DPIA is not required / not warranted which I suppose is analogous to saying you are wrong - either way I don't need a lesson on the subtleties of GDPR wording. The decision as to whether a DPIA should be prepared is never going to be decided in a court of law rather based on the consideration of the facts which I have done.

    They migrated storage to Canada and storage in third countries was something that was specifically called out in the old privacy statement. So your second paragraph makes no sense in light of this nor your attitude now to them transferring storage to a third country with an adequacy decision.

  • @RangeR

    To a lesser extent, Boards deemed it safe to use a hosting provider in a Third Country rather than one of the thousands in EU which would be covered by the more strict and robust GDPR.

    Pretty much the whole point of GDPR is that EU residents' data is covered by it, whether that data is held within the EU or anywhere else.

    So our data is still covered by GDPR, the question is whether Vanilla are compliant with Canadian law, as the EU has decided that Canadian laws provide adequate protection.

    Need clarification on Vanilla having US hosting centres, and fast.

    But yes it's very disappointing that no hosting provider in the whole EU, never mind Ireland, was deemed adequate. Platform and hosting do not have to be tied together.

    Boards is now totally dependent on Vanilla, not just platform but hosting as well. If Boards and Vanilla get into a dispute, Boards is screwed and migration away from Vanilla could be impossible.

    Their funeral...

    Bring back the :pac: !
